Exposed Salt Servers: How Many Are Left 12 Days In?
On May 1, Saltstack announced two critical vulnerabilities, CVE-2020-11651 and CVE-2020-11652. These vulnerabilities allow an attacker to bypass both authentication and authorization controls to effectively take over anything Saltstack is managing; this includes cloud infrastructure, servers, databases, and in some cases even user endpoints like laptops.
The Censys team has monitored the situation, and this is what we’re seeing:
- On May 1 we found 5,841 exposed and likely vulnerable Salt servers connected to the Internet.
- On May 6, that number went down to 3,722 Salt servers exposed – a 36% reduction in just 5 days.
- Today, May 12, the number stands at 2,928 Salt servers still exposed – a 21% reduction from last week, and a 50% reduction overall since the CVE was announced.
Clearly, in addition to patching, folks began to limit exposure of these servers to the internet, per company guidance.
Censys will continue to monitor and report on the number of exposed Salt Servers.
