Safeguard
Vulnerability Analysis

SaltStack Authentication Bypass Behind Mass Salt-Master E...

CVE-2020-11651 let unauthenticated attackers hijack Salt masters, triggering mass exploitation within days of disclosure. Here is what happened and how to fix it.

Vikram Iyer
Security Researcher
7 min read

In late April 2020, SaltStack quietly shipped a patch for two vulnerabilities in its Salt configuration management platform. Within days, CVE-2020-11651 — a critical authentication bypass in the Salt master service — was being used to compromise thousands of internet-facing servers, including infrastructure belonging to LineageOS, Ghost, DigiCert, and Algolia. The flaw let an unauthenticated attacker who could reach a salt-master's network ports run arbitrary commands as root on every minion it managed, turning a single exposed management server into a foothold across an entire fleet.

This post breaks down what CVE-2020-11651 actually is, the affected versions, how it was scored and tracked, the timeline from disclosure to mass exploitation, and what remediation looks like — both for teams still running Salt and for anyone assessing third-party software that depends on it.

What Is CVE-2020-11651?

SaltStack Salt uses a ClearFuncs class on the salt-master process to handle certain unauthenticated, "clear" (non-encrypted-channel) RPC requests — functionality intended only for a small set of pre-authentication operations like minion key exchange. CVE-2020-11651 exists because the validate() method in that ClearFuncs class failed to properly restrict which methods a client could invoke. An attacker who could send network requests to the salt-master's request server port could call internal methods that were never meant to be reachable without authentication, including ones that returned minion authentication data and, more damagingly, allowed publishing arbitrary commands to be executed on minions.

In practice this meant remote, unauthenticated command execution. No credentials, no valid minion key, and no prior access were required — only network reachability to the salt-master's ports (by default TCP 4505 and 4506).

CVE-2020-11651 was disclosed alongside a companion flaw, CVE-2020-11652, a directory traversal vulnerability in the same ClearFuncs interface that allowed unauthenticated reading of arbitrary files on the master. The two were frequently chained: attackers used the traversal bug to pull sensitive files (such as the master's private keys or /etc/shadow) and the authentication bypass to push and execute commands, giving them both information disclosure and full remote code execution from a single exposed service.

Affected Versions and Components

The vulnerability lives in the salt-master component of SaltStack Salt, not in the minion agents themselves. According to SaltStack's advisory and the corresponding NVD entry, versions of Salt before 2019.2.4 and before 3000.2 are affected. SaltStack fixed both CVE-2020-11651 and CVE-2020-11652 in the 2019.2.4 and 3000.2 releases.

Because Salt is embedded in a wide range of downstream products — infrastructure automation platforms, PaaS offerings, and various DevOps tooling that bundle a salt-master for orchestration — the practical blast radius extended well beyond organizations that had knowingly deployed SaltStack directly. Any product or managed service that shipped an unpatched salt-master, even as an internal implementation detail, inherited the same exposure.

CVSS, EPSS, and KEV Context

CVE-2020-11651 is rated Critical, with a CVSS v3.1 base score of 9.8 (Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, and High impact to confidentiality, integrity, and availability). That scoring reflects exactly what made the bug so dangerous in practice: no authentication, no user interaction, low complexity, and complete compromise of affected hosts.

Given the scale of real-world exploitation that followed disclosure, CVE-2020-11651 has consistently carried a high EPSS (Exploit Prediction Scoring System) probability relative to most CVEs, reflecting sustained scanning and exploitation activity in the wild rather than a one-off event. It is also listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which specifically tracks vulnerabilities with confirmed active exploitation — a designation that carries remediation-deadline obligations for U.S. federal agencies under Binding Operational Directive 22-01, and that most vulnerability management programs treat as a strong signal to prioritize patching regardless of sector.

Timeline

  • Weeks before public disclosure: F-Secure's vulnerability research team identified the ClearFuncs authentication issue and reported it to SaltStack through coordinated disclosure.
  • April 29, 2020: SaltStack published a security advisory and released patched versions 2019.2.4 and 3000.2, addressing CVE-2020-11651 and CVE-2020-11652. Technical details were held back initially to give operators time to patch.
  • Early May 2020: Within days, proof-of-concept exploit code and technical writeups began circulating publicly. Mass scanning of the internet for exposed salt-master ports (4505/4506) followed almost immediately, and opportunistic attackers began exploiting unpatched instances at scale — this is the mass exploitation event most commonly associated with the CVE.
  • May 2020: Multiple high-profile compromises tied to the flaw became public, including build infrastructure for LineageOS, the Ghost blogging platform's hosting infrastructure, and services from DigiCert and Algolia. Some intrusions deployed cryptocurrency miners; others were used for broader lateral movement.
  • May 5, 2020: CISA issued an alert (AA20-126A) warning organizations about active exploitation of the SaltStack vulnerabilities and urging immediate patching or network isolation of salt-master services.
  • Following months: The incident became a widely cited case study in patch-lag risk — the window between advisory publication and mass exploitation was measured in days, not weeks, which was unusually fast for that era and reinforced the value of emergency patching processes for critical, unauthenticated RCE bugs.

Remediation Steps

For any organization still running an affected Salt deployment, or assessing whether legacy infrastructure might be exposed, the remediation path is well established:

  1. Upgrade Salt immediately. Update salt-master (and accompanying salt-minion packages, for consistency) to 2019.2.4, 3000.2, or any later release. All currently maintained Salt releases include the ClearFuncs fix.
  2. Restrict network exposure of the master. Salt-master's request server (4505/4506 by default) should never be reachable from the public internet. Firewall these ports to only the minions and administrative hosts that need access, and treat any internet-facing salt-master discovered during an audit as a likely-compromised host requiring incident response, not just patching.
  3. Assume compromise if exposure predates patching. If a salt-master was internet-reachable and unpatched at any point after the vulnerability became public, rotate the master's keys, review minion configurations for unauthorized changes, and audit for unexpected cron jobs, users, or outbound connections consistent with cryptomining or backdoor installation.
  4. Inventory Salt usage across vendors and internal tooling. Because Salt is frequently embedded inside other automation and platform products, confirm that any third-party software or SaaS platform in your environment that relies on SaltStack has been updated, and request attestation from vendors where you can't verify directly.
  5. Monitor for KEV-listed vulnerabilities going forward. CVE-2020-11651's inclusion in CISA's KEV catalog is a reminder that vulnerabilities don't stop mattering once patches ship — internet-wide scanning against known, high-severity bugs continues for years, targeting the long tail of unpatched systems.

How Safeguard Helps

CVE-2020-11651 is a textbook example of why supply chain visibility has to extend past your own first-party code and into the infrastructure automation and management tooling running underneath it. A salt-master is rarely the "product" — it's the plumbing that keeps everything else configured and running — which is exactly why it gets overlooked in asset inventories and patch cycles until an advisory like this one forces the issue.

Safeguard is built for that gap. Our platform continuously maps the software and infrastructure components across your environment and your vendors' environments, so a component like SaltStack doesn't have to be top-of-mind for someone to catch that it's out of date. When a CVE like CVE-2020-11651 is disclosed — or, just as importantly, when CISA adds a vulnerability to the KEV catalog signaling active exploitation — Safeguard correlates that intelligence against your actual component inventory in real time, flags affected assets by version, and prioritizes them using CVSS severity, EPSS exploitation likelihood, and KEV status together, rather than CVSS alone.

For vulnerabilities with a mass-exploitation profile like this one — critical severity, network-exposed, no authentication required — Safeguard's alerting is designed to surface the finding fast enough to close the window that attackers depend on, and to keep tracking exposed instances through remediation until they're verifiably patched. That combination of continuous discovery, exploit-context prioritization, and vendor-level supply chain mapping is what turns a scramble like the SaltStack incident into a routine, manageable patch cycle instead of an incident response.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.