Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability
Days after cybersecurity researchers sounded the alarm over two critical vulnerabilities in the SaltStack configuration framework, a hacking campaign has already begun exploiting the flaws to breach servers of LineageOS, Ghost, and DigiCert. Tracked as CVE-2020-11651 and CVE-2020-11652, the disclosed flaws could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. LineageOS source code, OS builds, and signing keys were unaffected, developers said. The issues were fixed by SaltStack in a release published on April 29th.
The LineageOS team said the operating system’s source code was unaffected, and so were any operating system builds, which had already been paused since April 30 because of an unrelated issue. Signing keys, used to authenticate official OS distributions, were also unaffected, as these hosts were kept separate from the main LineageOS infrastructure.
The vulnerabilities could allow an attacker to bypass authentication and authorization controls, “and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root,” F-Secure said last week.
Over the weekend, attacks looking to exploit the two security flaws were observed, with LineageOS, Ghost, and DigiCert being among the first to fall victim.
Servers of the LineageOS Android distribution were hit on Saturday, May 2, with the builds and stats servers still impacted by the outage at the time of writing. In a message posted on Twitter, LineageOS said that signing keys, builds, and source code were not affected by the incident.
Around 8PM PST on May 2nd, 2020 an attacker used a CVE in our saltstack master to gain access to our infrastructure.
We are able to verify that:
– Signing keys are unaffected.
– Builds are unaffected.
– Source code is unaffected.
See https://t.co/85fvp6Gj2h for more info.
— LineageOS (@LineageAndroid) May 3, 2020
Open-source publishing platform Ghost revealed on its status page that attackers managed to gain access to its infrastructure on May 3. Both Ghost(Pro) sites and Ghost.org billing services were affected, but no credit card information was impacted, Ghost said (adding that no credentials are stored in plaintext).
Ghost also confirmed there was no evidence the incident resulted in a compromise of customer data, passwords, or financial information. Both LineageOS and Ghost have since restored their services after taking the servers offline to patch the systems and place them behind a new firewall.
LineageOS developers said the hack took place after the attacker used an unpatched vulnerability to breach its Salt installation. Salt is an open-source framework provided by SaltStack that is usually deployed and used to manage and automate servers inside data centers, cloud server setups, or internal networks.
F-Secure’s alert identified more than 6,000 vulnerable Salt servers that can be exploited through these flaws if left unpatched, so companies are advised to update their Salt software packages to the latest version to resolve them.
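The two remediation steps the article reports, updating Salt to a fixed release and putting the master behind a firewall, can be turned into a quick fleet triage. The script below is an added example written for this article, not code from SaltStack, LineageOS, or Ghost. It assumes an inventory of Salt masters with their package version and inbound firewall rules (constructed sample data here), and it takes the fixed release for each Salt branch as an input table: the article does not name the fixed version numbers, so the values in `FIXED_PLACEHOLDER` are placeholders to be replaced with the releases named in the SaltStack advisory. The master ports 4505 and 4506 are Salt's default ZeroMQ publisher and request ports.

```python
"""Triage Salt masters after the April 2020 advisory.

Flags (a) hosts whose Salt package is older than the fixed release for its
branch and (b) hosts whose master ports are open to the whole internet.
Example code added to this article; inventory and fixed-version table are
constructed placeholders, not data from the page or the vendor.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Salt's default master ports: 4505 (publisher) and 4506 (request server).
SALT_MASTER_PORTS = (4505, 4506)

# PLACEHOLDER: replace with the fixed releases from the SaltStack advisory.
# Keys are release branches; values are the first fixed version in that branch.
FIXED_PLACEHOLDER: Dict[str, str] = {"2019.2": "2019.2.9", "3000": "3000.9"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2019.2.3' or '3000.1' into a tuple of ints for comparison.

    Salt moved from date-style versions (2019.2.x) to plain numbers (3000.x),
    so both forms must compare correctly within their own branch."""
    return tuple(int(part) for part in text.strip().split("."))


def branch_of(version: Tuple[int, ...]) -> str:
    """Branch key: '2019.2' for date-style releases, '3000' for the new scheme."""
    if version[0] < 3000:
        return ".".join(str(p) for p in version[:2])
    return str(version[0])


@dataclass
class SaltMaster:
    host: str
    version: str
    # Inbound firewall rules as (source CIDR, destination port).
    ingress: List[Tuple[str, int]]


def triage(masters: List[SaltMaster], fixed: Dict[str, str]) -> Dict[str, List[str]]:
    """Return a list of findings per host; an empty list means nothing to do."""
    findings: Dict[str, List[str]] = {}
    for m in masters:
        issues: List[str] = []
        installed = parse_version(m.version)
        branch = branch_of(installed)
        if branch not in fixed:
            issues.append(f"unknown branch {branch}: check the advisory manually")
        elif installed < parse_version(fixed[branch]):
            issues.append(f"salt {m.version} is older than fixed release {fixed[branch]}")
        # Any-source rules on the master ports mean the master is internet-reachable.
        exposed = sorted({port for cidr, port in m.ingress
                          if cidr in ("0.0.0.0/0", "::/0") and port in SALT_MASTER_PORTS})
        if exposed:
            issues.append(f"master ports {exposed} open to 0.0.0.0/0")
        findings[m.host] = issues
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_MASTERS = [
    SaltMaster("salt-a", "2019.2.3", [("10.0.0.0/8", 4505), ("10.0.0.0/8", 4506)]),
    SaltMaster("salt-b", "3000.9", [("0.0.0.0/0", 4505), ("0.0.0.0/0", 4506), ("0.0.0.0/0", 22)]),
    SaltMaster("salt-c", "3000.9", [("10.0.0.0/8", 4505), ("10.0.0.0/8", 4506)]),
]

if __name__ == "__main__":
    for host, issues in triage(SAMPLE_MASTERS, FIXED_PLACEHOLDER).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

The version check deliberately refuses to guess for branches missing from the table rather than silently passing them, since a master on an unexpected branch is exactly the one most likely to have been forgotten during patching.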