📄 Description (English)
SaltStack Salt Authentication Bypass Vulnerability — SaltStack Salt contains an authentication bypass vulnerability in the salt-master process ClearFuncs due to improperly validating method calls. The vulnerability allows a remote user to access some methods without authentication, which can be used to retrieve user tokens from the salt master and/or run commands on salt minions. Salt users who follow fundamental internet security guidelines and best practices are not affected by this vulnerability.
🤖 AI Executive Summary
CVE-2020-11651 is a critical authentication bypass vulnerability in SaltStack Salt's salt-master process, specifically in the ClearFuncs class, which fails to properly validate method calls. An unauthenticated remote attacker can exploit this flaw to retrieve user tokens from the salt master and execute arbitrary commands on all connected salt minions. With a CVSS score of 9.0 and a publicly available exploit, this vulnerability poses an immediate and severe risk to any organization using SaltStack for infrastructure automation. Mass exploitation was observed in the wild shortly after disclosure, making rapid patching essential.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 18, 2026 06:28
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations leveraging SaltStack for large-scale infrastructure automation face critical exposure. Energy sector entities including Saudi Aramco and SABIC that use Salt for managing distributed OT/IT environments are at high risk of full infrastructure compromise. Government agencies under NCA oversight using Salt for configuration management could face complete loss of control over managed endpoints. Telecom providers such as STC and Zain KSA using Salt for network device management risk lateral movement across their entire managed fleet. Cloud service providers and managed security service providers (MSSPs) operating in Saudi Arabia face cascading compromise of all client environments. Banking institutions under SAMA supervision using Salt in DevOps pipelines risk exposure of sensitive credentials and unauthorized code deployment into production systems.
🏢 Affected Saudi Sectors
Energy
Government
Banking
Telecom
Healthcare
Cloud/Managed Services
Defense
⚖️ Saudi Risk Score (AI)
9.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Isolate salt-master instances from public internet access immediately — restrict port 4505 and 4506 to trusted minion IP ranges only using firewall ACLs.
2. Audit all salt-master logs for unauthorized ClearFuncs method calls, particularly wheel_async and runner_async invocations from unexpected sources.
3. Rotate ALL credentials, tokens, and secrets stored in or accessible via Salt pillar data immediately.
4. Check for indicators of compromise: unauthorized user accounts, new cron jobs, modified authorized_keys files, and unexpected outbound connections on all minions.
PATCHING GUIDANCE:
5. Upgrade SaltStack Salt to version 2019.2.4 or 3000.2 immediately — these versions contain the fix for CVE-2020-11651 and the companion CVE-2020-11652.
6. If immediate patching is not possible, block external access to TCP ports 4505 and 4506 as a compensating control.
7. Apply patches during an emergency change window — do not wait for scheduled maintenance.
COMPENSATING CONTROLS:
8. Implement network segmentation to ensure salt-master is only reachable from a dedicated management VLAN.
9. Enable Salt's external authentication (eAuth) and enforce multi-factor authentication for all Salt administrative access.
10. Deploy a WAF or network IPS rule to detect and block exploitation attempts targeting SaltStack ZeroMQ ports.
DETECTION RULES:
11. SIEM rule: Alert on any connection to port 4505/4506 from IPs outside the approved minion whitelist.
12. SIEM rule: Monitor for salt-master process spawning unexpected child processes or shell commands.
13. Snort/Suricata: Detect ZeroMQ messages invoking _prep_auth_info or _send_pub without valid authentication tokens.
14. EDR: Alert on new user creation, sudoers modification, or SSH key injection on salt minion hosts.
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية (خلال 24 ساعة):
1. عزل مثيلات salt-master عن الإنترنت العام فوراً — تقييد المنافذ 4505 و4506 على نطاقات IP الموثوقة فقط باستخدام قوائم التحكم في الوصول بجدار الحماية.
2. مراجعة جميع سجلات salt-master بحثاً عن استدعاءات أساليب ClearFuncs غير المصرح بها، خاصةً استدعاءات wheel_async وrunner_async من مصادر غير متوقعة.
3. تدوير جميع بيانات الاعتماد والرموز والأسرار المخزنة في أو يمكن الوصول إليها عبر بيانات Salt pillar فوراً.
4. التحقق من مؤشرات الاختراق: الحسابات غير المصرح بها، مهام cron الجديدة، ملفات authorized_keys المعدلة، والاتصالات الصادرة غير المتوقعة على جميع minions.
إرشادات التصحيح:
5. ترقية SaltStack Salt إلى الإصدار 2019.2.4 أو 3000.2 فوراً — تحتوي هذه الإصدارات على إصلاح CVE-2020-11651 والثغرة المصاحبة CVE-2020-11652.
6. إذا تعذر التصحيح الفوري، حظر الوصول الخارجي إلى المنافذ TCP 4505 و4506 كإجراء تعويضي.
7. تطبيق التصحيحات خلال نافذة تغيير طارئة — لا تنتظر الصيانة المجدولة.
ضوابط التعويض:
8. تطبيق تجزئة الشبكة لضمان إمكانية الوصول إلى salt-master فقط من VLAN إدارة مخصص.
9. تفعيل المصادقة الخارجية (eAuth) في Salt وفرض المصادقة متعددة العوامل لجميع وصول إدارة Salt.
10. نشر قاعدة WAF أو IPS للشبكة للكشف عن محاولات الاستغلال التي تستهدف منافذ SaltStack ZeroMQ وحظرها.
قواعد الكشف:
11. قاعدة SIEM: تنبيه عند أي اتصال بالمنفذ 4505/4506 من عناوين IP خارج القائمة البيضاء المعتمدة.
12. قاعدة SIEM: مراقبة عملية salt-master لاكتشاف العمليات الفرعية أو أوامر shell غير المتوقعة.
13. Snort/Suricata: الكشف عن رسائل ZeroMQ التي تستدعي _prep_auth_info أو _send_pub بدون رموز مصادقة صالحة.
14. EDR: تنبيه عند إنشاء مستخدم جديد أو تعديل sudoers أو حقن مفاتيح SSH على مضيفي salt minion.
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Cybersecurity Vulnerability Management — critical patch application within defined SLA
ECC-2-3-1: Access Control — authentication enforcement for administrative interfaces
ECC-2-5-1: Network Security — restriction of management plane access
ECC-2-6-1: Secure Configuration — hardening of infrastructure automation tools
ECC-3-3-1: Cybersecurity Event Management — detection and response to exploitation attempts
🔵 SAMA CSF
3.3.4 Vulnerability Management — immediate remediation of critical vulnerabilities in infrastructure automation
3.3.6 Patch Management — emergency patching procedures for CVSS 9.0+ vulnerabilities
3.2.3 Access Control Management — authentication bypass remediation
3.3.9 Network Security Management — segmentation of management infrastructure
3.4.2 Cyber Incident Management — response to active exploitation
🟡 ISO 27001:2022
A.8.8 Management of technical vulnerabilities — timely identification and remediation
A.8.3 Information access restriction — preventing unauthorized access to management systems
A.8.20 Networks security — network segmentation for management plane
A.8.25 Secure development life cycle — secure configuration of automation tooling
A.5.26 Response to information security incidents — incident response for active exploitation
🟣 PCI DSS v4.0
Requirement 6.3.3 — All system components protected from known vulnerabilities by patching
Requirement 7.2 — Access to system components restricted to least privilege
Requirement 10.7 — Failures of critical security controls detected and reported
Requirement 11.3.1 — Internal vulnerability scans performed regularly
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
SaltStack:Salt