CVE-2021-21996 Overview
An issue was discovered in SaltStack Salt before version 3003.3 that allows an attacker with control of the source and source_hash URLs to gain full file system access as root on a salt minion. This vulnerability represents a significant security risk for organizations using SaltStack Salt for infrastructure automation and configuration management, as it could allow a low-privileged attacker to escalate to root-level access on managed systems.
Critical Impact
Attackers with control over source and source_hash URL parameters can achieve full root file system access on salt minions, potentially compromising entire infrastructure automation deployments.
Affected Products
- SaltStack Salt versions before 3003.3
- Fedora 33, 34, and 35
- Debian Linux 9.0, 10.0, and 11.0
Discovery Timeline
- 2021-09-08 - CVE-2021-21996 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-21996
Vulnerability Analysis
This vulnerability exists in the file state handling mechanism of SaltStack Salt. The core issue lies in how the Salt minion processes external source URLs and their corresponding hash verification parameters. When an attacker has control over both the source URL and the source_hash URL parameters, they can manipulate the file retrieval process to access arbitrary files on the system with root privileges.
Salt minions run with elevated privileges so that they can perform system configuration tasks. An attacker who controls both parameters exploits the trust relationship between source URL handling and hash verification to bypass the intended security controls and use the minion's root access to read, write, or execute files anywhere on the file system.
Root Cause
The root cause of CVE-2021-21996 is insufficient validation and trust boundary enforcement when handling user-controlled source and source_hash URL parameters. The Salt minion fails to properly restrict or validate the origins and contents of these URLs, allowing an attacker who can influence these parameters to direct the minion to process malicious content or access unintended file paths with root privileges.
Attack Vector
The attack requires network access and low privileges (an authenticated user, or control over certain Salt state configurations). The attacker must be able to influence or control the source and source_hash URLs used in Salt state files or pillar data. Once these parameters are controlled, the attacker can:
- Specify malicious source URLs that point to attacker-controlled content
- Provide corresponding hash values that pass verification
- Leverage the Salt minion's root execution context to access or modify arbitrary files
The attack complexity is considered high as it requires specific preconditions to be met, including control over the URL parameters within the Salt infrastructure.
Detection Methods for CVE-2021-21996
Indicators of Compromise
- Unexpected file access patterns on salt minions originating from salt-minion processes
- Suspicious source or source_hash URLs in Salt state files pointing to external or unusual locations
- Log entries indicating file operations in sensitive directories initiated through Salt state execution
- Unusual network connections from salt minion processes to external hosts
Detection Strategies
- Monitor Salt state files and pillar data for external or suspicious source and source_hash URL patterns
- Implement file integrity monitoring on salt minions to detect unauthorized file modifications
- Review Salt master and minion logs for unusual state execution patterns or file operations
- Deploy network monitoring to detect salt minion connections to unauthorized external sources
Monitoring Recommendations
- Enable verbose logging on Salt minions to capture detailed file operation records
- Implement SIEM rules to alert on Salt state executions involving external URLs
- Monitor for privilege escalation indicators on systems running salt minions
- Establish baseline behavior for Salt infrastructure and alert on deviations
How to Mitigate CVE-2021-21996
Immediate Actions Required
- Upgrade SaltStack Salt to version 3003.3 or later immediately
- Audit all Salt state files and pillar data for external source and source_hash URL references
- Restrict network access for salt minions to only required internal resources
- Review and limit user permissions for modifying Salt state files and pillar data
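As an added example (not from the advisory or the Salt project), the audit step above and the "monitor state files for suspicious source/source_hash URL patterns" detection strategy can be automated with a small scanner. It walks the lines of a state file, picks out `source` and `source_hash` values, and flags any remote URL that is not HTTPS or whose host is outside an allowlist you define; the sample state file and the trusted host are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample state file; hosts and paths are illustrative only.
SAMPLE_SLS = """\
nginx_conf:
  file.managed:
    - name: /etc/nginx/nginx.conf
    - source: salt://nginx/files/nginx.conf
    - source_hash: salt://nginx/files/nginx.conf.sha256

agent_binary:
  file.managed:
    - name: /usr/local/bin/agent
    - source: https://downloads.example.net/agent
    - source_hash: http://203.0.113.10/agent.sha256
    - mode: 755

vendor_tool:
  file.managed:
    - name: /opt/tool
    - source: https://mirror.internal.example.com/tool.tgz
    - source_hash: sha256=deadbeef
"""

# Assumption: only this internal mirror is allowed to serve remote sources.
TRUSTED_HOSTS = {"mirror.internal.example.com"}
REMOTE_SCHEMES = {"http", "https", "ftp"}
# Matches "- source: value" or "source_hash: value" at any indentation.
KEY_RE = re.compile(r"^\s*-?\s*(source|source_hash)\s*:\s*(\S+)")


def scan_sls(text, trusted_hosts=TRUSTED_HOSTS):
    """Return (line_no, key, value, reason) for each suspicious entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        parsed = urlparse(value)
        if parsed.scheme not in REMOTE_SCHEMES:
            continue  # salt://, local paths and literal digests are fine
        reasons = []
        if parsed.scheme != "https":
            reasons.append("non-TLS scheme")
        if parsed.hostname not in trusted_hosts:
            reasons.append("host not in allowlist")
        if reasons:
            findings.append((lineno, key, value, "; ".join(reasons)))
    return findings
```

Run it over every .sls file under file_roots and pillar_roots, and treat any finding whose key is source_hash as higher priority, since the hash source is what the verification step trusts.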
Patch Information
SaltStack has released security updates addressing this vulnerability in version 3003.3 and later. Organizations should consult the Salt Project Security Advisory for detailed patch information and upgrade guidance. Additionally, Linux distributions have released security updates:
Workarounds
- Restrict Salt state file modifications to trusted administrators only until patches are applied
- Implement strict input validation for any user-controlled data that influences Salt state execution
- Use Salt's file_roots and pillar_roots configurations to limit source locations to trusted internal repositories
- Consider implementing network segmentation to isolate Salt infrastructure from external threats
# Verify current SaltStack Salt version
salt --version
# Update SaltStack Salt on Debian/Ubuntu
apt-get update && apt-get install salt-minion salt-master
# Update SaltStack Salt on RHEL/CentOS
yum update salt-minion salt-master
# Restart Salt services after update
systemctl restart salt-minion
systemctl restart salt-master
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.