CVE-2020-11652 Overview
A directory traversal vulnerability was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users, enabling attackers to read sensitive files from the Salt master server.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and has been actively exploited in the wild. Authenticated attackers can leverage improper path sanitization to traverse directories and access sensitive configuration files, credentials, and other critical data on Salt master servers.
Affected Products
- SaltStack Salt (versions before 2019.2.4 and 3000.x before 3000.2)
- openSUSE Leap 15.1
- Debian Linux 8.0, 9.0, 10.0
- Canonical Ubuntu Linux 16.04 ESM, 18.04 LTS
- BlackBerry Workspaces Server
- VMware Application Remote Collector 7.5.0, 8.0.0
Discovery Timeline
- April 30, 2020 - CVE-2020-11652 published to NVD
- November 7, 2025 - Last updated in NVD database
Technical Details for CVE-2020-11652
Vulnerability Analysis
This vulnerability exists in the ClearFuncs class within the salt-master process, which handles unauthenticated requests on the publish port. Several methods within this class fail to properly sanitize user-supplied file paths, allowing authenticated users to escape intended directory boundaries. The flaw enables directory traversal attacks where an attacker can navigate the file system using path traversal sequences to access files outside the intended scope.
The vulnerability is particularly dangerous in SaltStack environments because the Salt master typically has access to sensitive configuration data, encryption keys, and credentials used to manage infrastructure. Successful exploitation allows an attacker to read arbitrary files from the master server, potentially exposing secrets that could lead to complete infrastructure compromise.
Root Cause
The root cause of CVE-2020-11652 is improper input validation (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The vulnerable methods in the ClearFuncs class do not adequately sanitize file path parameters before using them in file system operations. This allows authenticated users to inject path traversal sequences such as ../ to navigate to arbitrary directories on the Salt master file system.
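As an added illustration of the CWE-22 root cause (this is not Salt's code or its patch), the Python example below contrasts an unchecked join with a containment check that resolves the path before comparing it to the allowed root. The function names and the temporary srv/salt directory layout are assumptions made for the example.

```python
import os
import tempfile


def naive_join(root, user_path):
    """Unchecked pattern: the result can land anywhere on the filesystem."""
    return os.path.join(root, user_path)


def safe_join(root, user_path):
    """Return the resolved path if it stays under root, else raise ValueError."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    root_real = os.path.realpath(root)
    # realpath collapses ../ and follows symlinks, so the comparison is made
    # on the location a later open() would actually touch.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path escapes root: %r" % (user_path,))
    return candidate


def classify(paths):
    """Run safe_join over paths inside a constructed file root (hypothetical layout)."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "srv", "salt")
        os.makedirs(os.path.join(root, "states"))
        os.symlink(base, os.path.join(root, "link"))  # symlink leading out of root
        for path in paths:
            try:
                safe_join(root, path)
                results[path] = "allowed"
            except ValueError:
                results[path] = "rejected"
    return results


# Constructed sample inputs: two in-root paths, then three escapes.
SAMPLES = ["states/top.sls", "states/../top.sls", "../../etc/shadow",
           "/etc/shadow", "link/outside.txt"]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLES).items():
        print("%-22s %s" % (path, verdict))
```

The absolute path and the symlink case are rejected as well as the ../ case, which is why the check compares resolved paths instead of searching the input string for "..".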
Attack Vector
The attack is network-based and requires an authenticated session with the Salt master. An authenticated attacker can craft malicious requests to the vulnerable methods in the ClearFuncs class, including path traversal sequences in file path parameters. The Salt master processes these requests without proper path sanitization, allowing the attacker to read files from arbitrary locations on the server.
The vulnerability can be chained with CVE-2020-11651 (authentication bypass) for unauthenticated remote exploitation, significantly increasing the attack surface. Exploitation has been observed in the wild, leading to CISA adding this vulnerability to their Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2020-11652
Indicators of Compromise
- Unusual file access patterns on Salt master servers, particularly attempts to read files outside normal Salt directories
- Requests containing path traversal sequences (../, ..%2f, etc.) in Salt master logs
- Unexpected access to sensitive files such as /etc/shadow, /etc/passwd, or Salt configuration files
- Network connections to Salt master ports (4505, 4506) from unauthorized IP addresses
Detection Strategies
- Monitor Salt master logs for requests containing directory traversal patterns
- Implement file integrity monitoring on critical Salt configuration directories
- Deploy network intrusion detection rules for known Salt exploitation patterns
- Analyze authentication logs for suspicious or unauthorized Salt master access
- Review outbound network traffic from Salt infrastructure for signs of data exfiltration
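One way to implement the log check for traversal patterns, as an added example that is not taken from Salt or from any vendor rule set: the scanner percent-decodes each token repeatedly so that ../, ..%2f and double-encoded forms all normalise before matching. The log line layout and the src=/path= field names are constructed for the example and are not Salt's actual log format.

```python
import re
from urllib.parse import unquote

# A ".." path component delimited by a slash/backslash or the token edge.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Files this page names as targets of unexpected access.
SENSITIVE = ("/etc/shadow", "/etc/passwd")
TOKEN_SPLIT = re.compile(r"[\s'\"=,\[\]{}()]+")


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so nested encodings are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return the sorted reasons a log line is suspicious (empty if none)."""
    reasons = set()
    for token in TOKEN_SPLIT.split(line):
        plain = decode_fully(token)
        if TRAVERSAL.search(plain):
            reasons.add("traversal")
        if any(name in plain for name in SENSITIVE):
            reasons.add("sensitive-file")
    return sorted(reasons)


def scan_log(text):
    """Return (line_number, reasons) for every suspicious line in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        reasons = scan_line(line)
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed sample log; format and field names are assumptions.
SAMPLE_LOG = """\
2020-05-02 03:14:07 master: req src=10.0.0.5 path='states/top.sls'
2020-05-02 03:14:09 master: req src=203.0.113.7 path='../../../../etc/shadow'
2020-05-02 03:14:10 master: req src=203.0.113.7 path='..%2f..%2fetc%2fpasswd'
2020-05-02 03:14:11 master: req src=203.0.113.7 path='%252e%252e%252fpki%252fmaster.pem'
2020-05-02 03:14:12 master: req src=203.0.113.7 path='/etc/shadow'
2020-05-02 03:14:13 master: job 20200502031412 still running...
"""
```

The trailing ellipsis on the last line is not flagged because the pattern requires ".." to be a whole path component.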
Monitoring Recommendations
- Enable verbose logging on Salt master servers to capture detailed request information
- Configure SIEM alerts for path traversal patterns in Salt-related log entries
- Monitor access to Salt master configuration files and the /srv/salt/ directory hierarchy
- Track authentication events and privilege usage on Salt infrastructure
- Implement network segmentation monitoring to detect lateral movement from compromised Salt servers
How to Mitigate CVE-2020-11652
Immediate Actions Required
- Update SaltStack Salt to version 2019.2.4 or later (for 2019.x branch) or 3000.2 or later (for 3000.x branch)
- Restrict network access to Salt master ports (4505, 4506) using firewall rules
- Audit Salt master configurations and review file access permissions
- Check for signs of compromise including unauthorized file access or configuration changes
- Rotate any credentials or keys that may have been exposed through exploitation
Patch Information
SaltStack has released patched versions addressing this vulnerability. Users should upgrade to Salt version 2019.2.4 or 3000.2 or later, depending on their release branch. Detailed release notes and upgrade instructions are available in the SaltStack Release Notes 2019.2.4 and SaltStack Release Notes 3000.2. Multiple downstream vendors including Debian, Ubuntu, openSUSE, Cisco, VMware, and BlackBerry have released security advisories and patches for their affected products.
Workarounds
- Implement strict firewall rules to limit access to Salt master ports only from trusted minion IP addresses
- Deploy a VPN or bastion host architecture to restrict direct network access to Salt infrastructure
- Enable Salt authentication and ensure proper key management for all minions
- Consider temporarily disabling the Salt master service if patching cannot be performed immediately
- Use network segmentation to isolate Salt infrastructure from untrusted networks
```bash
# Example firewall configuration to restrict Salt master access
# Allow only specific minion IPs to connect to Salt master ports
iptables -A INPUT -p tcp --dport 4505 -s <trusted_minion_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 4506 -s <trusted_minion_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 4505 -j DROP
iptables -A INPUT -p tcp --dport 4506 -j DROP
```


