The Salt Exploit
On April 29, SaltStack made releases to Salt v2019.2 and v3000 to fix some CVEs. It turns out, these are pretty serious CVEs. And they’re being exploited in the wild.
Someone is going around and plopping down miners on every Salt minion they can find. saltexploit.com has some of the specifics.
If your Salt Master is exposed to the internet and not up-to-date, you’re not only vulnerable but very likely already exploited.
So far, they’re not doing anything too nefarious, but that could change at any moment. Right now they are merely working your CPUs for all they’re worth, mining cryptocurrency.
The paranoid option is to burn down your infrastructure and rebuild from scratch. There are probably more measured responses, though, especially since you already have configuration management available.
There are people saying “don’t run your master exposed to the internet”. I totally agree with this when it is feasible, but not all infrastructure is shaped this way. Mine, for example: basically no two minions share a LAN, so I would need to deploy some kind of VPN to secure things this way. While a basic server-to-server VPN isn’t too difficult, I then need to manage my VPN settings, and then I either have a dependency loop or a second layer of management.
In general, your Salt Master is the keys to the kingdom, and you should secure it as such. My company, Lumami Software, has published some guidelines for how we set up Salt clusters.