Developers of the LineageOS mobile platform (the successor to CyanogenMod) have warned that they found traces of unauthorized access to their infrastructure. At 6 a.m. (MSK) on May 3, an attacker gained access to the main server of the SaltStack centralized configuration management system by exploiting a vulnerability that had not yet been patched on that server.
It is reported that the attack did not affect the keys used to generate digital signatures, the build system or the platform's source code. The keys were stored on a host completely separate from the main infrastructure managed through SaltStack, and builds had already been stopped for technical reasons on April 30.
Judging from the data on the status.lineageos.org page, the developers have already restored the server hosting the Gerrit code review system, the website and the wiki. The build servers (builds.lineageos.org), the file download portal (download.lineageos.org), the mail servers and the system that coordinates forwarding to mirrors are currently disabled.
About the flaw
The SaltStack 3000.2 update was released on April 29, and four days later (May 2) two vulnerabilities were eliminated.
The problem is that, of the reported vulnerabilities, one was published on April 30 and was assigned the highest level of danger (hence the importance of publishing such information only several days or weeks after a bug is discovered and its fixes are released).
The flaw allows an unauthenticated user to execute code remotely on the controlling host (salt-master) and on all servers managed through it.
The attack was made possible by the fact that network port 4506 (used to access SaltStack) was not blocked by the firewall for external requests, so the attacker only had to exploit the flaw before the LineageOS developers got around to installing the update that corrects it.
All SaltStack users are advised to urgently update their systems and check for signs of compromise.
Apparently, attacks via SaltStack were not limited to LineageOS and became widespread during the day: several users who had not had time to update SaltStack noticed that their infrastructure had been compromised with cryptocurrency-mining code or backdoors.
A similar hack is also reported on the infrastructure of the Ghost content management system, which affected Ghost(Pro) sites and billing (it is claimed that credit card numbers were not affected, but the password hashes of Ghost users could have fallen into the hands of attackers).
- The first vulnerability (CVE-2020-11651) is caused by the lack of proper checks when calling methods of the ClearFuncs class in the salt-master process. The vulnerability allows a remote user to access certain methods without authentication. In particular, through the problematic methods an attacker can obtain a token for root access to the master server and execute any command on the managed hosts running the salt-minion daemon. A patch fixing this vulnerability was released 20 days ago, but after it was applied regressions appeared that caused freezes and interrupted file synchronization.
- The second vulnerability (CVE-2020-11652) allows, through manipulation of the ClearFuncs class, access to methods by passing specially crafted paths, which can be used to gain full access to arbitrary directories on the master server's file system with root privileges. It requires authenticated access, but such access can be obtained using the first vulnerability, so the two combined allow the entire infrastructure to be completely compromised.
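The two defensive checks the article implies, whether the master is still older than the 3000.2 release it names and whether the master's ports are reachable on every interface (port 4506 is named on the page; 4505 is Salt's default publisher port, added here from Salt's documented defaults), as an added audit script that is not part of the original article or of SaltStack itself. The `salt-master --version` and `ss -ltn` outputs below are constructed samples.

```python
import re
from typing import List, Tuple

# Fixed release named on the page; anything older is treated as affected.
FIXED_VERSION = (3000, 2)
# Default salt-master listening ports (4506 from the page, 4505 from Salt's defaults).
SALT_MASTER_PORTS = {4505, 4506}
# Constructed sample of `salt-master --version` output on an unpatched master.
SAMPLE_VERSION_OUTPUT = "salt-master 3000.1"
# Constructed sample of `ss -ltn` output on a master bound to all interfaces.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      1000   0.0.0.0:4505       0.0.0.0:*
LISTEN 0      1000   0.0.0.0:4506       0.0.0.0:*
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*
"""

def parse_version(output: str) -> Tuple[int, ...]:
    """Extract the numeric version tuple from `salt-master --version` output."""
    m = re.search(r"(\d+(?:\.\d+)*)", output)
    if not m:
        raise ValueError("no version number found in %r" % output)
    return tuple(int(p) for p in m.group(1).split("."))

def version_is_patched(version: Tuple[int, ...]) -> bool:
    """Tuple comparison: (3000,) and (3000, 1) sort below (3000, 2)."""
    return tuple(version) >= FIXED_VERSION

def exposed_salt_ports(ss_output: str) -> List[int]:
    """Return Salt master ports listening on a wildcard address (0.0.0.0, * or [::])."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if addr in ("0.0.0.0", "*", "[::]") and port.isdigit() and int(port) in SALT_MASTER_PORTS:
            exposed.append(int(port))
    return sorted(exposed)

def audit(version_output: str, ss_output: str) -> List[str]:
    """Combine both checks into a list of findings; an empty list means nothing to fix."""
    findings = []
    version = parse_version(version_output)
    if not version_is_patched(version):
        findings.append("salt-master %s is older than 3000.2: update it" % ".".join(map(str, version)))
    for port in exposed_salt_ports(ss_output):
        findings.append("port %d listens on all interfaces: restrict it to minion addresses" % port)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION_OUTPUT, SAMPLE_SS_OUTPUT):
        print(finding)
```

On a real master, feed the script the live output of `salt-master --version` and `ss -ltn` instead of the constructed samples.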