Last week a critical vulnerability was discovered affecting Salt Master versions 2019.2.3 and 3000.1 and earlier. SaltStack customers and Salt users who have followed fundamental internet security guidelines and best practices are not affected by this vulnerability. The vulnerability is easily exploitable if a Salt Master is exposed to the open internet.
A scan by the security firm that identified the vulnerability found approximately 6000 Salt Masters exposed to the Internet and vulnerable. These systems in particular, and all Salt environments must be hardened and updated immediately.
Upon learning of the CVE, SaltStack took immediate action to develop and publish patches, and to communicate update instructions to our customers and users. Although there was no initial evidence the CVE had been exploited, we have confirmed that some vulnerable, unpatched systems have been accessed by unauthorized users since the release of the patches.