Safeguard
Vulnerability Analysis

CVE-2020-11651: Authentication bypass in SaltStack salt-m...

CVE-2020-11651, a critical CVSS 9.8 authentication bypass in SaltStack's salt-master, enabled unauthenticated RCE and fueled real-world attacks on LineageOS, Ghost, and DigiCert.

Vikram Iyer
Security Researcher
8 min read

In April 2020, SaltStack quietly patched a pair of vulnerabilities in its Salt configuration management framework. Within days, the flaws were being exploited in the wild against exposed salt-master servers, hitting production infrastructure at LineageOS, Ghost, and DigiCert. The most severe of the two, CVE-2020-11651, is an authentication bypass in the Salt master's request server that lets an unauthenticated, remote attacker execute arbitrary commands on every minion under that master's control — and, when chained with its sibling directory-traversal bug, read and write arbitrary files on the master itself. For any organization that used Salt to orchestrate fleets of servers, this was as close to a worst-case scenario as configuration management tooling gets: one exposed master, full fleet compromise.

What the vulnerability is

Salt uses a master/minion architecture: a central salt-master pushes commands and configuration to fleets of salt-minion agents over ZeroMQ. The master exposes a "ClearFuncs" class that handles certain unauthenticated requests by design — functions minions need to call before they've established a session, such as requesting the master's public key. The bug was that several methods exposed through ClearFuncs, including _send_pub and _prep_auth_info, did not actually require any authentication or authorization check before being invoked.

_send_pub allowed an attacker to publish arbitrary commands directly to the minion command bus, meaning any minion connected to the master would execute whatever the attacker sent — effectively remote code execution across the entire fleet with no credentials at all. _prep_auth_info exposed access to Salt's "wheel" modules, which are meant to be privileged, master-side administrative functions (managing keys, reading and writing files, provisioning new minions, and more). Because wheel access was reachable without authentication, an attacker could use it directly on the master.

This is where CVE-2020-11651 compounds with its companion vulnerability, CVE-2020-11652, a directory traversal flaw in the same ClearFuncs interface. Normally paired in write-ups because they were discovered and patched together, CVE-2020-11652 let an attacker manipulate file paths passed into wheel module calls to read and write files outside the intended directory. Combined, the two bugs gave an unauthenticated attacker a path to full root-level compromise of the salt-master host and, through it, every minion it managed — reading /etc/shadow, dropping SSH keys, or pushing malicious states to thousands of servers in one request.

Affected versions and components

The vulnerable component is the salt-master service, part of the SaltStack Salt open-source project (now maintained under the Broadcom/VMware umbrella as part of vRealize/Aria Automation SaltStack Config). The bypass affects:

  • Salt versions prior to 2019.2.4
  • Salt 3000 versions prior to 3000.2

Salt minions are not directly vulnerable — the flaw lives in the master's unauthenticated request-handling logic — but a compromised master gives an attacker command execution on every minion it manages, which in practice means minions are the ultimate blast radius even though they aren't the entry point. Any deployment running an internet-facing or otherwise reachable salt-master on an unpatched version, with the default ports (4505/4506) accessible to untrusted networks, was exposed.

CVSS, EPSS, and KEV context

CVE-2020-11651 carries a CVSS v3.1 base score of 9.8 (Critical), reflecting a network-exploitable vulnerability with no privileges or user interaction required and high impact to confidentiality, integrity, and availability. That score is well earned: there is no authentication barrier at all, the attack requires nothing more than network access to the master's ports, and successful exploitation grants root-equivalent control.

Given the scale and speed of real-world exploitation described below, this CVE has long carried an EPSS score in the highest exploitation-probability band tracked by FIRST — unsurprising for a vulnerability with public proof-of-concept exploits, wormable characteristics, and a documented history of mass scanning. It is also listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which requires U.S. federal civilian agencies to remediate it on an accelerated timeline and serves as a strong industry signal that exploitation is not theoretical — it happened, repeatedly, against real production systems.

Timeline

  • Early-to-mid 2020 — Security researchers at F-Secure identify the authentication bypass and directory traversal issues in Salt's ClearFuncs interface during independent research and report them to SaltStack.
  • April 2020 — SaltStack releases patched versions, 2019.2.4 and 3000.2, fixing both CVE-2020-11651 and CVE-2020-11652, along with an advisory urging users to restrict access to the salt-master ports.
  • Early May 2020 — F-Secure publishes technical details of the vulnerabilities publicly. Within roughly 24–48 hours, opportunistic attackers begin mass-scanning the internet for exposed salt-masters and weaponizing the flaw.
  • May 2020 — Confirmed compromises hit multiple high-profile organizations running exposed, unpatched salt-masters, including the LineageOS project (build infrastructure), the Ghost blogging platform (Ghost.org's hosting infrastructure), and DigiCert, which had to revoke and reissue TLS certificates as a precaution after its Salt-managed infrastructure was affected.
  • Following months — The incident becomes a widely cited case study in "patch-gap" exploitation: attackers reverse-engineered the official fix to build working exploits faster than many operators could apply it, a pattern later reflected in its inclusion on CISA's KEV catalog.

The core lesson from the timeline isn't just "patch fast" — it's that the window between a patch release and mass exploitation can be measured in hours once a fix reveals what was broken. Organizations that treated the April patch as routine maintenance rather than urgent, out-of-band remediation were the ones that ended up in incident response mode in May.

Remediation steps

  1. Upgrade immediately. Update salt-master to 2019.2.4, 3000.2, or any later release. This is the only complete fix — there is no viable mitigation that fully closes the authentication bypass without patching the code.
  2. Restrict network exposure of the master. Salt masters should never be reachable from the public internet. Firewall ports 4505 and 4506 to only the minion IP ranges that need them, and place management infrastructure behind a VPN or bastion.
  3. Audit for prior compromise. If a master was internet-facing and unpatched during the exploitation window, do not assume patching alone is sufficient. Review master and minion logs for unrecognized wheel/runner calls, unexpected file writes, unfamiliar cron jobs or SSH keys, and any minions executing commands their state files don't account for.
  4. Rotate credentials and keys. Treat any exposed, unpatched master as potentially compromised: rotate master and minion keys, API tokens, and any secrets that Salt states or pillars had access to.
  5. Reissue certificates where relevant. As DigiCert's own response illustrated, if certificate issuance infrastructure touched a compromised Salt environment, proactively revoking and reissuing certificates is a reasonable precaution.
  6. Track this CVE in ongoing vulnerability management, not just at patch time. Because CVE-2020-11651 is in the CISA KEV catalog, it should be flagged automatically by any vulnerability management or SBOM-based monitoring process for as long as older Salt versions might still be running anywhere in your environment — including in forgotten dev/test infrastructure, appliances, or vendor products that bundle Salt.

How Safeguard Helps

CVE-2020-11651 is a textbook example of why point-in-time patching isn't enough: the vulnerability was fixed in April 2020, yet organizations were still compromised in May 2020 because nobody had continuous visibility into where Salt was actually running, at what version, and whether it was reachable. Safeguard is built to close exactly that gap for software supply chain risk.

  • Continuous SBOM and component inventory — Safeguard identifies every instance of SaltStack Salt across your environment, including dependencies bundled inside container images, infrastructure-as-code tooling, and third-party appliances, so you know your real exposure surface instead of relying on a spreadsheet from the last audit.
  • KEV-aware prioritization — Because CVE-2020-11651 sits in CISA's Known Exploited Vulnerabilities catalog, Safeguard automatically elevates it above CVSS-only scoring, surfacing it as an urgent remediation item rather than letting it sit in a routine patch backlog alongside lower-risk findings.
  • Exposure-aware risk scoring — Safeguard correlates vulnerable components with network reachability signals, so an internet-facing salt-master running a vulnerable version is flagged as critical, while an internal, firewalled instance is triaged accordingly — reflecting the actual attack path, not just the presence of a CVE.
  • Drift and re-introduction detection — Legacy or vulnerable Salt versions have a way of reappearing through golden images, forked repos, or vendor updates. Safeguard continuously monitors for regressions so a fixed vulnerability doesn't silently come back.
  • Audit-ready evidence — For teams under SOC 2 or similar compliance obligations, Safeguard maintains a continuous record of detection, prioritization, and remediation timelines for high-severity CVEs like this one, turning incident post-mortems and auditor questions into a straightforward export rather than a scramble.

The SaltStack incident showed how quickly a critical authentication bypass in widely deployed infrastructure tooling can turn into a supply chain event, spreading from one exposed master into the systems of downstream customers and users who never touched Salt directly. Safeguard's mission is to make sure that when the next CVE-2020-11651 lands, your organization finds out from a dashboard — not from a customer, or a headline.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.