CVE-2021-3197

Vulnerability

Overview

CVE-2021-3197 is a shell injection vulnerability found in the SaltStack Salt configuration management framework, specifically in the salt-api's SSH client. The vulnerability exists in versions before 3002.5. An attacker can inject arbitrary shell commands by including a ProxyCommand directive in an SSH argument or via ssh_options provided in an API request [1]. The root cause is insufficient sanitization of user-supplied input that is later passed to a shell, allowing an attacker to break out of the intended command and execute arbitrary system commands.

Exploitation

The attack surface is the salt-api endpoint that handles SSH connections. No authentication is required to exploit this vulnerability; an attacker can send a crafted API request that includes malicious ProxyCommand options or ssh_options values [1]. The injected commands are executed by the SSH client on the Salt master or proxy minion, depending on the deployment. This low-complexity attack can be carried out over the network without any user interaction.

Impact

Successful exploitation grants an attacker unauthenticated remote code execution (RCE) with the privileges of the salt-api process, which is often root or a highly privileged user [1]. This allows the attacker to take full control of the Salt master or any managed systems that the API can reach, leading to a complete compromise of the infrastructure. The vulnerability has been assigned a CVSS score of 9.8 (Critical) due to its network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

Mitigation

The vulnerability is patched in SaltStack Salt version 3002.5 [1]. Users are strongly advised to upgrade immediately. No workarounds have been publicly recommended, and given the critical severity, patching is the only reliable mitigation. The fix ensures that user-supplied SSH options are properly sanitized before being passed to the shell, preventing injection.