
[Bug] Authentication downgrade

Open dwoz opened this issue 1 month ago • 2 comments

What happened?

CVE-2025-62349

Authentication downgrade attack. There's a vulnerability in 3006.12+ and 3007.4+ that allows minion impersonation via a downgrade attack. It is possible to circumvent the fixes for CVE-2024-38822 by using an earlier payload format for Req server messages.

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Attribution: Barney Sowood <[email protected]>

Type of salt install

Official deb

Major version

3006.x

What supported OS are you seeing the problem on? Can select multiple. (If bug appears on an unsupported OS, please open a GitHub Discussion instead)

debian-12

salt --versions-report output

n/a

dwoz avatar Nov 19 '25 06:11 dwoz

Thank you for the fix. There is one documentation issue in #68468 : It is impossible to check the authentication version supported by a given minion version just by looking at the documentation for minimum_auth_version. A table like "authentication version x is supported by release 3004.1 and later, version y is supported by 3006.12 and later" would be extremely helpful in determining if all minions in a mixed-version fleet support any given authentication version.

hailfinger avatar Nov 20 '25 10:11 hailfinger

> Thank you for the fix. There is one documentation issue in #68468 : It is impossible to check the authentication version supported by a given minion version just by looking at the documentation for minimum_auth_version. A table like "authentication version x is supported by release 3004.1 and later, version y is supported by 3006.12 and later" would be extremely helpful in determining if all minions in a mixed-version fleet support any given authentication version.

That is a good thing that needs documentation. For the record, after looking at the commits that introduced the version changes, here is what I found, in case someone wants to add the documentation for it:

- version 3 introduced into 3007: v3007.4
- version 3 introduced into 3006: v3006.12
- version 2 introduced: v3005
- everything before v3005 will count as version 0, since versioning wasn't a thing before that and the payload didn't have versions.

whytewolf avatar Nov 23 '25 21:11 whytewolf
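An added example (not Salt project code and not from any commenter in this thread) that turns the release-to-auth-version mapping above into a fleet check: it reports the strictest minimum_auth_version a mixed-version fleet can be pinned to, and which minion ids would be left behind at a stricter setting. It assumes minimum_auth_version rejects minions that only speak a lower payload version, and that majors after 3007 keep version 3; both are assumptions, not facts from the thread.

```python
# Added example, not part of the Salt project or this issue. Maps each Salt
# release to the payload authentication version reconstructed in the thread
# (v3: 3006.12+ / 3007.4+; v2: 3005+; v0: anything earlier) and reports the
# highest minimum_auth_version a mixed fleet can enforce without locking any
# minion out. ASSUMPTION: majors after 3007 keep speaking v3.
from __future__ import annotations

from typing import Iterable

# branch major -> first patch release that speaks auth v3 (from the thread)
V3_SINCE = {3006: 12, 3007: 4}
V2_SINCE_MAJOR = 3005  # auth v2 arrived with 3005


def parse_version(version: str) -> tuple[int, int]:
    """Return (major, minor) for strings like '3006.12', '3005', '2019.2.8'."""
    parts = version.strip().split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return major, minor


def auth_version(version: str) -> int:
    """Highest payload auth version a minion of this release speaks."""
    major, minor = parse_version(version)
    if major in V3_SINCE:
        return 3 if minor >= V3_SINCE[major] else 2
    if major > max(V3_SINCE):  # ASSUMPTION: later majors keep v3
        return 3
    if major >= V2_SINCE_MAJOR:
        return 2
    return 0  # pre-3005 payloads carried no version field at all


def fleet_min_auth_version(minion_versions: Iterable[str]) -> int:
    """Strictest minimum_auth_version every listed minion can still satisfy."""
    return min(auth_version(v) for v in minion_versions)


def minions_below(minion_versions: dict[str, str], required: int) -> list[str]:
    """Minion ids that would be rejected if minimum_auth_version = required."""
    return sorted(m for m, v in minion_versions.items() if auth_version(v) < required)


if __name__ == "__main__":
    # Constructed sample fleet (minion id -> salt version); not real hosts.
    fleet = {"web1": "3006.12", "web2": "3006.9", "db1": "3007.4", "legacy": "3004.1"}
    print("fleet-wide enforceable minimum_auth_version:", fleet_min_auth_version(fleet.values()))
    print("minions locked out at v3:", minions_below(fleet, 3))
```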