Safeguard
Vulnerability Analysis

SaltStack Directory Traversal Paired With Auth Bypass (CV...

CVE-2020-11652, a directory traversal flaw in SaltStack's salt-master, paired with an auth bypass to enable full remote compromise. Impact, CVSS/KEV context, and fixes.

Aman Khan
AppSec Engineer
7 min read

In late April 2020, SaltStack disclosed two vulnerabilities in its Salt configuration management platform that, together, gave unauthenticated attackers a direct path to full remote compromise of Salt infrastructure. CVE-2020-11652 is the directory traversal half of that pair — a flaw in the salt-master's request server that lets an attacker read (and in some contexts write) files outside the directories Salt intended to expose. On its own it's a serious information-disclosure bug. Chained with its sibling, the authentication bypass tracked as CVE-2020-11651, it becomes a reliable route to root-level access on the master and every minion it controls. Within days of the patch shipping, mass exploitation was underway across the internet-facing Salt install base.

Why CVE-2020-11652 Matters for Configuration Management at Scale

SaltStack (now maintained as part of VMware's Salt Project) is a widely deployed configuration management and remote execution framework. A single salt-master can orchestrate command execution, file distribution, and state enforcement across thousands of minions. That centralization is exactly what makes a vulnerability in the master's request-handling code so dangerous: compromise the master, and an attacker inherits control over the entire managed fleet. CVE-2020-11652 is significant precisely because it targets that trust boundary — the component every other node in the environment implicitly trusts.

Affected Versions and Components

The vulnerabilities live in the salt-master service, specifically in the ZeroMQ-based request server that listens on the default Salt ports (4505 for the publish port, 4506 for the request port). Salt's request server exposes two internal interfaces: AESFuncs, which requires an authenticated, encrypted session, and ClearFuncs, which is meant to handle only the narrow set of unauthenticated tasks needed before a minion has established trust (such as initial key exchange). The bug underlying CVE-2020-11652 is that methods reachable through ClearFuncs failed to properly validate and sanitize file paths supplied by the client, allowing path traversal sequences to escape the intended file root and reach arbitrary locations on the master's filesystem.

SaltStack fixed both issues in Salt 3000.2 and Salt 2019.2.4. Any salt-master running a version prior to those releases — across the 2019.2.x and 3000.x branches, as well as older unsupported branches — is vulnerable. Because Salt masters are frequently deployed with their request ports reachable from broad network segments (and in a number of documented cases, directly from the internet), the practical exposure was much larger than the "internal automation tool" label suggests.

CVSS, EPSS, and KEV Status

CVE-2020-11652 carries a CVSS v3.1 base score of 7.5 (High), reflecting a network-exploitable, unauthenticated read primitive with high confidentiality impact and no direct integrity or availability effect on its own (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Its companion, CVE-2020-11651, scores 9.8 (Critical), since the authentication bypass allows full command execution — and it's the combination of the two that security teams should treat as the real-world severity: an attacker can use the auth bypass to reach privileged master functions and the directory traversal to pull sensitive files (private keys, minion configuration, credentials) or, depending on the code path, place files where they shouldn't be.

Both CVEs have consistently shown elevated EPSS (Exploit Prediction Scoring System) scores relative to the broader vulnerability population, consistent with the sustained, automated scanning and exploitation activity observed against internet-facing Salt masters since 2020. Both CVE-2020-11651 and CVE-2020-11652 also appear on CISA's Known Exploited Vulnerabilities (KEV) catalog, a designation reserved for vulnerabilities with confirmed evidence of active exploitation in the wild — which for federal civilian agencies under Binding Operational Directive 22-01 triggers mandatory remediation timelines, and for everyone else is a strong signal that these are not theoretical bugs sitting in a lab.

Timeline

  • April 29–30, 2020 — SaltStack published patched releases (Salt 2019.2.4 and 3000.2) along with a security advisory addressing the authentication bypass and directory traversal issues, and CVE-2020-11651 / CVE-2020-11652 were assigned.
  • Within 24–48 hours of disclosure — Researchers and opportunistic attackers reverse-engineered the patch diff to reconstruct working exploits. Mass scanning and exploitation of unpatched, internet-exposed salt-masters began almost immediately, a now-common pattern where the patch itself becomes the exploit blueprint.
  • Early May 2020 — Multiple organizations publicly disclosed breaches traced back to unpatched Salt infrastructure, including compromises of build and hosting systems that were used to deploy cryptomining payloads and, in some incidents, led to downstream certificate-revocation and service-availability issues for affected providers.
  • Ongoing — Because Salt is often deployed in long-lived infrastructure and configuration management layers that are patched less frequently than application code, unpatched salt-master instances exposed to the internet have continued to surface in scans years after the original disclosure.

Remediation Steps

  1. Upgrade immediately. Update salt-master (and salt-minion, where applicable) to Salt 3000.2, 2019.2.4, or a later release. There is no viable long-term workaround short of patching — this is a code-level fix, not a configuration hardening issue.
  2. Restrict network exposure of ports 4505/4506. Salt masters should never be reachable from the open internet. Place them behind a firewall or VPN, and restrict access to known minion IP ranges and administrative hosts only.
  3. Audit for prior compromise. If a salt-master was internet-facing and unpatched between the vulnerability's disclosure and your patch date, treat it as potentially compromised: check for unexpected minion key acceptances, unfamiliar scheduled jobs or cron entries, unauthorized user accounts, unexplained outbound connections, and cryptomining processes.
  4. Rotate credentials and keys. Given the directory traversal's ability to read arbitrary files, rotate any secrets, SSH keys, or master/minion authentication keys that could have been exposed prior to patching.
  5. Inventory your configuration management footprint. CVE-2020-11652 is a reminder that configuration management systems — Salt, but also comparable tooling — sit at a privileged layer of the stack and deserve the same asset-tracking and patch-SLA discipline as internet-facing applications. Knowing every salt-master version running across your environment, including ones spun up outside of central IT's visibility, is the precondition for actually closing this gap.

How Safeguard Helps

CVE-2020-11652 is a textbook case of why software supply chain visibility can't stop at application dependencies — it has to extend to the infrastructure and configuration management tooling that operates your fleet. Safeguard helps teams close exactly this kind of gap:

  • Continuous component inventory — Safeguard identifies SaltStack and other configuration management components across your environment, including versions running in build systems, CI/CD pipelines, and production infrastructure that may not be tracked in a central asset register.
  • Vulnerability and KEV correlation — When a CVE like CVE-2020-11652 is confirmed exploited in the wild and added to CISA's KEV catalog, Safeguard flags any matching component in your environment against that context automatically, so remediation gets prioritized by real-world exploitation evidence rather than CVSS score alone.
  • Exposure-aware risk scoring — Because the actual risk of CVE-2020-11652 depends heavily on whether the affected service (like a salt-master) is internet-reachable, Safeguard combines vulnerability data with network exposure signals to distinguish "patch this quarter" from "patch today."
  • Supply chain provenance for your automation layer — Configuration management systems are part of your software supply chain just as much as your application dependencies are. Safeguard extends SBOM and provenance tracking to this layer so a future SaltStack-class disclosure — or one affecting Ansible, Puppet, Chef, or similar tooling — surfaces immediately, with the affected hosts already identified, instead of requiring a manual fire drill.

CVE-2020-11652 is more than five years old at this point, but it remains a relevant case study because the underlying conditions that made it so damaging — internet-exposed management infrastructure, slow patch cycles for "boring" internal tooling, and a lack of centralized visibility into where configuration management systems actually run — are still common today. Treating configuration management infrastructure with the same rigor as production application code is the lesson this CVE keeps teaching new organizations every time an old, unpatched salt-master turns up in a breach report.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.