CVE-2021-25282 Overview
CVE-2021-25282 is a critical directory traversal vulnerability in SaltStack Salt before version 3002.5. It lies in the salt.wheel.pillar_roots.write wheel function, which joined a caller-supplied path onto a configured pillar root without confirming that the result stayed inside that root, so anyone able to call the function could write arbitrary content to arbitrary locations on the Salt Master. On its own the function is reachable by any principal permitted to invoke wheel modules; combined with the salt-api authentication bypass fixed in the same release (CVE-2021-25281, in which the wheel_async client did not honor eauth credentials), it was exploitable remotely without authentication. The impact is to the integrity and availability of the master and, through it, of the infrastructure it manages.
Critical Impact
Remote attackers, unauthenticated when the flaw is chained with the salt-api wheel_async authentication bypass from the same release, can write arbitrary files on Salt Master servers, potentially leading to complete system compromise, remote code execution, or denial of service across managed infrastructure.
Affected Products
- SaltStack Salt versions prior to 3002.5
- Fedora 32, 33, and 34
- Debian Linux 9.0, 10.0, and 11.0
Discovery Timeline
- 2021-02-25 - SaltStack releases security advisory
- 2021-02-27 - CVE-2021-25282 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-25282
Vulnerability Analysis
This directory traversal vulnerability affects the Salt Master's wheel system, specifically the pillar_roots.write function, which writes a file into one of the directories configured under pillar_roots for a given saltenv. The function accepted the caller-controlled path argument without adequate validation, so traversal sequences such as ../ could escape the intended pillar root directory.
When exploited, an attacker can write arbitrary content to any location on the filesystem writable by the Salt Master process, which typically runs as root. This can result in overwriting critical configuration files, injecting malicious code into executable locations, or disrupting system operations.
The vulnerability is particularly dangerous because it can be chained with other Salt vulnerabilities disclosed in the same security release, notably the salt-api wheel_async authentication bypass (CVE-2021-25281), to achieve unauthenticated remote code execution on Salt infrastructure: an arbitrary file write as root on the master is enough to plant cron jobs, SSH keys, or state and pillar content that the master itself renders.
Root Cause
The root cause of CVE-2021-25282 is insufficient input validation in the salt.wheel.pillar_roots.write function. It accepts a path argument from the wheel call but does not verify that the path, once joined onto the selected pillar root and normalized, still lies within that directory. Traversal sequences embedded in the path are processed literally, allowing directory escape.
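The pattern described above, and the containment check it was missing, as an added illustration (this is not Salt's code; it mirrors only the argument names of the public wheel function, data, path, saltenv and index, and the shape of the pillar_roots master option). dest_unsafe() models the vulnerable join-and-trust behaviour; dest_safe() resolves both sides and requires the target to remain under the root. The absolute-path case is shown because os.path.join silently discards the root when the second component is absolute, a second escape that a naive join permits; it is included as a general point about the pattern, not as a claim about the original Salt function.

```python
"""Path containment for a pillar_roots-style write (added illustration).

dest_unsafe() models the pattern behind CVE-2021-25282: the caller-supplied
path is joined onto the configured pillar root and used as-is. dest_safe()
adds the containment check such a function needs. Neither is Salt's code.
"""
import os
import tempfile

# Constructed pillar_roots mapping in the shape of the master config option
# (pillar_roots: {base: [/srv/pillar]}); the directory need not exist.
DEFAULT_PILLAR_ROOTS = {"base": ["/srv/pillar"]}


def dest_unsafe(path, pillar_roots=DEFAULT_PILLAR_ROOTS, saltenv="base", index=0):
    """Vulnerable pattern: join and trust. '../' walks out of the root, and an
    absolute path makes os.path.join discard the root entirely."""
    return os.path.join(pillar_roots[saltenv][index], path)


def dest_safe(path, pillar_roots=DEFAULT_PILLAR_ROOTS, saltenv="base", index=0):
    """Hardened variant: resolve both root and target, then require the target
    to be the root or a descendant of it. Symlinks are resolved as well, so a
    link inside the root that points outside is also rejected."""
    root = os.path.realpath(pillar_roots[saltenv][index])
    dest = os.path.realpath(os.path.join(root, path))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"{path!r} resolves to {dest}, outside pillar root {root}")
    return dest


def write_pillar_file(data, path, pillar_roots=DEFAULT_PILLAR_ROOTS, saltenv="base", index=0):
    """Write data to path under the selected pillar root, refusing escapes."""
    dest = dest_safe(path, pillar_roots, saltenv, index)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "w", encoding="utf-8") as fh:
        fh.write(data)
    return dest


def demo():
    """Exercise both variants against a throw-away root; returns a result map."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        roots = {"base": [tmp]}
        results["benign"] = write_pillar_file("role: web\n", "web/app.sls", roots)
        for bad in ("../../root/.ssh/authorized_keys",
                    "/etc/cron.d/backdoor",
                    "web/../../outside.sls"):
            try:
                dest_safe(bad, roots)
                results[bad] = "allowed"
            except ValueError:
                results[bad] = "rejected"
        # What the unchecked join would have produced for the same inputs
        results["unsafe_relative"] = dest_unsafe("../../root/.ssh/authorized_keys", roots)
        results["unsafe_absolute"] = dest_unsafe("/etc/cron.d/backdoor", roots)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares realpath() results rather than looking for the substring "..", so "web/../db/pg.sls" (which stays inside the root) is accepted while "web/../../outside.sls" is refused, and percent-encoding or symlink tricks do not help the caller because the comparison happens on the resolved filesystem path.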
Attack Vector
The attack can be executed remotely over the network, either through the Salt API (salt-api) or directly against the Salt Master's request port using the wheel client. An attacker crafts a call to the pillar_roots.write wheel function with traversal sequences in the path argument and attacker-controlled data; the Salt Master processes the request and writes that content to an arbitrary filesystem location.
The vulnerability enables attackers to:
- Write SSH authorized keys for persistent access
- Overwrite configuration files to disable security controls
- Plant malicious scripts in cron directories or startup locations
- Corrupt system binaries or libraries to cause denial of service
For detailed technical analysis and proof-of-concept information, refer to the Packet Storm Exploit Analysis.
Detection Methods for CVE-2021-25282
Indicators of Compromise
- Unexpected file modifications outside of normal pillar root directories on Salt Master systems
- Salt API requests invoking pillar_roots.write (client wheel or wheel_async) whose path argument contains traversal sequences (../, including percent-encoded forms) or is absolute
- New or modified files in sensitive directories such as /root/.ssh/, /etc/cron.d/, or /etc/salt/
- Salt Master process writing to unusual filesystem locations
Detection Strategies
- Monitor Salt API and Master logs for wheel calls to pillar_roots.write whose path argument contains traversal sequences or is absolute; decode percent-encoding before matching
- Implement file integrity monitoring (FIM) on Salt Master servers to detect unauthorized file modifications
- Deploy network intrusion detection signatures to identify exploitation attempts targeting Salt services
- Review Salt Master audit logs for anomalous pillar_roots.write invocations with suspicious path parameters
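The log review described in the strategies above, as an added example (not part of the original page or of Salt). The records are constructed for illustration in the shape of a rest_cherrypy /run lowstate body (client, fun, and arguments either as top-level keys or under kwarg); they are not captured traffic. The detector keys on the function name, decodes percent-encoding, normalizes the path, and flags any call whose path would leave the pillar root, so it catches "../" chains and absolute paths while ignoring a path like "web/../db/pg.sls" that stays inside.

```python
"""Flag salt-api wheel calls to pillar_roots.write whose path escapes the root.

Added example. The request records are constructed, one JSON body per line,
as a log shipper might emit them; field names follow the rest_cherrypy
lowstate format (client / fun / kwarg or top-level arguments).
"""
import json
import posixpath
from urllib.parse import unquote

SAMPLE_REQUESTS = """\
{"client": "wheel", "fun": "pillar_roots.write", "kwarg": {"path": "web/app.sls", "data": "role: web"}}
{"client": "wheel_async", "fun": "pillar_roots.write", "kwarg": {"path": "../../../root/.ssh/authorized_keys", "data": "ssh-ed25519 AAAA... attacker"}}
{"client": "wheel", "fun": "pillar_roots.write", "path": "..%2F..%2Fetc%2Fcron.d%2Fjob", "data": "* * * * * root id"}
{"client": "wheel", "fun": "pillar_roots.write", "kwarg": {"path": "/etc/salt/master.d/evil.conf", "data": "..."}}
{"client": "wheel", "fun": "pillar_roots.write", "kwarg": {"path": "web/../db/pg.sls", "data": "..."}}
{"client": "wheel", "fun": "key.list_all"}
{"client": "local", "tgt": "*", "fun": "test.ping"}
"""


def normalize(path):
    """Undo up to two layers of percent-encoding and treat backslashes as
    separators, so encoded or Windows-style traversal is not missed."""
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/")


def escapes_root(path):
    """True if path, interpreted relative to a pillar root, would end outside it."""
    p = normalize(path)
    if posixpath.isabs(p):
        return True
    norm = posixpath.normpath(p)
    return norm == ".." or norm.startswith("../")


def audit(lines):
    """Return (line_no, client, normalized_path) for each pillar_roots.write
    call with an escaping path; unparseable lines are reported as well."""
    findings = []
    for n, line in enumerate(lines.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, "unparseable", line))
            continue
        if rec.get("fun") != "pillar_roots.write":
            continue
        if rec.get("client") not in ("wheel", "wheel_async"):
            continue
        # Arguments may sit at the top level of the lowstate or under kwarg.
        path = rec.get("path")
        if path is None:
            path = (rec.get("kwarg") or {}).get("path", "")
        if escapes_root(str(path)):
            findings.append((n, rec["client"], normalize(str(path))))
    return findings


if __name__ == "__main__":
    for line_no, client, path in audit(SAMPLE_REQUESTS):
        print(f"line {line_no}: {client} pillar_roots.write -> {path}")
```

On the constructed input the audit flags lines 2, 3 and 4 (the relative traversal, the percent-encoded traversal passed as a top-level argument, and the absolute path) and leaves the two benign writes and the unrelated calls alone. In production the same function can be pointed at salt-api access logs or a request-body capture from the reverse proxy in front of the API.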
Monitoring Recommendations
- Enable comprehensive logging for all Salt API and wheel function calls
- Configure alerts for any file write operations outside designated pillar directories
- Monitor Salt Master process activity for unexpected child processes or network connections
- Regularly audit filesystem permissions and ownership on Salt Master servers
How to Mitigate CVE-2021-25282
Immediate Actions Required
- Upgrade SaltStack Salt to version 3002.5 or later (or the corresponding point release for your deployment branch) immediately
- Restrict network access to Salt Master and Salt API services using firewall rules
- Review Salt Master filesystem for signs of unauthorized file modifications
- Audit Salt API authentication configuration and disable unnecessary access
Patch Information
SaltStack has released patched versions addressing CVE-2021-25282 and related vulnerabilities. Organizations should upgrade to Salt version 3002.5 or the latest available release for their deployment branch. The official Salt Project CVE Release provides detailed upgrade instructions and affected version information.
Distribution-specific patches are available:
- Debian Security Advisory DSA-5011
- Gentoo GLSA 202103-01
- Fedora package updates via the standard repository channels
Workarounds
- Implement strict network segmentation to limit access to Salt Master services to trusted management networks only
- Configure external authentication mechanisms with strong access controls for the Salt API
- Disable the Salt API if not required for operations
- Deploy Web Application Firewall (WAF) rules in front of the Salt API to filter requests containing path traversal patterns, bearing in mind that traversal sequences can be percent-encoded and that this is a stopgap, not a substitute for the upgrade
# Restrict Salt API access (default rest_cherrypy port 8000) to a management network
iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
# The master's publish and request ports (4505/4506) must stay reachable from minions;
# limit them to the minion networks rather than leaving them open to the Internet
iptables -A INPUT -p tcp -m multiport --dports 4505,4506 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 4505,4506 -j DROP
# Verify the installed Salt version (fixed: 3002.5, or the point release for your branch)
salt --version
# Update Salt on Debian/Ubuntu (install --only-upgrade upgrades just the named packages)
apt-get update && apt-get install --only-upgrade salt-master salt-minion
# Update Salt on RHEL/CentOS
yum update salt-master salt-minion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.