Critical severity · NVD Advisory · Published Jan 17, 2020 · Updated Aug 5, 2024

CVE-2019-17361

Description

In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated command injection in Salt's salt-api NET SSH endpoint allows arbitrary code execution on the host, fixed in later releases.

Vulnerability Overview

CVE-2019-17361 is a command injection vulnerability in the salt-api NET API of SaltStack Salt, affecting versions through 2019.2.0. The flaw exists when the SSH client is enabled; the API endpoint fails to properly sanitize user-supplied input, allowing an attacker to inject arbitrary operating system commands. [1] [2]

Exploitation Prerequisites

The vulnerability can be exploited remotely without authentication, provided the attacker has network access to the salt-api endpoint. No prior credentials or special privileges are required. The attacker only needs to craft a malicious request to the NET API that leverages the SSH client functionality to inject commands. [1] [2]

Impact

Successful exploitation enables an unauthenticated remote attacker to execute arbitrary code on the salt-api host. This can lead to full compromise of the server, including data exfiltration, installation of backdoors, or lateral movement within the network. [1] [2]

Mitigation

SaltStack addressed this vulnerability in a later release. Users are strongly advised to upgrade to a patched version of Salt (post-2019.2.0). The official advisory from Ubuntu (USN-4459-1) lists the fix among several other security updates. [2] A workaround is to disable the SSH client in the NET API configuration if upgrading is not immediately possible, though upgrading is the recommended course of action.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
salt (PyPI) | < 2019.2.3 | 2019.2.3

Affected products: 15


References: 9
