
SaltStack discloses critical bugs on Election Day

SaltStack has publicly disclosed three vulnerabilities that had been present in Salt for some time. Two of them are rated High or Critical.

One is a shell injection flaw (CVE-2020-16846) that lets an unauthenticated attacker with network access to the Salt API (salt-api) run arbitrary code on an unpatched master via the API's Salt SSH client. Exposure therefore depends on whether salt-api is enabled at all and on which interfaces it listens.

The other two are an authentication bypass (CVE-2020-25592), in which salt-api did not honor eauth credentials for the wheel_async client and so allowed any wheel module to be run on the master, and a permissions flaw (CVE-2020-17490) in Salt's TLS module, which wrote the private keys it generated with world-readable permissions.

Shortly after disclosure, reports emerged on Twitter, with some users calling the vulnerabilities “pretty severe”.

SaltStack gave a heads-up on October 30th, but the timing of full disclosure is notable: it coincides with U.S. Election Day, when attention is elsewhere, which makes it a convenient day to deliver unwelcome news.

As I first reported on BleepingComputer, the fix for the shell injection vulnerability CVE-2020-16846 appears to have existed in Salt’s public GitHub repository since at least August 18th, 2020.

Moreover, some of the Zero-Day Initiative (ZDI) cases referenced in the fixes show original vulnerability reports dating back to June 2020.

The reasons for the gaps between these events are not entirely clear. The timeline, as far as it is publicly visible:

- June 2020: original vulnerability reports for some of the CVEs were filed through the Zero-Day Initiative (these carry ZDI identifiers).
- August 2020 onward: fixes were committed to Salt’s public GitHub repository.
- November 3rd, 2020: full disclosure and release of patched versions.

Users should follow the official SaltStack advisory, released November 3rd, for upgrade guidance and patches. Patches for older versions have also been provided via GitLab.

Because the fixes sat in a public repository for months before the advisory, anyone diffing the code had ample time to work out the underlying bugs; treat any master that is still unpatched as exposed rather than waiting for reports of exploitation.
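The two API-reachable bugs above only matter on masters that actually serve salt-api, and the advisory's remedy is a point-release upgrade or a backported patch. The following is an added example, not code from the SaltStack advisory or the Salt project: it reads a master configuration (as the dict that yaml.safe_load() would produce from /etc/salt/master and master.d/*.conf; the configs embedded here are constructed) and reports whether the rest_cherrypy or rest_tornado netapi module is configured and where it binds, then classifies a Salt version string against the fixed releases. The fixed versions (3002.1, 3001.3, 3000.5), the bind-address key names and the default bind of all interfaces on port 8000 are this example's assumptions; confirm them against the official advisory and your Salt documentation before acting on the output.

```python
"""
Added example, not code from the SaltStack advisory or the Salt project:
check (a) whether salt-api, the network surface for CVE-2020-16846 and
CVE-2020-25592, is configured and where it listens, and (b) whether a
Salt release carries the fixes.

Assumptions, to verify against the official advisory: fixed point
releases are 3002.1, 3001.3 and 3000.5; older branches (e.g. 2019.2.x)
need the separately published backported patches. The master config is
an already-loaded dict (yaml.safe_load() over /etc/salt/master and
master.d/*.conf in practice); the configs below are constructed.
"""
from typing import Dict, List, Tuple

# Assumed fixed release per branch (major version -> first fixed release).
FIXED_VERSIONS: Dict[int, Tuple[int, ...]] = {
    3002: (3002, 1),
    3001: (3001, 3),
    3000: (3000, 5),
}

# netapi modules that make salt-api reachable over the network
NETAPI_MODULES = ("rest_cherrypy", "rest_tornado")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'salt 3001.2', '3002' or '2019.2.5' into a tuple of ints."""
    token = text.strip().split()[-1]  # tolerate a leading 'salt '
    return tuple(int(part) for part in token.split("."))


def version_status(text: str) -> str:
    """Classify a Salt version: 'fixed', 'vulnerable' or 'needs-backport'."""
    ver = parse_version(text)
    major = ver[0]
    if major > max(FIXED_VERSIONS):
        return "fixed"  # branch released after the advisory
    if major not in FIXED_VERSIONS:
        return "needs-backport"  # e.g. 2019.2.x: apply the backported patch
    return "fixed" if ver >= FIXED_VERSIONS[major] else "vulnerable"


def api_exposure(config: dict) -> List[str]:
    """Describe how salt-api is exposed by a master config dict.

    An empty list means no netapi module is configured, so salt-api has
    nothing to serve and the two API-reachable CVEs have no network path.
    """
    findings: List[str] = []
    for module in NETAPI_MODULES:
        section = config.get(module)
        if not isinstance(section, dict):
            continue  # not configured: salt-api will not load this module
        # rest_cherrypy names the bind address 'host', rest_tornado 'address';
        # both are assumed to default to all interfaces on port 8000.
        host = str(section.get("host", section.get("address", "0.0.0.0")))
        port = section.get("port", 8000)
        if host in ("0.0.0.0", "::", ""):
            findings.append(f"{module}: listens on all interfaces, port {port}")
        else:
            findings.append(f"{module}: listens on {host}:{port}")
        if section.get("disable_ssl", False):
            findings.append(f"{module}: disable_ssl is set, eauth credentials travel in clear text")
    return findings


# Constructed sample master configs (not real deployments).
EXPOSED_MASTER = {
    "interface": "0.0.0.0",
    "rest_cherrypy": {"port": 8000, "disable_ssl": True},
    "external_auth": {"pam": {"saltdev": [".*"]}},
}
LOCAL_ONLY_MASTER = {
    "rest_tornado": {"port": 8000, "address": "127.0.0.1", "ssl_crt": "/etc/pki/api/certs/server.crt"},
}
NO_API_MASTER = {"interface": "0.0.0.0", "file_roots": {"base": ["/srv/salt"]}}


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_MASTER), ("local-only", LOCAL_ONLY_MASTER), ("no-api", NO_API_MASTER)):
        print(label, api_exposure(cfg) or ["salt-api not configured"])
    for v in ("salt 3001.2", "3002.1", "3000.5", "2019.2.5", "3003"):
        print(v, "->", version_status(v))
```

A bind on 0.0.0.0 is only the first question; whether the port is reachable from untrusted networks is decided by the host firewall and any reverse proxy in front of salt-api, which this script does not see. Treat "needs-backport" as unpatched until the GitLab patch for that branch has been confirmed applied.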


Ax Sharma

Ax Sharma is a UK-based security researcher, journalist and TV subject matter expert experienced in malware analysis and cybercrime investigations. His areas of interest include open source software security and threat intel analysis. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
