May 8, 2020

Playbook for attack on Salt servers

By venkat


Below are for older bug fixes related to CVE-2020-11651

  1. Consider taking down the related servers to investigate the incident and patch vulnerable servers.
  2. Patches for the Salt vulnerabilities have been released earlier this week. Salt servers should normally be deployed behind a firewall and not left exposed on the internet.
  3. SaltStack engineers patched these vulnerabilities in release 3000.2 and users of Salt are encouraged to make sure that their installs are configured to automatically pull updates from SaltStacks repository server, see for more information. A patch release for the previous major release version is also available, with version number 2019.2.4.
  4. Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks.
  5. Have a quick look at related incidents [1][2][3][4]

Technical Details

Understanding your adversary is half battle won. Details at :


  1. Abnormal CPU utilization or servers going down.
  2. The hackers could have installed a backdoor and a cryptocurrency miner on your server.


Technical details

Related Incidents

More references in news