CVE-2022-22941: Salt Master allows configured users to target any of the minions connected to the syndic with their configured commands in SaltStack Salt
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion.
AI Analysis
Technical Summary
CVE-2022-22941 is a high-severity vulnerability affecting SaltStack Salt, a widely used open-source configuration management and remote execution tool. The flaw exists in versions prior to 3002.8, 3003.4, and 3004.1 when Salt is configured in a Master-of-Masters (MoM) setup with a syndic architecture and publisher Access Control Lists (publisher_acl) enabled. In this architecture, a Master-of-Masters manages multiple subordinate Salt Masters (syndics), which in turn manage minions (client nodes). The vulnerability arises because when a user configured in the publisher_acl attempts to target minions connected to the syndic, the Salt Master incorrectly interprets an invalid or empty target specification as valid. This logic error allows these users to bypass intended permission restrictions and execute commands on any minion connected to the syndic, regardless of the configured target constraints. Exploitation requires that the attacker has at least some privileges granted via publisher_acl on the Master-of-Masters, but no user interaction is needed beyond that. The vulnerability impacts confidentiality, integrity, and availability because unauthorized command execution can lead to data exposure, unauthorized changes, or disruption of services on any minion node. The CVSS 3.1 base score is 8.8 (high), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported to date. The root cause is a CWE-732: Incorrect Permission Assignment for Critical Resource, indicating improper enforcement of access controls in the publisher_acl mechanism within the syndic Master-of-Masters context. This vulnerability is critical for organizations using SaltStack Salt in complex, multi-master environments, especially those relying on fine-grained command targeting and access control to manage large fleets of servers or cloud infrastructure.
Potential Impact
For European organizations, this vulnerability poses significant risks, particularly for enterprises and service providers managing large-scale IT infrastructure with SaltStack Salt in Master-of-Masters configurations. Unauthorized command execution on any minion can lead to widespread compromise, including data breaches, unauthorized configuration changes, and potential service outages. This is especially critical for sectors with stringent data protection requirements such as finance, healthcare, and government, where unauthorized access could violate GDPR and other regulations. The ability to bypass publisher_acl restrictions undermines trust in the access control model, increasing insider threat risks or enabling lateral movement if an attacker gains limited privileges. Given SaltStack's popularity in cloud and hybrid environments, the vulnerability could facilitate attacks on cloud workloads or critical infrastructure components. The lack of known exploits suggests limited active exploitation, but the high severity and ease of exploitation (network accessible, low complexity) mean that threat actors could weaponize this vulnerability rapidly if they gain access to a publisher_acl-configured user account. Therefore, European organizations must prioritize patching and access review to prevent potential compromise and regulatory repercussions.
Mitigation Recommendations
1. Immediate patching: Upgrade SaltStack Salt to versions 3002.8, 3003.4, 3004.1 or later where this vulnerability is fixed.
2. Review and restrict publisher_acl configurations: Limit the number of users with publisher_acl permissions on the Master-of-Masters to only those absolutely necessary, and audit these permissions regularly.
3. Harden Master-of-Masters and syndic communications: Use network segmentation, firewall rules, and strong authentication to restrict access to the Master-of-Masters and syndic masters.
4. Monitor command execution logs: Implement detailed logging and alerting on command executions from publisher_acl users to detect anomalous or unauthorized targeting of minions.
5. Implement multi-factor authentication (MFA) for users with publisher_acl privileges to reduce the risk of credential compromise.
6. Conduct regular security assessments and penetration tests focusing on SaltStack configurations, especially in multi-master environments.
7. If immediate patching is not feasible, consider temporarily disabling publisher_acl or the Master-of-Masters setup until a patch can be applied, understanding the operational impact.
8. Educate administrators on the risks of misconfigured access controls in SaltStack and enforce least privilege principles.
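As a concrete form of recommendation 4 (and of the ACL review in recommendation 2), the following is an added example, not code from SaltStack or from this advisory: it re-checks published jobs against a publisher_acl and flags any job that reached minions outside the user's allowed targets, so a job that the vulnerable Master-of-Masters forwarded to a syndic's minions shows up as an alert. The ACL dict, the job records and their field names are constructed; function patterns are matched as regexes and minion targets as globs, a simplification of Salt's own matcher (which also supports compound targets and argument restrictions).

```python
import re
from fnmatch import fnmatchcase

# Constructed publisher_acl in the layout Salt's master config uses once the
# YAML is loaded: a bare string grants the function on every minion, while a
# mapping restricts the listed functions to minions matching the target glob.
PUBLISHER_ACL = {
    "alice": [{"web*": ["test.ping", "service.*"]}],
    "bob": ["test.ping"],
}

# Constructed job records shaped like a master job-cache load (field names are
# an assumption); db1 is a minion that only the syndic knows about.
SAMPLE_JOBS = [
    {"jid": "1", "user": "alice", "fun": "test.ping", "minions": ["web1", "web2"]},
    {"jid": "2", "user": "alice", "fun": "service.restart", "minions": ["web1", "db1"]},
    {"jid": "3", "user": "bob", "fun": "pkg.install", "minions": ["web1"]},
    {"jid": "4", "user": "alice", "fun": "test.ping", "minions": []},
]


def allowed_globs(acl, user, fun):
    """Minion-id globs on which `user` may publish `fun`, per the ACL."""
    globs = []
    for entry in acl.get(user, []):
        if isinstance(entry, str):
            if re.match(entry, fun):
                globs.append("*")  # function allowed on every minion
        else:
            for tgt, funs in entry.items():
                if any(re.match(f, fun) for f in funs):
                    globs.append(tgt)
    return globs


def audit_job(acl, job):
    """Return a reason string if the job exceeds the ACL, else None."""
    globs = allowed_globs(acl, job["user"], job["fun"])
    if not globs:
        return "function not granted to user by publisher_acl"
    if not job["minions"]:
        # An ACL check that matched nothing must be a denial, never a pass.
        return "published with no permitted targets; should have been rejected"
    outside = [m for m in job["minions"] if not any(fnmatchcase(m, g) for g in globs)]
    if outside:
        return "reached minions outside allowed targets: " + ", ".join(outside)
    return None


def audit_jobs(acl, jobs):
    """List (jid, reason) for every job that should raise an alert."""
    return [(j["jid"], r) for j in jobs if (r := audit_job(acl, j))]
```

Feed it the job-cache loads for jobs published by publisher_acl users; any finding whose reason names a syndic-connected minion is exactly the cross-master targeting this CVE describes.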
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: vmware
- Date Reserved: 2022-01-10T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d981ec4522896dcbdbfc3
Added to database: 5/21/2025, 9:08:46 AM
Last enriched: 7/3/2025, 11:13:30 AM
Last updated: 8/18/2025, 11:30:25 PM