
CVE-2020-16846: SaltStack Salt Command Injection in netapi ssh client

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.99967%
Published: 5/24/2022
Updated: 10/22/2024
KEV Status: Yes
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected packages

Package  Ecosystem  Vulnerable Versions           First Patched Version
salt     pip        < 2015.8.13                   2015.8.13
salt     pip        >= 2016.3.0, < 2016.3.8       2016.3.8
salt     pip        >= 2016.11.0, < 2016.11.10    2016.11.10
salt     pip        >= 2017.5.0, < 2017.7.8       2017.7.8
salt     pip        >= 2018.2.0, < 2018.3.5       2018.3.5
salt     pip        >= 2019.2.0, < 2019.2.6       2019.2.6
salt     pip        >= 3000.0, < 3000.4           3000.4
salt     pip        >= 3001, < 3001.2             3001.2
salt     pip        >= 3002, < 3002.1             3002.1

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from improper neutralization of user-controlled parameters in the Salt API's SSH client (the rest_cherrypy netapi module). Multiple ZDI advisories (ZDI-20-1379 through ZDI-20-1383) explicitly identify parameters such as ssh_priv, tgt, ssh_options, ssh_port, and ssh_remote_port_forwards as injection vectors: the functions handling API requests incorporated these values into SSH command strings without sanitization. The SaltStack release notes for the patched versions confirm that the fix validates these inputs. The functions in the rest_cherrypy module that process these parameters are therefore the primary points of vulnerability.
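As an added illustration (this is not Salt's code and not part of the Miggo analysis), the pair of builders below models the bug class described above: request parameters interpolated into a single shell command string, next to a hardened version that validates each field and hands an argv list to subprocess without a shell. The function names, regular expressions, option allowlist, key path and sample request values are all assumptions made for this example.

```python
"""Hypothetical SSH command construction: unsafe string interpolation versus
validated argv construction. Added example; names and rules are illustrative
and do not reproduce Salt's actual rest_cherrypy code."""
import re
import subprocess

# Target: no leading '-', so it can never be parsed by ssh as an option.
_TGT_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._@-]{0,252}$")
# Only a fixed set of ssh -o options, each with a conservative value syntax.
_ALLOWED_OPTIONS = {"StrictHostKeyChecking", "ConnectTimeout", "UserKnownHostsFile"}
_OPT_VALUE_RE = re.compile(r"^[A-Za-z0-9._/-]{1,256}$")
# Private key: absolute path made of plain path characters.
_PRIV_PATH_RE = re.compile(r"^/[A-Za-z0-9._/-]{1,4095}$")


def build_ssh_command_unsafe(tgt, ssh_port, ssh_priv, ssh_options=()):
    """The vulnerable shape: every request parameter lands in one shell
    string. Returned for contrast only; never executed in this example."""
    opts = " ".join(f"-o {o}" for o in ssh_options)
    return f"ssh -p {ssh_port} -i {ssh_priv} {opts} {tgt} true"


def build_ssh_argv(tgt, ssh_port, ssh_priv, ssh_options=()):
    """Hardened shape: validate each field, return an argv list (no shell).

    Raises ValueError for anything outside the expected syntax, so a value
    carrying shell metacharacters or an unexpected ssh option is refused
    instead of being passed through."""
    if not isinstance(tgt, str) or not _TGT_RE.match(tgt):
        raise ValueError("invalid target")
    port = int(ssh_port)  # non-numeric input raises ValueError here
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if not isinstance(ssh_priv, str) or not _PRIV_PATH_RE.match(ssh_priv):
        raise ValueError("invalid private key path")
    argv = ["ssh", "-p", str(port), "-i", ssh_priv]
    for opt in ssh_options:
        key, sep, value = str(opt).partition("=")
        if not sep or key not in _ALLOWED_OPTIONS or not _OPT_VALUE_RE.match(value):
            raise ValueError(f"disallowed ssh option: {opt!r}")
        argv += ["-o", f"{key}={value}"]
    argv += [tgt, "true"]
    return argv


def run_ssh_check(tgt, ssh_port, ssh_priv, ssh_options=(), timeout=30):
    """Execute the validated command without a shell; returns the exit code."""
    argv = build_ssh_argv(tgt, ssh_port, ssh_priv, ssh_options)
    return subprocess.run(argv, shell=False, capture_output=True,
                          timeout=timeout).returncode


def validate_request(params):
    """Return (ok, reason) for a dict of API request parameters."""
    try:
        build_ssh_argv(params.get("tgt", ""), params.get("ssh_port", "22"),
                       params.get("ssh_priv", ""), params.get("ssh_options", ()))
    except (ValueError, TypeError) as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    good = {"tgt": "web01.example.test", "ssh_port": "22",
            "ssh_priv": "/tmp/example_key", "ssh_options": ["ConnectTimeout=5"]}
    bad = dict(good, tgt="web01.example.test;extra")
    print(build_ssh_command_unsafe(**bad))   # shows how the value spills out
    print(build_ssh_argv(**good))            # single argv list, no shell
    print(validate_request(bad))             # (False, 'invalid target')
```

The point of the argv form is that even a value the regexes would let through is delivered to ssh as exactly one argument, so the validation layer only has to reason about ssh's own option syntax rather than about the shell.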


WAF Protection Rules

WAF Rule

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
