#VU82801 Insufficient verification of data authenticity in Salt - CVE-2022-22935


Vulnerability identifier: #VU82801

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-22935

CWE-ID: CWE-345

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Salt
Web applications / Remote management & hosting panels

Vendor: SaltStack

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper verification of data authenticity. A remote attacker with ability to perform MitM attack can impersonate a master and force a minion process to stop.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Salt: 3002 - 3002.7, 3003 - 3003.3, 3004

External links
https://saltproject.io/security_announcements/salt-security-advisory-release/
https://security.gentoo.org/glsa/202310-22

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for Salt
SUSE update for Security Beta update for SUSE Manager Client Tools
SUSE update for Security Beta update for SUSE Manager Salt Bundle
SUSE update for Security Beta update for SUSE Manager Salt Bundle
SUSE update for Security Beta update for SUSE Manager Salt Bundle
SUSE update for Security Beta update for SUSE Manager Salt Bundle
SUSE update for Security Beta update for SUSE Manager Salt Bundle
SUSE update for Security Beta update for SUSE Manager Client Tools
SUSE update for Security Beta update for SUSE Manager Client Tools
SUSE update for Security Beta update for SUSE Manager Client Tools