Skip to main content

CVE-2022-22936: Job publishes and file server replies are susceptible to replay attacks. in SaltStack Salt

High
VulnerabilityCVE-2022-22936cvecve-2022-22936
Published: Tue Mar 29 2022 (03/29/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: SaltStack Salt

Description

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be re-played. A sufficient craft attacker could gain root access on minion under certain scenarios.

AI-Powered Analysis

AILast updated: 07/03/2025, 11:13:09 UTC

Technical Analysis

CVE-2022-22936 is a high-severity vulnerability affecting SaltStack Salt versions prior to 3002.8, 3003.4, and 3004.1. SaltStack Salt is a widely used open-source configuration management and remote execution tool that enables administrators to manage infrastructure at scale. The vulnerability arises from the way Salt handles job publishes and file server replies, which are susceptible to replay attacks. In a replay attack, an adversary intercepts legitimate messages and retransmits them to cause unintended effects. Here, an attacker can replay previously sent job publishes, causing Salt minions (the managed nodes) to execute old jobs repeatedly. Similarly, file server replies can be replayed, potentially leading to unauthorized or unintended file operations. Under certain conditions, a sufficiently skilled attacker exploiting this vulnerability could escalate privileges and gain root access on the minion systems. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, with the attack vector being adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). This means an attacker within the network segment can exploit the vulnerability without authentication or user involvement. The underlying weakness corresponds to CWE-294 (Authentication Bypass by Replay), indicating that the protocol or implementation does not adequately prevent replayed messages from being accepted as valid. This flaw can lead to unauthorized command execution and full system compromise on affected minions, posing a serious risk to managed infrastructure environments relying on SaltStack Salt for automation and orchestration.

Potential Impact

For European organizations, this vulnerability poses significant risks, especially those operating large-scale IT infrastructures, cloud environments, or critical industrial systems managed via SaltStack Salt. Exploitation could allow attackers to execute arbitrary commands on minions, potentially leading to data breaches, service disruptions, or lateral movement within networks. The ability to gain root access on minions could enable attackers to implant persistent backdoors, manipulate configurations, or disrupt operations. This is particularly concerning for sectors such as finance, healthcare, energy, and government, where infrastructure integrity and availability are paramount. Given that SaltStack Salt is often used in automated deployment pipelines and configuration management, successful exploitation could undermine the security of entire IT environments. Additionally, the replay attack nature means that even previously captured legitimate commands can be maliciously reused, complicating detection and response. The lack of known exploits in the wild reduces immediate risk but does not diminish the urgency for remediation, as the vulnerability is straightforward to exploit in adjacent network scenarios without authentication.

Mitigation Recommendations

European organizations should prioritize upgrading SaltStack Salt installations to versions 3002.8, 3003.4, 3004.1 or later, where this vulnerability has been addressed. Until upgrades are applied, organizations should implement network segmentation to restrict access to Salt master and minion communication channels, limiting exposure to trusted hosts only. Employing network-level protections such as VPNs or encrypted tunnels can reduce the risk of message interception and replay. Monitoring and logging Salt job publishes and minion responses for anomalies or repeated identical commands can aid in early detection of replay attempts. Additionally, organizations should review and harden SaltStack configurations to enforce strict authentication and message integrity checks where possible. Deploying host-based intrusion detection systems (HIDS) on minions to detect unusual privilege escalations or command executions can provide an additional security layer. Finally, conducting regular security audits and penetration tests focusing on SaltStack deployments will help identify residual risks and validate mitigation effectiveness.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
vmware
Date Reserved
2022-01-10T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d981ec4522896dcbdbfbb

Added to database: 5/21/2025, 9:08:46 AM

Last enriched: 7/3/2025, 11:13:09 AM

Last updated: 8/16/2025, 1:42:29 PM

Views: 15

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats