CVE-2022-22936: Job publishes and file server replies are susceptible to replay attacks. in SaltStack Salt
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be re-played. A sufficient craft attacker could gain root access on minion under certain scenarios.
AI Analysis
Technical Summary
CVE-2022-22936 is a high-severity vulnerability affecting SaltStack Salt versions prior to 3002.8, 3003.4, and 3004.1. SaltStack Salt is a widely used open-source configuration management and remote execution tool that enables administrators to manage infrastructure at scale. The vulnerability arises from the way Salt handles job publishes and file server replies, which are susceptible to replay attacks. In a replay attack, an adversary intercepts legitimate messages and retransmits them to cause unintended effects. Here, an attacker can replay previously sent job publishes, causing Salt minions (the managed nodes) to execute old jobs repeatedly. Similarly, file server replies can be replayed, potentially leading to unauthorized or unintended file operations. Under certain conditions, a sufficiently skilled attacker exploiting this vulnerability could escalate privileges and gain root access on the minion systems. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, with the attack vector being adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). This means an attacker within the network segment can exploit the vulnerability without authentication or user involvement. The underlying weakness corresponds to CWE-294 (Authentication Bypass by Replay), indicating that the protocol or implementation does not adequately prevent replayed messages from being accepted as valid. This flaw can lead to unauthorized command execution and full system compromise on affected minions, posing a serious risk to managed infrastructure environments relying on SaltStack Salt for automation and orchestration.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially those operating large-scale IT infrastructures, cloud environments, or critical industrial systems managed via SaltStack Salt. Exploitation could allow attackers to execute arbitrary commands on minions, potentially leading to data breaches, service disruptions, or lateral movement within networks. The ability to gain root access on minions could enable attackers to implant persistent backdoors, manipulate configurations, or disrupt operations. This is particularly concerning for sectors such as finance, healthcare, energy, and government, where infrastructure integrity and availability are paramount. Given that SaltStack Salt is often used in automated deployment pipelines and configuration management, successful exploitation could undermine the security of entire IT environments. Additionally, the replay attack nature means that even previously captured legitimate commands can be maliciously reused, complicating detection and response. The lack of known exploits in the wild reduces immediate risk but does not diminish the urgency for remediation, as the vulnerability is straightforward to exploit in adjacent network scenarios without authentication.
Mitigation Recommendations
European organizations should prioritize upgrading SaltStack Salt installations to versions 3002.8, 3003.4, 3004.1 or later, where this vulnerability has been addressed. Until upgrades are applied, organizations should implement network segmentation to restrict access to Salt master and minion communication channels, limiting exposure to trusted hosts only. Employing network-level protections such as VPNs or encrypted tunnels can reduce the risk of message interception and replay. Monitoring and logging Salt job publishes and minion responses for anomalies or repeated identical commands can aid in early detection of replay attempts. Additionally, organizations should review and harden SaltStack configurations to enforce strict authentication and message integrity checks where possible. Deploying host-based intrusion detection systems (HIDS) on minions to detect unusual privilege escalations or command executions can provide an additional security layer. Finally, conducting regular security audits and penetration tests focusing on SaltStack deployments will help identify residual risks and validate mitigation effectiveness.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
CVE-2022-22936: Job publishes and file server replies are susceptible to replay attacks. in SaltStack Salt
Description
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be re-played. A sufficient craft attacker could gain root access on minion under certain scenarios.
AI-Powered Analysis
Technical Analysis
CVE-2022-22936 is a high-severity vulnerability affecting SaltStack Salt versions prior to 3002.8, 3003.4, and 3004.1. SaltStack Salt is a widely used open-source configuration management and remote execution tool that enables administrators to manage infrastructure at scale. The vulnerability arises from the way Salt handles job publishes and file server replies, which are susceptible to replay attacks. In a replay attack, an adversary intercepts legitimate messages and retransmits them to cause unintended effects. Here, an attacker can replay previously sent job publishes, causing Salt minions (the managed nodes) to execute old jobs repeatedly. Similarly, file server replies can be replayed, potentially leading to unauthorized or unintended file operations. Under certain conditions, a sufficiently skilled attacker exploiting this vulnerability could escalate privileges and gain root access on the minion systems. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, with the attack vector being adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). This means an attacker within the network segment can exploit the vulnerability without authentication or user involvement. The underlying weakness corresponds to CWE-294 (Authentication Bypass by Replay), indicating that the protocol or implementation does not adequately prevent replayed messages from being accepted as valid. This flaw can lead to unauthorized command execution and full system compromise on affected minions, posing a serious risk to managed infrastructure environments relying on SaltStack Salt for automation and orchestration.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially those operating large-scale IT infrastructures, cloud environments, or critical industrial systems managed via SaltStack Salt. Exploitation could allow attackers to execute arbitrary commands on minions, potentially leading to data breaches, service disruptions, or lateral movement within networks. The ability to gain root access on minions could enable attackers to implant persistent backdoors, manipulate configurations, or disrupt operations. This is particularly concerning for sectors such as finance, healthcare, energy, and government, where infrastructure integrity and availability are paramount. Given that SaltStack Salt is often used in automated deployment pipelines and configuration management, successful exploitation could undermine the security of entire IT environments. Additionally, the replay attack nature means that even previously captured legitimate commands can be maliciously reused, complicating detection and response. The lack of known exploits in the wild reduces immediate risk but does not diminish the urgency for remediation, as the vulnerability is straightforward to exploit in adjacent network scenarios without authentication.
Mitigation Recommendations
European organizations should prioritize upgrading SaltStack Salt installations to versions 3002.8, 3003.4, 3004.1 or later, where this vulnerability has been addressed. Until upgrades are applied, organizations should implement network segmentation to restrict access to Salt master and minion communication channels, limiting exposure to trusted hosts only. Employing network-level protections such as VPNs or encrypted tunnels can reduce the risk of message interception and replay. Monitoring and logging Salt job publishes and minion responses for anomalies or repeated identical commands can aid in early detection of replay attempts. Additionally, organizations should review and harden SaltStack configurations to enforce strict authentication and message integrity checks where possible. Deploying host-based intrusion detection systems (HIDS) on minions to detect unusual privilege escalations or command executions can provide an additional security layer. Finally, conducting regular security audits and penetration tests focusing on SaltStack deployments will help identify residual risks and validate mitigation effectiveness.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- vmware
- Date Reserved
- 2022-01-10T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d981ec4522896dcbdbfbb
Added to database: 5/21/2025, 9:08:46 AM
Last enriched: 7/3/2025, 11:13:09 AM
Last updated: 8/16/2025, 1:42:29 PM
Views: 15
Related Threats
CVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowCVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.