PT-2017-16377 · Saltstack · Saltstack Salt
Published: 2017-04-02 · Updated: 2022-05-17 · CVE-2017-5192
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SaltStack Salt versions prior to 2015.8.13
SaltStack Salt versions 2016.3.x prior to 2016.3.5
SaltStack Salt versions 2016.11.x prior to 2016.11.2
Description
The vulnerability arises when the local batch client is used from salt-api in SaltStack Salt: external authentication (eauth) is not respected, so all authentication can be bypassed. This allows code execution by already-authenticated users, but only when salt-api is run as the root user. The LocalClient.cmd batch() method client does not accept external auth credentials.
Recommendations
For SaltStack Salt versions prior to 2015.8.13, update to version 2015.8.13 or later.
For SaltStack Salt versions 2016.3.x prior to 2016.3.5, update to version 2016.3.5 or later.
For SaltStack Salt versions 2016.11.x prior to 2016.11.2, update to version 2016.11.2 or later.
As a temporary workaround, consider removing access to the LocalClient.cmd batch() method client from salt-api to prevent code execution for already-authenticated users.
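As an added example (not from this advisory or the SaltStack project), the following Python check parses `salt --version`-style output gathered from several hosts and flags every version that falls inside the three affected ranges listed above. The host-prefixed report format and the host names are constructed for the example; the affected ranges are taken from the advisory.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory: every version before 2015.8.13, the
# 2016.3 branch before 2016.3.5, and the 2016.11 branch before 2016.11.2.
# A "branch" is the (year, month) prefix of a Salt version such as 2016.11.
FIXED_IN = {
    (2016, 3): (2016, 3, 5),
    (2016, 11): (2016, 11, 2),
}
LEGACY_FIX: Version = (2015, 8, 13)   # covers 2015.8 and every older branch


def parse_version(text: str) -> Optional[Version]:
    """Extract YYYY.M.N from a line such as 'salt 2016.11.1 (Carbon)'."""
    m = re.search(r"(\d{4})\.(\d+)\.(\d+)", text)
    if not m:
        return None
    year, month, patch = (int(g) for g in m.groups())
    return (year, month, patch)


def is_affected(version: Version) -> bool:
    """True if the version lies in one of the advisory's affected ranges."""
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    if branch <= (2015, 8):
        return version < LEGACY_FIX
    # Branches newer than those named in the advisory are not listed as affected.
    return False


# Constructed sample: one 'host: <salt --version output>' line per host.
SAMPLE_REPORT = """\
master01: salt 2016.11.1 (Carbon)
master02: salt 2016.11.2 (Carbon)
legacy01: salt 2015.8.12 (Beryllium)
boron01: salt 2016.3.5 (Boron)
old01: salt 2014.7.5 (Helium)
"""


def affected_hosts(report: str) -> List[Tuple[str, str]]:
    """Return (host, version) pairs for hosts running an affected version."""
    hits = []
    for line in report.splitlines():
        host, _, rest = line.partition(":")
        v = parse_version(rest)
        if v is not None and is_affected(v):
            hits.append((host.strip(), ".".join(map(str, v))))
    return hits
```

The version check alone does not confirm exploitability, since the advisory limits the impact to salt-api running as root; treat a hit as a prompt to update per the Recommendations above.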
Weakness Enumeration
Improper Authentication
Related Identifiers
CVE-2017-5192
Affected Products
Alt Linux
Saltstack Salt