CVE-2020-16846

Severity: Critical · CISA KEV · Exploit Available
Published: Nov 3, 2021 · Source: CISA_KEV
CVSS v3: 9.0
📄 Description (English)

SaltStack Salt Shell Injection Vulnerability — SaltStack Salt allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt API using the SSH client. This vulnerability affects any users running the Salt API.

🤖 AI Executive Summary

CVE-2020-16846 is a critical shell injection vulnerability in SaltStack Salt that allows unauthenticated remote attackers to execute arbitrary code on systems running the Salt API by injecting shell commands through the API's SSH client. With a CVSS score of 9.0 and a confirmed public exploit, this vulnerability poses an immediate and severe threat to any organization using SaltStack for infrastructure automation and configuration management. Because no authentication is required, the barrier to exploitation is very low. Organizations must treat this as an emergency requiring immediate remediation, given the widespread use of SaltStack in enterprise and cloud environments.

🤖 AI Intelligence Analysis (analyzed: Apr 19, 2026 02:22)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations leveraging SaltStack for large-scale infrastructure automation face critical exposure. Key at-risk sectors include:
1. Energy (ARAMCO, SABIC): SaltStack is widely used in OT/IT convergence environments for configuration management of critical infrastructure nodes.
2. Government and NCA-regulated entities: ministries and government agencies using SaltStack for server fleet management risk full infrastructure compromise.
3. Telecom (STC, Mobily): large-scale server farms managed via Salt are vulnerable to lateral movement and mass compromise.
4. Banking and SAMA-regulated institutions: Salt API exposure could lead to unauthorized access to financial backend systems, violating SAMA CSF requirements.
5. Cloud and MSP providers operating in Saudi Arabia: a single compromised Salt master could cascade to thousands of managed minion systems.
Given that this vulnerability requires zero authentication and has a public exploit, Saudi SOCs should assume active exploitation attempts are ongoing.
🏢 Affected Saudi Sectors: Energy, Government, Banking, Telecom, Healthcare, Cloud/MSP, Defense, Transportation
⚖️ Saudi Risk Score (AI): 9.4 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Identify all systems running Salt API (salt-api service) across your environment immediately.
2. Disable or firewall the Salt API port (default 8000/TCP) from public internet access immediately.
3. Restrict Salt API access to trusted IP ranges only using firewall ACLs or security groups.
4. Check Salt API logs for signs of exploitation: look for unusual SSH subprocess spawning, unexpected outbound connections, or anomalous command execution patterns.

PATCHING GUIDANCE:
5. Upgrade SaltStack Salt to version 3001.1, 3000.3, or 2019.2.7 or later — these versions contain the official fix.
6. Follow the SaltStack security advisory (https://saltproject.io/security_announcements/) for version-specific patch instructions.
7. After patching, rotate all Salt API credentials, tokens, and any secrets accessible from Salt masters.

COMPENSATING CONTROLS (if immediate patching is not possible):
8. Completely disable the Salt API service until patching is complete: systemctl stop salt-api && systemctl disable salt-api
9. Implement network segmentation to isolate Salt masters from untrusted networks.
10. Deploy WAF rules to detect and block shell metacharacter injection patterns targeting the Salt API endpoint.
11. Enable process-level monitoring (auditd/Sysmon) to detect unexpected child processes spawned by salt-api.

DETECTION RULES:
12. SIEM alert: Monitor for salt-api spawning /bin/sh, /bin/bash, or ssh processes as child processes.
13. Network IDS: Alert on HTTP POST requests to /run or /hook endpoints containing shell metacharacters (;, |, &&, $(), backticks).
14. Threat hunt: Search for new cron jobs, SSH authorized_keys modifications, or new user accounts created after Salt API activity.
15. Review Salt master logs at /var/log/salt/api for anomalous entries.
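Detection rules 12 and 13 above, expressed as runnable logic (an added example, not tooling from the page or from the Salt project). The process events use a constructed "key=value" line format standing in for auditd EXECVE or Sysmon process-creation records; the PIDs, paths and request bodies are sample values, not real telemetry.

```python
"""Rule 12 (salt-api spawning a shell/ssh) and rule 13 (shell metacharacters
in POST bodies to /run or /hook). Event format is a constructed stand-in for
auditd/Sysmon records: 'pid=<n> ppid=<n> comm=<name> exe=<path> [cmd="..."]'."""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Child executables salt-api should never spawn directly (rule 12).
SUSPICIOUS_CHILD = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/ssh"}
# Metacharacters from rule 13. A lone '&' is deliberately excluded: it is the
# form-encoded field separator in every legitimate Salt API request body.
SHELL_META = re.compile(r"[;|`]|&&|\$\(")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "pid=1200 ppid=1 comm=salt-api exe=/usr/bin/python3",
    "pid=1305 ppid=1200 comm=python3 exe=/usr/bin/python3",  # normal worker
    'pid=1410 ppid=1200 comm=sh exe=/bin/sh cmd="sh -c id"',  # rule 12 hit
    "pid=1411 ppid=1200 comm=ssh exe=/usr/bin/ssh",           # rule 12 hit
    "pid=1500 ppid=900 comm=sh exe=/bin/sh",                  # unrelated shell
]

def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v k="v with spaces"' into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def find_salt_api_children(lines: List[str]) -> List[Dict[str, str]]:
    """Rule 12: exec events whose parent PID belongs to a salt-api process.
    Two passes: learn the salt-api PIDs first, then check every event's parent."""
    events = [parse_event(l) for l in lines if l.strip()]
    salt_api_pids = {e["pid"] for e in events if e.get("comm") == "salt-api"}
    return [e for e in events
            if e.get("ppid") in salt_api_pids and e.get("exe") in SUSPICIOUS_CHILD]

def suspicious_request(method: str, path: str, body: str) -> bool:
    """Rule 13: POST to /run or /hook whose percent-decoded body carries shell
    metacharacters. Decoding first means '%3B' is caught as ';'."""
    p = path.split("?", 1)[0]
    if method != "POST" or not (p == "/run" or p.startswith("/hook")):
        return False
    return SHELL_META.search(unquote_plus(body)) is not None

if __name__ == "__main__":
    for hit in find_salt_api_children(SAMPLE_EVENTS):
        print("ALERT salt-api child process:", hit)
```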
🔧 Remediation Steps (Arabic version, translated)
IMMEDIATE ACTIONS (within 24 hours):
1. Identify all systems running the Salt API (the salt-api service) in your environment immediately.
2. Disable or block the Salt API port (default 8000/TCP) from public internet access immediately.
3. Restrict Salt API access to trusted IP ranges only, using access control lists or security groups.
4. Review Salt API logs for signs of exploitation: look for unusual SSH processes, suspicious outbound connections, or abnormal command execution patterns.

PATCHING GUIDANCE:
5. Upgrade SaltStack Salt to version 3001.1, 3000.3, or 2019.2.7 or later; these versions contain the official fix.
6. Follow the SaltStack security advisory for version-specific patch instructions.
7. After patching, rotate all Salt API credentials and tokens and any secrets reachable from Salt masters.

COMPENSATING CONTROLS (if immediate patching is not possible):
8. Disable the Salt API service completely until patching is complete: systemctl stop salt-api && systemctl disable salt-api
9. Apply network segmentation to isolate Salt masters from untrusted networks.
10. Deploy WAF rules to detect and block command injection patterns targeting the Salt API endpoint.
11. Enable process monitoring (auditd/Sysmon) to detect unexpected child processes created by salt-api.

DETECTION RULES:
12. SIEM alert: monitor salt-api for creating /bin/sh, /bin/bash, or ssh as child processes.
13. Network IDS: alert on HTTP POST requests to the /run or /hook endpoints that contain shell-special characters.
14. Threat hunting: search for new cron jobs, modifications to SSH authorized_keys, or new user accounts created after Salt API activity.
15. Review Salt master logs in /var/log/salt/api for abnormal entries.
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Cybersecurity Vulnerability Management — immediate patching of critical vulnerabilities
ECC-1-3-2: Cybersecurity Event Logging and Monitoring — detection of exploitation attempts
ECC-2-2-1: Network Security — restricting unauthorized network access to management interfaces
ECC-2-3-1: Secure Configuration — hardening API exposure and access controls
ECC-1-5-1: Cybersecurity Incident Management — response to active exploitation
🔵 SAMA CSF
3.3.3 Vulnerability Management — critical vulnerability identification and remediation
3.3.5 Patch Management — emergency patching procedures for critical systems
3.2.4 Network Security — API access restriction and network segmentation
3.3.6 Security Monitoring and Incident Management — detection of unauthenticated API exploitation
3.2.2 Identity and Access Management — credential rotation post-compromise
🟡 ISO 27001:2022
A.8.8 Management of technical vulnerabilities — patching of the Salt API
A.8.20 Networks security — restricting Salt API network exposure
A.8.25 Secure development life cycle — secure API configuration
A.5.26 Response to information security incidents — incident response activation
A.8.15 Logging — monitoring Salt API for exploitation indicators
🟣 PCI DSS v4.0
Requirement 6.3.3 — All system components protected from known vulnerabilities via patching
Requirement 6.4.1 — Web-facing applications protected against known attacks
Requirement 10.2 — Audit logs to detect unauthorized access attempts
Requirement 1.3 — Network access controls restricting inbound connections to Salt API
📦 Affected Products / CPE (1 entry)
SaltStack:Salt
📋 Quick Facts
Severity: Critical
CVSS Score: 9.0 / 10.0 (Critical)
EPSS: 94.39%
Exploit available: Yes
Patch available: Yes
CISA KEV: Yes
KEV Due Date: 2022-05-03
Published: 2021-11-03
Source Feed: cisa_kev
🇸🇦 Saudi Risk Score: 9.4 / 10.0 (Priority: CRITICAL)
🏷️ Tags: kev, actively-exploited