CVE-2022-22941 in SaltStack Salt

Summary

by MITRE • 03/29/2022

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion.


Analysis

by VulDB Data Team • 04/01/2022

CVE-2022-22941 is an authorization bypass in the publisher_acl enforcement of SaltStack Salt. It is only reachable in the Master-of-Masters architecture, where a top-level master publishes jobs to one or more Syndic masters that in turn control their own minions. Versions before 3002.8, 3003.4 and 3004.1 are affected, so every supported release branch at the time needed a fix. The root cause is in target validation: when the Master-of-Masters checks a publisher_acl entry against the requested target, it resolves the target only against the minions it knows about directly, and a target that lives entirely behind a Syndic resolves to nothing.

The logic error is in how that empty result is treated. The publisher_acl check asks whether every minion matched by the target is one the user may reach with the requested function. Minions attached to a Syndic are not in the Master-of-Masters' own minion list, so for a target that only matches such minions the set of resolved minions is empty. Instead of treating "no resolvable targets" as a denial, the master treated it as "no minion failed the check", published the job, and the Syndic then forwarded it to every minion under its control that matched the target. The effect is that a user whose publisher_acl entry limits them to, say, test.ping on web servers can run that same function against any minion behind the Syndic. The function restriction still holds; it is the target restriction that is bypassed. That is still a clear least-privilege failure: the access control the operator configured on the Master-of-Masters silently does not apply to the part of the fleet reached through the Syndic.
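To make the empty-result mistake concrete, here is an added, simplified model of the check (illustrative code written for this page, not Salt's own implementation). The minion inventory, the publisher_acl entry and the minion names are constructed; the shape of publisher_acl (user, then target pattern, then allowed functions) follows the Salt master config. The vulnerable variant only requires that every resolved minion is permitted, which is vacuously true for an empty set; the fixed variant refuses anything the master cannot resolve.

```python
import fnmatch

# Constructed inventory: minions the Master-of-Masters knows about directly.
# Minions attached to the Syndic (e.g. "legacy01.syndic.example") are
# deliberately absent, which is the situation the flaw depends on.
LOCAL_MINIONS = {"web01.mom.example", "web02.mom.example", "db01.mom.example"}

# Constructed publisher_acl in the same shape as the master config:
# user -> {target pattern: [allowed functions]}.
PUBLISHER_ACL = {
    "deploy": {"web*": ["test.ping", "state.apply"]},
}


def resolve_target(tgt, known_minions):
    """Glob-expand a job target against the minions this master can see."""
    return {m for m in known_minions if fnmatch.fnmatch(m, tgt)}


def acl_permits(user, fun, minion):
    """True if some publisher_acl entry for `user` covers both minion and function."""
    for tgt_pattern, funs in PUBLISHER_ACL.get(user, {}).items():
        if fnmatch.fnmatch(minion, tgt_pattern) and any(
            fnmatch.fnmatch(fun, f) for f in funs
        ):
            return True
    return False


def check_publish_vulnerable(user, tgt, fun, known_minions=LOCAL_MINIONS):
    """Pre-fix shape of the check: every *resolved* minion must be permitted.

    If the target resolves to nothing (it only matches minions behind the
    Syndic), there is no minion to fail the check. all() over an empty set
    is True, so the publish is allowed and the Syndic fans it out.
    """
    if user not in PUBLISHER_ACL:
        return False
    resolved = resolve_target(tgt, known_minions)
    return all(acl_permits(user, fun, m) for m in resolved)


def check_publish_fixed(user, tgt, fun, known_minions=LOCAL_MINIONS):
    """Fixed shape: an empty resolution is a denial, not a pass.

    The master can only vouch for minions it can enumerate; anything it
    cannot resolve is refused instead of forwarded.
    """
    if user not in PUBLISHER_ACL:
        return False
    resolved = resolve_target(tgt, known_minions)
    if not resolved:
        return False
    return all(acl_permits(user, fun, m) for m in resolved)


if __name__ == "__main__":
    # A target reachable only through the Syndic: the old check lets it through.
    print(check_publish_vulnerable("deploy", "legacy01.syndic.example", "state.apply"))
    print(check_publish_fixed("deploy", "legacy01.syndic.example", "state.apply"))
```

Note that the fix is deliberately conservative: a Master-of-Masters that cannot enumerate a Syndic's minions cannot evaluate an ACL for them, so "deny on empty" is the only safe default, even though it means the ACL cannot be used to delegate targets behind a Syndic at all.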

Operationally, the risk is confined to Master-of-Masters deployments but is large there, because the Syndic tier is exactly where big fleets are attached. The attacker is not anonymous: exploitation needs an account that is already listed in publisher_acl on the Master-of-Masters, so the realistic threat is a compromised or malicious delegated operator, for example a CI service account allowed to run state.apply against one group of hosts. Such an account can push its permitted functions to every minion behind the Syndic, and if those functions include anything that applies states or runs shell commands, that is code execution across the whole Syndic-managed fleet and a direct lateral-movement path. Without a Syndic, or without publisher_acl on the Master-of-Masters, the flaw is not reachable; with both, the narrowest ACL the operator wrote is, for the Syndic's minions, not enforced at all.

Remediation is to upgrade to 3002.8, 3003.4, 3004.1 or later. The flawed check runs on the Master-of-Masters, so that node is the priority, although Syndic nodes should be brought to the same release. Until the upgrade lands, review every Master-of-Masters configuration: list the users in publisher_acl, confirm which of them genuinely need to publish through a Syndic, and remove entries that do not. Watch the master's job cache and event bus for publisher_acl users issuing jobs to minions outside their intended scope, since a job from a restricted user landing on a Syndic minion is the signature of this bug. The weakness is CWE-284 (Improper Access Control): the check existed, but its handling of the empty-result case inverted the default from deny to allow. In ATT&CK terms the outcome is privilege escalation and lateral movement from an already-authenticated, limited account to the wider fleet. Network segmentation between the Master-of-Masters and the Syndic does not prevent this, because the malicious job travels over the legitimate master-to-syndic channel, but it still bounds what a compromised minion can reach afterwards.
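An added audit helper (written for this page, not from VulDB or the Salt project) that applies the remediation advice above: given a Master-of-Masters config loaded as a dict and the output of salt --versions-report, it decides whether the host sits in the affected version range and has the configuration that makes the flaw reachable. The config keys order_masters and publisher_acl are the real Salt master settings; the fixed-version table comes from the advisory text; the sample config and version report are constructed here.

```python
import re

# Fixed releases per affected branch, taken from the advisory text.
# Anything older than 3002 received no fix; 3005 and later shipped after it.
FIXED_BY_BRANCH = {3002: (3002, 8), 3003: (3003, 4), 3004: (3004, 1)}


def parse_salt_version(text):
    """Return (major, minor) from a `salt --versions-report` dump or a bare
    version string, or None if no Salt version can be found."""
    m = re.search(r"^\s*Salt:\s*(\d{4})(?:\.(\d+))?", text, re.MULTILINE)
    if not m:
        m = re.fullmatch(r"\s*(\d{4})(?:\.(\d+))?\s*", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def version_is_affected(version):
    """True if this release predates the fix on its branch."""
    major, minor = version
    if major < 3002:
        return True
    if major in FIXED_BY_BRANCH:
        return (major, minor) < FIXED_BY_BRANCH[major]
    return False


def audit_master(config, version_text):
    """Findings for one master: exposure needs an affected version AND a
    Master-of-Masters (order_masters) AND a non-empty publisher_acl."""
    findings = []
    version = parse_salt_version(version_text)
    if version is None:
        findings.append("could not determine Salt version")
        return findings
    if not version_is_affected(version):
        return findings
    is_mom = bool(config.get("order_masters"))
    acl = config.get("publisher_acl") or {}
    if is_mom and acl:
        findings.append(
            "EXPOSED to CVE-2022-22941: Master-of-Masters on %d.%d with "
            "publisher_acl for users %s" % (version[0], version[1], sorted(acl))
        )
    else:
        findings.append(
            "affected version %d.%d but no Master-of-Masters publisher_acl; "
            "not exposed to CVE-2022-22941, upgrade anyway" % version
        )
    return findings


# Constructed sample inputs.
SAMPLE_MOM_CONFIG = {
    "order_masters": True,
    "publisher_acl": {"deploy": {"web*": ["test.ping", "state.apply"]}},
}
SAMPLE_VERSIONS_REPORT = "Salt Version:\n  Salt: 3004\n\nDependency Versions:\n  Python: 3.8.10\n"

if __name__ == "__main__":
    for line in audit_master(SAMPLE_MOM_CONFIG, SAMPLE_VERSIONS_REPORT):
        print(line)
```

The version line is matched before any bare four-digit number so that build dates elsewhere in the report (for example in the Python line) are not mistaken for a Salt release.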

Reservation

01/10/2022

Disclosure

03/29/2022

Moderation

accepted

CPE

ready

EPSS

0.01315

KEV

no

Activities

very low
