CVE-2022-22935 in Salt

Summary

by MITRE • 03/29/2022

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by impersonating a master.


Analysis

by VulDB Data Team • 09/06/2025

CVE-2022-22935 is a critical authentication denial-of-service flaw in SaltStack Salt, a widely deployed configuration management and automation platform. It affects versions prior to 3002.8, 3003.4 and 3004.1, so any organization running Salt for infrastructure automation on those releases is exposed. The flaw lies in the minion authentication mechanism, the component that establishes trust between Salt minions and the master. An attacker in a man-in-the-middle position can impersonate the legitimate master and thereby disrupt the operation of minions that are trying to authenticate.

The root cause is insufficient validation on the minion side of the authentication exchange. Under normal operation a minion connects to its master through an authentication flow built on key exchange and verification. The flaw lets a malicious actor interfere with that flow by presenting forged master responses that the minion accepts as legitimate. The minion then abandons its connection attempts and stops, producing a denial-of-service condition that persists until an operator intervenes. Because the problem sits at the protocol level where authentication responses and connection state are validated, it undermines the trust model that Salt relies on for secure remote execution.

The operational impact goes beyond a single stopped process. Organizations that depend on Salt for critical automation face downtime when minions become unresponsive: configuration updates, software deployments and monitoring tasks all stall until the minions are restarted. Exploitation requires a MiTM position, so the vulnerability is most relevant on networks where minion-to-master traffic is not properly encrypted or authenticated, for example environments with unencrypted channels or weak network segmentation. The flaw affects the availability leg of the CIA triad and can cause cascading failures in automated infrastructure where many minions depend on the master for coordination.

Mitigation combines immediate patching with operational hardening. Upgrade to Salt 3002.8, 3003.4 or 3004.1 (or later on each branch) to close the authentication flaw. Network administrators should also enforce encryption of all Salt communications using TLS 1.2 or higher to remove the MiTM opportunity. The vulnerability is mapped to CWE-308 and to ATT&CK technique T1072 (software deployment tools), which underlines the need to protect automation platforms as high-value targets. Network segmentation should restrict which hosts can reach the minion-to-master channel, and sound certificate and key management should ensure that only authorized entities can present themselves as a master. Regular audits of Salt configurations and monitoring for unusual authentication patterns, such as minions unexpectedly dropping off after a failed authentication, help detect exploitation attempts before they cause significant disruption.
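The upgrade advice above is branch-specific: a release is fixed only if it is at or above the first patched version on its own branch. The following inventory check is an added example, not VulDB's or the Salt project's code; it assumes Salt version strings of the form shown (`3004`, `3004.1`, `2019.2.8`) and that `salt --version` prints `salt <version>`.

```python
import re
from typing import Optional, Tuple

# First fixed release on each affected branch, as stated in the advisory.
FIXED = {3002: 8, 3003: 4, 3004: 1}


def parse_version(text: str) -> Tuple[int, int]:
    """Parse a Salt version string such as '3004', '3004.1' or '2019.2.8'
    into (major, minor). A bare major (e.g. '3004') means minor 0; a
    trailing suffix such as 'rc1' is ignored."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Salt version: {text!r}")
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) is not None else 0
    return major, minor


def is_vulnerable(text: str) -> bool:
    """Return True when the release predates the fix for CVE-2022-22935.

    Branches 3002, 3003 and 3004 are fixed from the minor in FIXED onward;
    anything older than 3002 never received the fix; anything newer than
    3004 was released after the fix."""
    major, minor = parse_version(text)
    if major in FIXED:
        return minor < FIXED[major]
    return major < min(FIXED)


def check_salt_version_output(output: str) -> Optional[bool]:
    """Classify the output of `salt --version` (assumed format 'salt 3004.1').
    Returns None when no version can be found in the output."""
    m = re.search(r"\b(\d{4}(?:\.\d+)*)", output)
    return is_vulnerable(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed sample inventory, one `salt --version` line per host.
    inventory = {
        "web-01": "salt 3004",
        "web-02": "salt 3004.1",
        "db-01": "salt 3002.7",
        "legacy-01": "salt 2019.2.8",
    }
    for host, line in inventory.items():
        state = check_salt_version_output(line)
        print(f"{host}: {'VULNERABLE' if state else 'patched'}")
```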

Reservation: 01/10/2022

Disclosure: 03/29/2022

Moderation: accepted

CPE: ready

EPSS: 0.01586

KEV: no

Activities: very low
