SaltStack Reveals New Critical Vulnerabilities, Patch Now

SaltStack, a VMware-owned company, has revealed critical vulnerabilities impacting Salt versions 3002 and prior, with patches available as of today.

Salt is an open-source IT infrastructure management solution written in Python that is widely used by data centers around the world.

Users are therefore encouraged to patch their Salt instances immediately.

From shell injection to authentication bypass

The three vulnerabilities disclosed today are as follows, with their severity mentioned in the respective parentheses:

  1. CVE-2020-16846 (High/Critical) has been described by the Salt team as a shell injection vulnerability, patched by removing the `shell=True` option from a `subprocess.Popen` call in the SaltStack SSH client that is reachable through the netapi.

    The subprocess Python module lets you spawn new processes on the system. Spawning a process with `shell=True` from a command string that incorporates external user input is a known security hazard: the string is handed to the system shell, so shell metacharacters in the input (`;`, `|`, `$(...)`) become additional commands run with the privileges of the calling process.
    [Figure: the CVE-2020-16846 fix on GitHub; line 49 of the screenshot has the `shell=True` option removed to prevent shell injection attacks]
    Source: GitHub
    Shown above, the official fix released by the project states, “Stop calling Popen with shell=True to prevent shell injection attacks on the netapi salt-ssh client.”
     
  2. CVE-2020-25592 (High/Critical) is an authentication bypass flaw, but the fix published for it additionally mentions another identifier, CVE-2020-16804.

    “CVE-2020-16804 – Properly validate eauth credentials and tokens along with their ACLs,” states the fix applied for CVE-2020-25592.

    The commit further states, “Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. Any value for ‘eauth’ or ‘token’ would allow a user to bypass authentication and make calls to Salt ssh.”

    In other words, the pre-fix code checked only that an `eauth` or `token` value was present, not that it was valid. A test case provided by the project developers confirms that, in the patched versions, bogus eauth data causes Salt to raise an exception instead of passing the authentication check.
     
  3. CVE-2020-17490 (Low) concerns a permissions issue, specifically the file mode used when creating and saving cryptographic private key files.

    “This CVE affects any Minions or Masters that previously used the create_ca, create_csr, and create_self_signed_cert functions in the TLS module,” reads the November 3rd advisory linked below.

    “When using the functions create_ca, create_csr, and create_self_signed_cert in the tls execution module, it would not ensure the key was created with the correct permissions. With the CVE fix, the keys are no longer created with world-readable permissions and use 600,” continues the advisory.

    The patch also replaces the `os.O_WRONLY` (write-only) flag used when opening the TLS private key files with the `os.O_RDWR` (read-write) flag. Note that the access flag by itself does not govern who can read the file; the security-relevant change is the one the advisory describes, creating the key files with mode 600 so that they are no longer world-readable. Keys already written by an unpatched Salt keep their old permissions, so existing key files should be checked and tightened after upgrading.
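The following is an added example, not SaltStack's own code, that reproduces the two code-level fixes above on a toy scale on a POSIX system. The first part mirrors the CVE-2020-16846 pattern: a command string built from caller-supplied input and executed with `shell=True`, beside the hardened argv-list form (and, for cases where a shell is genuinely needed, `shlex.quote`). The second part mirrors CVE-2020-17490: a private key file written with the process umask deciding its mode, beside one created with an explicit 0600 mode, plus a small audit helper that flags existing key files readable by group or others. `echo` stands in for the real tool, and the `FAKE_KEY` bytes, file names and temporary paths are all constructed for this example.

```python
"""Added example (not SaltStack's code): shell injection via shell=True and
private-key file modes, on a toy scale. Assumes a POSIX system with /bin/sh."""
import os
import shlex
import stat
import subprocess
import tempfile


# --- Part 1: shell injection (the CVE-2020-16846 pattern) -------------------

def run_vulnerable(target: str) -> str:
    """Pre-fix style: caller input is interpolated into a string that the
    shell parses, so ';' in `target` starts a second command."""
    cmd = "echo connecting to " + target          # echo stands in for the real tool
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return proc.stdout.strip()


def run_hardened(target: str) -> str:
    """Fixed style: argv list, no shell. `target` is one argument, however it
    is spelled, and no metacharacter is ever interpreted."""
    argv = ["echo", "connecting", "to", target]
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout.strip()


def run_quoted(target: str) -> str:
    """If a shell really is required (pipes, redirections), quote every
    untrusted token with shlex.quote so it stays a single word."""
    cmd = "echo connecting to " + shlex.quote(target)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return proc.stdout.strip()


def demo_injection() -> dict:
    """Run the same injected 'hostname' through all three variants and report
    whether the smuggled `touch` command actually executed."""
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "pwned")         # constructed scratch path
        payload = "host1; touch " + marker        # constructed attacker input
        out = {}
        for name, fn in (("vulnerable", run_vulnerable),
                         ("hardened", run_hardened),
                         ("quoted", run_quoted)):
            out[name + "_out"] = fn(payload)
            out[name + "_marker"] = os.path.exists(marker)
            if os.path.exists(marker):
                os.remove(marker)
        return out


# --- Part 2: private key file mode (the CVE-2020-17490 pattern) -------------

# Constructed placeholder, not real key material.
FAKE_KEY = b"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"


def write_key_default_umask(path: str) -> int:
    """Pre-fix style: plain open(); the process umask decides the mode.
    The umask is pinned to 022 so the result is deterministic, then restored.
    Returns the resulting permission bits."""
    old = os.umask(0o022)
    try:
        with open(path, "wb") as f:
            f.write(FAKE_KEY)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_0600(path: str) -> int:
    """Fixed style: pass mode 0600 at creation so the file is never readable
    by group or others, not even briefly. The O_WRONLY/O_RDWR access flag
    does not affect the permission bits; the mode argument does."""
    old = os.umask(0o022)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(FAKE_KEY)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def find_group_or_world_readable(directory: str) -> list:
    """Audit helper: names of regular files under `directory` that grant
    read access to group or others, i.e. keys left behind by an older Salt."""
    flagged = []
    for name in sorted(os.listdir(directory)):
        p = os.path.join(directory, name)
        if not os.path.isfile(p):
            continue
        if stat.S_IMODE(os.stat(p).st_mode) & (stat.S_IRGRP | stat.S_IROTH):
            flagged.append(name)
    return flagged


def demo_key_modes() -> dict:
    with tempfile.TemporaryDirectory() as d:
        loose = write_key_default_umask(os.path.join(d, "ca_loose.key"))
        tight = write_key_0600(os.path.join(d, "ca_tight.key"))
        return {"loose_mode": loose, "tight_mode": tight,
                "flagged": find_group_or_world_readable(d)}


if __name__ == "__main__":
    print(demo_injection())
    print({k: (oct(v) if isinstance(v, int) else v) for k, v in demo_key_modes().items()})
```

Running the block shows the vulnerable variant creating the marker file while printing only `connecting to host1`, whereas the argv and quoted variants print the whole payload as a literal and create nothing. For the key files, the umask-dependent write lands at 0644 and is flagged by the audit helper; the explicit-mode write lands at 0600. The audit loop is the check worth running over an existing PKI directory after upgrading, since the fix only changes how new keys are created.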


Confusing disclosure timeline

While the vulnerabilities were disclosed today, it is worth noting that fixes for all three were committed to the public GitHub repository much earlier.

For example, the fix for CVE-2020-16846 was pushed to GitHub as early as August 18th, and the Salt client test cases for the shell injection flaw also mention multiple Zero Day Initiative (ZDI) IDs, such as ZDI-CAN-11143. The original report under this identifier, however, dates from June 2020, as shown below.

[Figure: ZDI-CAN-11143, reported via Zero Day Initiative to SaltStack as of June 2nd, 2020]
Source: Zero Day Initiative

The November 3rd advisory does attribute the discovery of CVE-2020-16846 and CVE-2020-17490 to KPC of Trend Micro Zero Day Initiative who had reported multiple ZDI vulnerabilities in June 2020.

It is not clear why SaltStack pushed the CVE fixes to its public GitHub repository months before coordinating public disclosure, as the visible commits could have been used by threat actors to build exploits well before users knew there was anything to patch.

As observed by BleepingComputer today, Shodan lists over 6,000 Salt Master nodes exposed to the internet, not all of which may be running the latest, patched versions.

[Figure: Shodan reports 6,138 exposed SaltStack Master nodes]
Source: BleepingComputer

SaltStack gives advance heads up

On October 30th, SaltStack had released a security advisory announcing that these CVEs would be disclosed today, November 3rd, which is also US Election Day.

The advance partial disclosure on these critical vulnerabilities is a cautious move on SaltStack’s part given the widespread attacks that had hit vulnerable Salt instances earlier this year.

“Two of these vulnerabilities are expected to be rated as high/critical and the other is expected to be low based on the Common Vulnerability Scoring System (CVSS). Once SaltStack became aware of the vulnerabilities, we quickly took actions to remediate them,” stated the October 30th advisory. 

Partial disclosures are increasingly becoming the norm for open-source software.

Giving everyone a heads up allows time for the vulnerable instances to be patched before security flaws can potentially be exploited in the wild by adversaries.


The fixed versions are 3002.1, 3001.3, and 3000.5, depending on which branch of Salt you are using. The company has also made patches available for older versions, such as 2019.x.

SaltStack has provided some tips on how to harden your Salt instances, in addition to patching for new vulnerabilities that may be discovered from time to time.

It remains questionable, despite the company giving an advance heads up, whether Election Day is ever the right time to disclose critical vulnerabilities—especially considering the fixed versions have also been released today, coinciding with the full disclosure. 

Users can download the fixed releases from PyPI now. More information is also available in the November 3, 2020 advisory.
