📄 Description (English)
SaltStack Salt Path Traversal Vulnerability — SaltStack Salt contains a path traversal vulnerability in the salt-master process ClearFuncs which allows directory access to authenticated users. Salt users who follow fundamental internet security guidelines and best practices are not affected by this vulnerability.
🤖 AI Executive Summary
CVE-2020-11652 is a critical path traversal vulnerability (CVSS 9.0) in SaltStack Salt's salt-master process ClearFuncs component, allowing authenticated users to gain unauthorized directory access beyond their permitted scope. Active exploits are publicly available, significantly elevating the risk of exploitation in the wild. This vulnerability has been actively leveraged in targeted attacks against infrastructure management platforms, potentially enabling attackers to read sensitive configuration files, credentials, and private keys. Organizations using SaltStack for infrastructure automation and configuration management must treat this as an emergency remediation priority.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 18, 2026 08:33
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations heavily reliant on SaltStack for large-scale infrastructure automation face critical exposure. Key at-risk sectors include: Energy (Saudi Aramco, SABIC) using Salt for OT/IT infrastructure orchestration; Telecom (STC, Mobily, Zain) managing large server fleets; Government entities under NCA oversight using centralized configuration management; Banking and financial institutions (SAMA-regulated) where compromise of salt-master could expose credentials for core banking systems. An authenticated attacker exploiting this vulnerability could traverse to sensitive directories containing API keys, database credentials, TLS certificates, and internal network topology data — enabling lateral movement across the entire managed infrastructure. Given Saudi Vision 2030 digital transformation initiatives, the breadth of SaltStack deployments in cloud and hybrid environments amplifies the blast radius significantly.
🏢 Affected Saudi Sectors
Energy
Government
Banking
Telecom
Healthcare
Defense
Cloud Service Providers
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Identify all salt-master instances across your environment using asset inventory tools
2. Isolate salt-master processes behind strict network segmentation — restrict access to trusted minion IPs only via firewall rules
3. Audit authentication logs on salt-master for anomalous directory traversal patterns (look for '../' sequences in request logs)
4. Rotate all credentials, API keys, and certificates stored or accessible via salt-master directories
PATCHING GUIDANCE:
5. Upgrade SaltStack Salt immediately to versions 2019.2.4 or 3000.2 which contain the official fix
6. If immediate patching is not possible, apply vendor-recommended workarounds including disabling ClearFuncs or restricting authenticated user permissions
7. Verify patch integrity using official SaltStack checksums before deployment
COMPENSATING CONTROLS (if patch unavailable):
8. Implement strict allowlisting of salt-master API calls at the network layer
9. Deploy a WAF or reverse proxy in front of salt-master with path traversal detection rules
10. Enable multi-factor authentication for all salt-master administrative accounts
11. Restrict file system permissions on salt-master to limit traversal impact
DETECTION RULES:
12. SIEM rule: Alert on HTTP/API requests containing '../', '%2e%2e', or encoded path traversal sequences targeting salt-master ports (4505/4506)
13. File integrity monitoring on /etc/salt/, /var/cache/salt/, and /srv/salt/ directories
14. Monitor for unexpected outbound connections from salt-master hosts
15. Deploy Sigma rule: detect unusual file access patterns in salt-master process logs
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية (خلال 24 ساعة):
1. تحديد جميع نسخ salt-master في بيئتك باستخدام أدوات جرد الأصول
2. عزل عمليات salt-master خلف تجزئة صارمة للشبكة — تقييد الوصول لعناوين IP الموثوقة فقط عبر قواعد جدار الحماية
3. مراجعة سجلات المصادقة على salt-master للكشف عن أنماط اجتياز المسار الشاذة (البحث عن تسلسلات '../' في سجلات الطلبات)
4. تدوير جميع بيانات الاعتماد ومفاتيح API والشهادات المخزنة أو التي يمكن الوصول إليها عبر مجلدات salt-master
إرشادات التصحيح:
5. ترقية SaltStack Salt فوراً إلى الإصدارات 2019.2.4 أو 3000.2 التي تحتوي على الإصلاح الرسمي
6. إذا تعذّر التصحيح الفوري، تطبيق الحلول البديلة الموصى بها من المورّد بما في ذلك تعطيل ClearFuncs أو تقييد صلاحيات المستخدمين المصادق عليهم
7. التحقق من سلامة التصحيح باستخدام المجاميع الاختبارية الرسمية من SaltStack قبل النشر
ضوابط التعويض (إذا لم يتوفر التصحيح):
8. تطبيق قائمة بيضاء صارمة لاستدعاءات API الخاصة بـ salt-master على مستوى الشبكة
9. نشر جدار حماية تطبيقات ويب أو وكيل عكسي أمام salt-master مع قواعد كشف اجتياز المسار
10. تفعيل المصادقة متعددة العوامل لجميع حسابات إدارة salt-master
11. تقييد أذونات نظام الملفات على salt-master للحد من تأثير الاجتياز
قواعد الكشف:
12. قاعدة SIEM: تنبيه على طلبات HTTP/API التي تحتوي على '../' أو '%2e%2e' أو تسلسلات اجتياز مسار مشفرة تستهدف منافذ salt-master (4505/4506)
13. مراقبة سلامة الملفات على مجلدات /etc/salt/ و/var/cache/salt/ و/srv/salt/
14. مراقبة الاتصالات الصادرة غير المتوقعة من مضيفي salt-master
15. نشر قاعدة Sigma للكشف عن أنماط وصول غير معتادة للملفات في سجلات عملية salt-master
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Cybersecurity Vulnerability Management
ECC-2-3-1: Access Control and Privilege Management
ECC-2-5-1: Cryptography and Key Management
ECC-2-6-1: Network Security and Segmentation
ECC-3-3-1: Patch and Vulnerability Management
🔵 SAMA CSF
3.3.3 Vulnerability Management
3.3.5 Patch Management
3.2.2 Access Control
3.3.6 Penetration Testing
3.4.1 Incident Management
🟡 ISO 27001:2022
A.8.8 Management of Technical Vulnerabilities (ISO 27001:2022)
A.8.3 Information Access Restriction
A.8.20 Network Security
A.8.9 Configuration Management
A.5.15 Access Control
🟣 PCI DSS v4.0
Requirement 6.3.3: All system components are protected from known vulnerabilities
Requirement 7.2: Access to system components is appropriately defined and assigned
Requirement 11.3: External and internal vulnerabilities are regularly identified and addressed
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
SaltStack:Salt