
CVE-2022-22967: PAM auth fails to reject locked accounts in SaltStack Salt

Severity: High
Published: Wed Jun 22 2022 (06/22/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: SaltStack Salt

Description

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, and 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account has since been locked to still run Salt commands. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.

AI-Powered Analysis

Last updated: 07/03/2025, 11:13:46 UTC

Technical Analysis

CVE-2022-22967 is a high-severity vulnerability affecting SaltStack Salt versions prior to 3002.9, 3003.5, and 3004.2. The issue lies in Salt's Pluggable Authentication Module (PAM) integration, which fails to reject accounts that have been locked. Users whose accounts have been administratively locked can therefore continue to execute Salt commands. This affects both local shell accounts with active sessions and salt-api users who authenticate via PAM external authentication (eauth): the PAM integration does not enforce the locked-account status, so command execution continues despite the account restriction.

The vulnerability is classified under CWE-863 (Incorrect Authorization), a failure to properly enforce access control policies. The CVSS v3.1 base score is 8.8 (high): network attack vector, low attack complexity, privileges required, no user interaction, and high confidentiality, integrity, and availability impact. An attacker holding a previously authorized but now locked account could maintain or regain control over SaltStack-managed systems, potentially leading to unauthorized system configuration changes, data exposure, or disruption of services. No exploits in the wild had been reported as of the publication date, but the risk remains significant given the central role Salt plays in infrastructure automation and management.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for enterprises and service providers relying on SaltStack Salt for configuration management and orchestration. The ability for locked accounts to bypass restrictions undermines internal security policies and could facilitate insider threats or lateral movement by attackers who have obtained credentials but whose accounts have been disabled or locked as a mitigation step. This could lead to unauthorized changes in critical infrastructure, data breaches, or service outages. Given the widespread use of SaltStack in sectors such as finance, telecommunications, energy, and government within Europe, exploitation could disrupt essential services and compromise sensitive data. The vulnerability's impact on confidentiality, integrity, and availability is high, potentially affecting compliance with GDPR and other regulatory frameworks. Additionally, the lack of user interaction required for exploitation increases the risk of automated or stealthy attacks.

Mitigation Recommendations

European organizations should prioritize upgrading SaltStack Salt to version 3002.9, 3003.5, 3004.2, or later, where this vulnerability is patched. Until upgrades are applied, implement compensating controls such as:

1) Restricting PAM authentication usage in SaltStack to trusted users only and monitoring for anomalous command executions;
2) Enforcing stricter account management policies, including immediate revocation of credentials and session termination upon account lockout;
3) Implementing network segmentation to limit SaltStack API access to trusted management networks;
4) Enhancing logging and alerting on SaltStack command executions and PAM authentication events to detect suspicious activity;
5) Reviewing and tightening SaltStack user permissions to follow the principle of least privilege;
6) Considering temporarily disabling PAM eauth, if feasible, until patches are applied.

Regular audits of SaltStack user accounts and sessions should be conducted to ensure locked accounts are not active. Finally, organizations should stay informed about any emerging exploits or additional patches related to this vulnerability.
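The audit recommended above, as an added example that is not part of this advisory or of Salt itself: it flags successful Salt PAM eauth logins by accounts that Linux has locked (hash prefixed with `!`) or expired (shadow expire field in the past). The shadow excerpt and the salt-api log lines are constructed, and the log line format is an assumption rather than Salt's real format.

```python
# Added audit example (not from the advisory or Salt): flag successful Salt PAM eauth logins
# by accounts Linux has locked or expired. Sample shadow/log data is constructed; log format is assumed.
import re
from datetime import date

# Constructed /etc/shadow excerpt. Fields: name:hash:lastchg:min:max:warn:inact:expire:
SHADOW = """\
ops:$6$abc$hashhashhash:19500:0:99999:7:::
contractor:!$6$def$hashhashhash:19500:0:99999:7:::
former:$6$ghi$hashhashhash:19000:0:99999:7::19100:
"""

# Constructed salt-api style audit lines (the format is an assumption, not Salt's own).
AUTH_LOG = """\
2022-06-22 10:01:02 salt-api eauth=pam user=ops result=success
2022-06-22 10:03:44 salt-api eauth=pam user=contractor result=success
2022-06-22 10:05:10 salt-api eauth=pam user=former result=success
2022-06-22 10:07:31 salt-api eauth=pam user=nobody result=failure
"""

LOG_RE = re.compile(r"eauth=pam user=(\S+) result=(\w+)")
AUDIT_DAY = (date(2022, 6, 22) - date(1970, 1, 1)).days  # shadow expire field counts days since epoch

def disabled_accounts(shadow_text, today_days):
    """Return {user: reason} for accounts that PAM account management should refuse."""
    disabled = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:
            continue
        name, pw_hash, expire = fields[0], fields[1], fields[7]
        if pw_hash.startswith("!"):  # passwd -l / usermod -L prefix the hash with '!'
            disabled[name] = "locked"
        elif expire and int(expire) < today_days:
            disabled[name] = "expired"
    return disabled

def locked_logins(log_text, disabled):
    """Successful PAM eauth logins by accounts that should have been refused."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) == "success" and m.group(1) in disabled:
            hits.append((m.group(1), disabled[m.group(1)]))
    return hits

if __name__ == "__main__":
    for user, reason in locked_logins(AUTH_LOG, disabled_accounts(SHADOW, AUDIT_DAY)):
        print(f"ALERT: {user} authenticated via salt-api PAM eauth but account is {reason}")
```

On a real host, feed the script the actual shadow file and the master or salt-api log, and treat any hit as a signal that PAM eauth is not honouring lockouts.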


Technical Details

Data Version: 5.1
Assigner Short Name: vmware
Date Reserved: 2022-01-10T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981ec4522896dcbdbfcb

Added to database: 5/21/2025, 9:08:46 AM

Last enriched: 7/3/2025, 11:13:46 AM

Last updated: 7/29/2025, 5:26:00 AM
