Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2021-25282

CVE-2021-25282: SaltStack Salt Path Traversal Flaw

CVE-2021-25282 is a path traversal vulnerability in SaltStack Salt affecting versions before 3002.5. Attackers can exploit the salt.wheel.pillar_roots.write method to access unauthorized directories.

Published:

CVE-2021-25282 Overview

CVE-2021-25282 is a critical directory traversal vulnerability discovered in SaltStack Salt before version 3002.5. The vulnerability exists in the salt.wheel.pillar_roots.write method, which fails to properly sanitize file path inputs, allowing attackers to write arbitrary files to locations outside the intended directory structure. This flaw can be exploited remotely without authentication to compromise the integrity and availability of affected systems.

Critical Impact

Unauthenticated remote attackers can exploit this directory traversal vulnerability to write arbitrary files on Salt Master servers, potentially leading to complete system compromise, remote code execution, or denial of service across managed infrastructure.

Affected Products

  • SaltStack Salt versions prior to 3002.5
  • Fedora 32, 33, and 34
  • Debian Linux 9.0, 10.0, and 11.0

Discovery Timeline

  • 2021-02-25 - SaltStack releases security advisory
  • 2021-02-27 - CVE-2021-25282 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-25282

Vulnerability Analysis

This directory traversal vulnerability affects the Salt Master's wheel system, specifically the pillar_roots.write method responsible for managing pillar data files. The method accepts user-controlled file path parameters without adequate validation, enabling path traversal sequences (such as ../) to escape the intended pillar root directory.

When exploited, an attacker can write arbitrary content to any location on the filesystem accessible by the Salt Master process, which typically runs with elevated privileges. This can result in overwriting critical configuration files, injecting malicious code into executable locations, or disrupting system operations.

The vulnerability is particularly dangerous because it can be chained with other Salt vulnerabilities disclosed in the same security release to achieve unauthenticated remote code execution on Salt infrastructure.

Root Cause

The root cause of CVE-2021-25282 is insufficient input validation in the salt.wheel.pillar_roots.write method. The function accepts a file path parameter from API requests but fails to properly sanitize or validate that the resulting path remains within the designated pillar root directory. Path traversal sequences embedded in the filename parameter are processed literally, allowing directory escape.

Attack Vector

The attack can be executed remotely over the network against the Salt API or Salt Master service. An attacker crafts a malicious request to the pillar_roots.write wheel function, embedding path traversal sequences in the filename parameter. The Salt Master processes this request and writes the attacker-controlled content to an arbitrary filesystem location.

The vulnerability enables attackers to:

  • Write SSH authorized keys for persistent access
  • Overwrite configuration files to disable security controls
  • Plant malicious scripts in cron directories or startup locations
  • Corrupt system binaries or libraries to cause denial of service

For detailed technical analysis and proof-of-concept information, refer to the Packet Storm Exploit Analysis.

Detection Methods for CVE-2021-25282

Indicators of Compromise

  • Unexpected file modifications outside of normal pillar root directories on Salt Master systems
  • Suspicious API requests to wheel.pillar_roots.write containing path traversal sequences (../)
  • New or modified files in sensitive directories such as /root/.ssh/, /etc/cron.d/, or /etc/salt/
  • Salt Master process writing to unusual filesystem locations

Detection Strategies

  • Monitor Salt API and Master logs for requests containing path traversal patterns in wheel function calls
  • Implement file integrity monitoring (FIM) on Salt Master servers to detect unauthorized file modifications
  • Deploy network intrusion detection signatures to identify exploitation attempts targeting Salt services
  • Review Salt Master audit logs for anomalous pillar_roots.write invocations with suspicious path parameters

Monitoring Recommendations

  • Enable comprehensive logging for all Salt API and wheel function calls
  • Configure alerts for any file write operations outside designated pillar directories
  • Monitor Salt Master process activity for unexpected child processes or network connections
  • Regularly audit filesystem permissions and ownership on Salt Master servers

How to Mitigate CVE-2021-25282

Immediate Actions Required

  • Upgrade SaltStack Salt to version 3002.5 or later immediately
  • Restrict network access to Salt Master and Salt API services using firewall rules
  • Review Salt Master filesystem for signs of unauthorized file modifications
  • Audit Salt API authentication configuration and disable unnecessary access

Patch Information

SaltStack has released patched versions addressing CVE-2021-25282 and related vulnerabilities. Organizations should upgrade to Salt version 3002.5 or the latest available release for their deployment branch. The official Salt Project CVE Release provides detailed upgrade instructions and affected version information.

Distribution-specific patches are available:

Workarounds

  • Implement strict network segmentation to limit access to Salt Master services to trusted management networks only
  • Configure external authentication mechanisms with strong access controls for the Salt API
  • Disable the Salt API if not required for operations
  • Deploy Web Application Firewall (WAF) rules to filter requests containing path traversal patterns
bash
# Restrict Salt API access using iptables
iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP

# Verify current Salt version
salt --version

# Update Salt on Debian/Ubuntu
apt-get update && apt-get upgrade salt-master salt-minion

# Update Salt on RHEL/CentOS
yum update salt-master salt-minion

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.