SaltStack Salt rest_cherrypy ssh_port Command Injection Remote Code Execution Vulnerability

ID ZDI-20-1382
Type zdi
Reporter KPC of Trend Micro Zero Day Initiative
Modified 2020-11-26T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on affected installations of SaltStack Salt. Authentication is not required to exploit this vulnerability. The specific flaw exists within the rest_cherrypy module. When parsing the ssh_port parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the salt-api process.