Official patches for previous versions can be requested at: https://www.saltstack.com/lp/request-patch-april-2020/

⚠ Patches here are custom, and may differ from official ones ⚠

Backported security patches for unsupported salt versions

Patches in this repo address the following CVEs:

• CVE-2020-11651 & CVE-2020-11652 - https://labs.f-secure.com/advisories/saltstack-authorization-bypass

Additionally include the following bugfixes:

• fix typo _minion_runner -> minion_runner. See: https://docs.saltstack.com/en/latest/topics/releases/3000.2.html#known-issue
• fix type _find_file_and_stat -> _find_hash_and_stat. See https://github.com/rossengeorgiev/salt-security-backports/issues/1
• removal of run_func from whitelist
• missing import salt.utils.verify

Above fixed are included in latest release of SaltStack, specifically v2019.2.5 and v3000.3.

Check if your salt-master is vulnerable

Check script needs to be ran locally on your salt-master as root

python salt-cve-check.py

Example output for Salt 2017.7.8:

[+] Salt version: 2017.7.8
[ ] This version of salt is vulnerable! Check results below
[+] Checking salt-master (127.0.0.1:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[+] Checking if vulnerable to CVE-2020-11652 (read_token)... YES
[+] Checking if vulnerable to CVE-2020-11652 (read)... YES
[+] Checking if vulnerable to CVE-2020-11652 (write1)... YES
[+] Checking if vulnerable to CVE-2020-11652 (write2)... YES

Applying the patches

# locate the salt package directory (use python3 if necessary)

python -c "import imp; print(imp.find_module('salt')[1])"

# in my case: /usr/lib/python2.7/dist-packages/salt
# apply patches
# (adding -b flag will backup file before modifications at same path with .orig suffix)
# (patch can be reversed running the same command with -R flag)

patch -p2 -d /usr/lib/python2.7/dist-packages/salt < 2017.7.8_CVE-2020-11651.patch
patch -p2 -d /usr/lib/python2.7/dist-packages/salt < 2017.7.8_CVE-2020-11652.patch

# restart salt-master

systemctl restart salt-master
# or
service salt-master restart

Rerun the check script:

user@salt # python salt-cve-check.py
[+] Salt version: 2017.7.8
[ ] This version of salt is vulnerable! Check results below
[+] Checking salt-master (127.0.0.1:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... NO
[+] Checking if vulnerable to CVE-2020-11652 (read_token)... NO
[+] Checking if vulnerable to CVE-2020-11652 (read)... NO
[+] Checking if vulnerable to CVE-2020-11652 (write1)... NO
[+] Checking if vulnerable to CVE-2020-11652 (write2)... NO