CVE-2020-16846: SaltStack Salt RCE Vulnerability

CVE-2020-16846 Overview

CVE-2020-16846 is a critical shell injection vulnerability discovered in SaltStack Salt through version 3002. The vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands by sending specially crafted web requests to the Salt API when the SSH client feature is enabled. This command injection flaw (CWE-78) represents a severe security risk for organizations using SaltStack Salt for infrastructure automation and configuration management.

Critical Impact
This vulnerability enables unauthenticated remote code execution through shell injection in the Salt API, allowing complete system compromise. CISA has added this vulnerability to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

Affected Products

SaltStack Salt through version 3002 (including versions 3001, 3002, and earlier)
Debian Linux 9.0 and 10.0
Fedora 31
openSUSE Leap 15.1

Discovery Timeline

November 3, 2020 - SaltStack publicly disclosed CVE-2020-16846 along with two other CVEs
November 6, 2020 - CVE-2020-16846 published to NVD
November 7, 2025 - Last updated in NVD database

Technical Details for CVE-2020-16846

Vulnerability Analysis

This shell injection vulnerability exists in SaltStack Salt's REST API implementation when the SSH client functionality is enabled. The flaw stems from improper input validation and sanitization of user-supplied data within API requests. When an attacker sends a crafted web request to the Salt API endpoint, the malicious input is passed directly to shell commands without adequate escaping or validation, enabling arbitrary command execution on the underlying operating system.

The vulnerability is particularly dangerous because it can be exploited remotely over the network without requiring any authentication credentials. The Salt API, designed to provide programmatic access to Salt functionality, becomes a direct attack vector when SSH client features are active. Successful exploitation grants attackers the same privileges as the Salt master process, which typically runs with elevated permissions.

Root Cause

The root cause of CVE-2020-16846 is improper neutralization of special elements used in an OS command (CWE-78). The Salt API fails to properly sanitize input parameters before incorporating them into shell commands executed via the SSH client functionality. User-controlled data containing shell metacharacters (such as semicolons, pipes, backticks, or command substitution syntax) is processed without escaping, allowing attackers to break out of the intended command context and inject arbitrary commands.

Attack Vector

The attack vector for this vulnerability is network-based, targeting the Salt API's HTTP/HTTPS endpoints. An attacker can exploit this vulnerability by:

Identifying exposed Salt API instances with SSH client functionality enabled
Crafting malicious HTTP requests containing shell injection payloads in vulnerable parameters
Sending the crafted requests to the Salt API endpoint
The injected commands execute on the Salt master server with its associated privileges

The vulnerability requires no authentication, no user interaction, and has low attack complexity, making it highly exploitable. Attackers can achieve full system compromise, including data exfiltration, lateral movement, and persistent backdoor installation.

Technical details regarding the specific exploitation methodology can be found in the Packet Storm Exploit Report and the Zero Day Initiative Advisory ZDI-20-1379.

Detection Methods for CVE-2020-16846

Indicators of Compromise

Unexpected process executions spawned by the Salt master process or salt-api service
Anomalous outbound network connections originating from Salt infrastructure servers
Suspicious command patterns in system logs containing shell metacharacters (;, |, $(), backticks)
Unusual HTTP requests to Salt API endpoints with encoded or obfuscated payloads in request parameters

Detection Strategies

Monitor Salt API access logs for requests containing shell metacharacters or encoded injection payloads
Implement network intrusion detection rules to identify exploitation attempts targeting Salt API endpoints
Deploy endpoint detection solutions to monitor for anomalous child processes spawned by Salt services
Review authentication logs for unexpected API access patterns or requests from untrusted IP addresses

Monitoring Recommendations

Enable comprehensive logging for Salt API requests including full request bodies and parameters
Configure SIEM alerts for command injection attack patterns targeting Salt infrastructure
Implement baseline monitoring of Salt master process behavior to detect deviation from normal operations
Monitor for indicators of post-exploitation activity such as new user creation, SSH key installation, or cron job modifications

How to Mitigate CVE-2020-16846

Immediate Actions Required

Upgrade SaltStack Salt to a patched version immediately (versions released after November 3, 2020)
If immediate patching is not possible, disable the Salt API or restrict access to trusted networks only
Audit Salt infrastructure for signs of compromise before and after patching
Implement network segmentation to limit exposure of Salt API endpoints

Patch Information

SaltStack released security patches addressing CVE-2020-16846 on November 3, 2020. Organizations should update to patched versions as documented in the SaltStack CVEs Disclosure Blog. Updated packages are also available through distribution repositories:

Debian: Security advisory DSA-4837 and Debian LTS announcements
Fedora: Package updates available
openSUSE: Security announcement
Gentoo: GLSA 202011-13

Workarounds

Disable the Salt API service entirely if not required for operations (systemctl stop salt-api && systemctl disable salt-api)
Configure firewall rules to restrict Salt API access to trusted management networks only
Disable SSH client functionality in Salt configuration if not actively used
Place Salt API endpoints behind a reverse proxy with strict input validation and web application firewall rules

bash

# Restrict Salt API access via firewall (iptables example)
# Allow Salt API access only from trusted management subnet
iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP

# Disable Salt API service if not required
systemctl stop salt-api
systemctl disable salt-api

CVE-2020-16846 Overview

Critical Impact
This vulnerability enables unauthenticated remote code execution through shell injection in the Salt API, allowing complete system compromise. CISA has added this vulnerability to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

Affected Products

SaltStack Salt through version 3002 (including versions 3001, 3002, and earlier)
Debian Linux 9.0 and 10.0
Fedora 31
openSUSE Leap 15.1

Discovery Timeline

November 3, 2020 - SaltStack publicly disclosed CVE-2020-16846 along with two other CVEs
November 6, 2020 - CVE-2020-16846 published to NVD
November 7, 2025 - Last updated in NVD database

Technical Details for CVE-2020-16846

Vulnerability Analysis

Root Cause

Attack Vector

The attack vector for this vulnerability is network-based, targeting the Salt API's HTTP/HTTPS endpoints. An attacker can exploit this vulnerability by:

Identifying exposed Salt API instances with SSH client functionality enabled
Crafting malicious HTTP requests containing shell injection payloads in vulnerable parameters
Sending the crafted requests to the Salt API endpoint
The injected commands execute on the Salt master server with its associated privileges

Technical details regarding the specific exploitation methodology can be found in the Packet Storm Exploit Report and the Zero Day Initiative Advisory ZDI-20-1379.

Detection Methods for CVE-2020-16846

Indicators of Compromise

Unexpected process executions spawned by the Salt master process or salt-api service
Anomalous outbound network connections originating from Salt infrastructure servers
Suspicious command patterns in system logs containing shell metacharacters (;, |, $(), backticks)
Unusual HTTP requests to Salt API endpoints with encoded or obfuscated payloads in request parameters

Detection Strategies

Monitor Salt API access logs for requests containing shell metacharacters or encoded injection payloads
Implement network intrusion detection rules to identify exploitation attempts targeting Salt API endpoints
Deploy endpoint detection solutions to monitor for anomalous child processes spawned by Salt services
Review authentication logs for unexpected API access patterns or requests from untrusted IP addresses

Monitoring Recommendations

Enable comprehensive logging for Salt API requests including full request bodies and parameters
Configure SIEM alerts for command injection attack patterns targeting Salt infrastructure
Implement baseline monitoring of Salt master process behavior to detect deviation from normal operations
Monitor for indicators of post-exploitation activity such as new user creation, SSH key installation, or cron job modifications

How to Mitigate CVE-2020-16846

Immediate Actions Required

Upgrade SaltStack Salt to a patched version immediately (versions released after November 3, 2020)
If immediate patching is not possible, disable the Salt API or restrict access to trusted networks only
Audit Salt infrastructure for signs of compromise before and after patching
Implement network segmentation to limit exposure of Salt API endpoints

Patch Information

Debian: Security advisory DSA-4837 and Debian LTS announcements
Fedora: Package updates available
openSUSE: Security announcement
Gentoo: GLSA 202011-13

Workarounds

Disable the Salt API service entirely if not required for operations (systemctl stop salt-api && systemctl disable salt-api)
Configure firewall rules to restrict Salt API access to trusted management networks only
Disable SSH client functionality in Salt configuration if not actively used
Place Salt API endpoints behind a reverse proxy with strict input validation and web application firewall rules

bash

# Restrict Salt API access via firewall (iptables example)
# Allow Salt API access only from trusted management subnet
iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP

# Disable Salt API service if not required
systemctl stop salt-api
systemctl disable salt-api

CVE-2020-16846: SaltStack Salt RCE Vulnerability

CVE-2020-16846 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2020-16846

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2020-16846

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2020-16846

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2020-16846: SaltStack Salt RCE Vulnerability

CVE-2020-16846 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2020-16846

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2020-16846

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2020-16846

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform