CVE-2024-38824 Overview
CVE-2024-38824 is a directory traversal vulnerability in SaltStack Salt. The flaw resides in the recv_file method, which fails to validate file paths supplied by minions. An attacker can submit crafted path components to write arbitrary files into the Salt master's cache directory. Because the Salt master trusts files placed in its cache for distribution and execution workflows, this primitive can be abused to overwrite legitimate cached artifacts. The vulnerability is classified under CWE-22 (Path Traversal) and is exploitable over the network without authentication or user interaction. SaltStack addressed the issue in Salt versions 3006.12 and 3007.4.
Critical Impact
Network-accessible attackers can write arbitrary files to the Salt master cache directory, compromising the integrity of orchestration data and enabling tampering with files served to managed minions.
Affected Products
- SaltStack Salt versions prior to 3006.12
- SaltStack Salt versions prior to 3007.4 in the 3007.x branch
- Salt master deployments exposing the publish or request server interface
Discovery Timeline
- 2025-06-13 - CVE-2024-38824 published to NVD
- 2025-07-10 - Last updated in NVD database
Technical Details for CVE-2024-38824
Vulnerability Analysis
The vulnerability exists in the Salt master's recv_file handler. This method accepts file transfer requests and writes received content into the master cache directory. The handler does not normalize or constrain the destination path before performing the write operation. As a result, path components such as .. traverse outside the intended cache subdirectory. An attacker controlling or impersonating a minion can place files at attacker-chosen locations within the master cache hierarchy. The CWE-22 classification reflects the absence of canonicalization checks on the path argument. EPSS data indicates a 0.378% probability of exploitation within the next 30 days.
Root Cause
The root cause is missing input validation on file path arguments passed to recv_file. The function concatenates caller-supplied path elements with the master cache root without verifying that the resolved path stays within the intended directory. Salt did not apply path canonicalization or boundary checks before invoking the underlying write operation.
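The join-without-boundary-check pattern described above, next to a contained version, as an added example (this is not Salt's code or the vendor patch). The directory layout, function names and sample inputs are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed layout for illustration only: <cache_root>/minions/<minion_id>/files/<path>

def naive_dest(cache_root, minion_id, rel_path):
    """Flawed pattern: join caller-supplied parts onto the root and trust the result."""
    return os.path.join(cache_root, "minions", minion_id, "files", rel_path)

def contained_dest(cache_root, minion_id, rel_path):
    """Canonicalize first, then require the result to stay inside the minion's directory."""
    if minion_id in ("", ".", "..") or any(c in minion_id for c in "/\\\x00"):
        raise ValueError("invalid minion id")
    if not rel_path or "\x00" in rel_path or os.path.isabs(rel_path):
        raise ValueError("invalid path")
    base = os.path.realpath(os.path.join(cache_root, "minions", minion_id, "files"))
    # realpath collapses ".." and resolves symlinks in the components that exist
    dest = os.path.realpath(os.path.join(base, rel_path))
    if dest == base or os.path.commonpath([base, dest]) != base:
        raise ValueError("path escapes the cache subdirectory")
    return dest

def is_rejected(cache_root, minion_id, rel_path):
    try:
        contained_dest(cache_root, minion_id, rel_path)
        return False
    except ValueError:
        return True

def demo():
    """Build a throwaway cache tree and run both functions on constructed inputs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        base = os.path.join(root, "minions", "web01", "files")
        os.makedirs(base)
        os.symlink(root, os.path.join(base, "link"))  # symlink leading out of base
        crafted = "../../db01/files/app.conf"         # constructed sample input
        naive = os.path.normpath(naive_dest(root, "web01", crafted))
        return {
            "naive": os.path.relpath(naive, root),  # lands in another minion's tree
            "ok": os.path.relpath(contained_dest(root, "web01", "etc/app.conf"), root),
            "dotdot": is_rejected(root, "web01", crafted),
            "absolute": is_rejected(root, "web01", "/tmp/app.conf"),
            "symlink": is_rejected(root, "web01", "link/app.conf"),
            "bad_id": is_rejected(root, "../web01", "app.conf"),
        }

if __name__ == "__main__":
    print(demo())
```

The containment check only holds if the write then opens the same canonical path that was validated.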
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. A remote attacker that can reach the Salt master's request server, or a compromised minion authorized to interact with the master, sends a file transfer request containing traversal sequences in the target filename. The master writes the supplied content to the resolved location inside its cache directory. Because Salt distributes files from this cache to managed minions, the attacker can poison artifacts used in subsequent orchestration runs. See the Salt Project Release Notes 3007.4 for technical context.
Detection Methods for CVE-2024-38824
Indicators of Compromise
- Unexpected files appearing in the Salt master cache directory, typically /var/cache/salt/master/, with timestamps not aligned to legitimate orchestration activity
- File paths in master logs containing .. traversal sequences or absolute paths in recv_file calls
- Modifications to cached state files, pillar data, or minion artifacts without a corresponding administrative action
Detection Strategies
- Audit Salt master logs (/var/log/salt/master) for recv_file entries referencing unusual path components or oversized payloads
- Apply file integrity monitoring to the master cache directory tree to flag writes that bypass normal Salt workflows
- Inspect network telemetry on Salt request server ports (default 4506) for unauthenticated or unexpected client connections
Monitoring Recommendations
- Forward Salt master logs to a centralized logging platform and alert on recv_file invocations containing path separators in the filename argument
- Baseline the contents of the master cache directory and trigger alerts on out-of-band file creation
- Track minion authentication events and correlate file transfer activity with legitimate state runs
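One way to baseline the master cache directory and flag out-of-band changes, as an added example that is not part of the original advisory or of Salt. The skipped jobs subdirectory, the function names and the sample tree are assumptions constructed for the demonstration; on a real master, point snapshot() at the cache directory (typically /var/cache/salt/master/).

```python
import hashlib
import os
import tempfile

def snapshot(cache_dir, skip=("jobs",)):
    """Map relative path -> SHA-256 for every file under cache_dir.
    Symlinks are recorded by target, never followed. `skip` lists top-level
    subdirectories expected to churn (assumed value; tune per deployment)."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(cache_dir, followlinks=False):
        if dirpath == cache_dir:
            dirnames[:] = [d for d in dirnames if d not in skip]
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, cache_dir)
            if os.path.islink(full):
                state[rel] = "symlink:" + os.readlink(full)
            else:
                with open(full, "rb") as fh:
                    state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state

def diff_snapshots(baseline, current):
    """Return paths created, changed or deleted since the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed cache tree: baseline it, simulate out-of-band writes, diff."""
    with tempfile.TemporaryDirectory() as cache:
        _write(cache, "minions/web01/files/app.conf", b"port=8080\n")
        _write(cache, "jobs/ab/return.p", b"job-1")
        baseline = snapshot(cache)
        _write(cache, "minions/web01/files/app.conf", b"port=9090\n")  # changed
        _write(cache, "minions/db01/files/new.conf", b"x")            # unexpected
        _write(cache, "jobs/cd/return.p", b"job-2")                    # normal churn
        return diff_snapshots(baseline, snapshot(cache))
```

Store the baseline off the master so that a writer with access to the cache cannot also rewrite the reference.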
How to Mitigate CVE-2024-38824
Immediate Actions Required
- Upgrade Salt master installations to version 3006.12, 3007.4, or later, as published in the vendor advisories
- Restrict network exposure of the Salt master request server (4506) and publish interface (4505) to known minion subnets only
- Review the Salt master cache directory for unexpected files and remove any artifacts that cannot be attributed to legitimate state runs
Patch Information
SaltStack released fixed builds, documented in the Salt Project Release Notes 3006.12 and the Salt Project Release Notes 3007.4. The patches add path validation to the recv_file handler to ensure that resolved destinations remain within the master cache directory. Operators running earlier 3006.x or 3007.x builds should plan upgrades immediately.
Workarounds
- Place the Salt master behind a network access control list that permits only authorized minion IP ranges
- Rotate minion keys and revoke any keys that cannot be tied to a managed asset before upgrading
- Enforce host-based file integrity monitoring on the master cache directory until the patched release is deployed
# Example: verify installed Salt version and upgrade on a Debian-based master
salt --version
sudo apt-get update && sudo apt-get install --only-upgrade salt-master
sudo systemctl restart salt-master


