Security Experts:

Connect with us

Hi, what are you looking for?



Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers

Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert.

Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert.

Managed by SaltStack, Salt is an open-source configuration tool to monitor and update the state of servers in both datacenters and cloud environments. Called minions, agents installed on servers connect to a master to deliver state reports (to a “request server”) and receive updates (from a “publish server”).

Last week, F-Secure security researchers disclosed two vulnerabilities in Salt (CVE-2020-11651 and CVE-2020-11652) that could allow remote attackers to execute commands as root on “master” and connected minions. The most severe of the bugs has a CVSS score of 10.

The vulnerabilities could allow an attacker to bypass authentication and authorization controls, “and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root,” F-Secure said last week.

The security firm warned that attackers would likely devise exploits for the vulnerabilities within 24 hours after the report became public: “Patch by Friday or compromised by Monday,” F-Secure Principal Consultant Olle Segerdahl said on Thursday.

Over the weekend, attacks looking to exploit the two security flaws were observed, with LineageOS, Ghost, and DigiCert being among the first to fall victim.

Servers of the LineageOS Android distribution were hit on Saturday, May 2, with the builds and stats servers still impacted by the outage at the time of writing. In a message posted on Twitter, LineageOS said that signing keys, builds, and source code were not affected by the incident.

Open-source publishing platform Ghost revealed on its status page that attackers managed to gain access to its infrastructure on May 3. Both Ghost(Pro) sites and billing services were affected, but no credit card information was impacted, Ghost said (adding that no credentials are stored in plaintext).

“There is no direct evidence that private customer data, passwords or other information has been compromised. All sessions, passwords and keys are being cycled and all servers are being re-provisioned,” Ghost noted.

The attackers, the company revealed, were attempting to abuse its servers to run crypto-mining malware. The attack resulted in high CPU loads that quickly overloaded most systems.

Certificate authority DigiCert admitted on Sunday that attackers were able to exploit the Salt vulnerability and compromise the CT (Certificate Transparency) Log 2’s key used to sign SCTs (signed certificate timestamps).

Other CT logs run on separate infrastructure and were unaffected, Jeremy Rowley, DigiCert Executive VP of Product, revealed. He also noted that the compromised key might not have been used to sign SCTs, as the attacker did not appear to realize they accessed the keys.

“Digging into our logs, I think the log should be distrusted for everything after 17:00:02 on May 2. This was the last known good treehead,” Rowley said a couple of hours later.

SaltStack released patches for the vulnerabilities last week, with Salt version 3000.2 addressing them. Salt version number 2019.2.4, which was released for the previous major version of the tool, also includes the patches.

UPDATE: “We do not believe the key was used to sign SCTs outside of the CT log’s normal operation, though as a precaution, CAs that received SCTs from the CT2 log after May 2 at 5 p.m. U.S. Mountain Daylight Time (MDT) should receive an SCT from another trusted log,” DigiCert, which has been planning the shut down of CT2 log, which was moved to read only as of May 3, said in an emailed statement.

“Because of Google’s implementation of CT that requires SCTs be posted in multiple logs in order for a certificate to be valid, active TLS certificates posted to the CT2 log should continue to work as expected if issued before May 2 at 5 p.m. MDT,” the company added.

Related: Critical Vulnerability in Salt Requires Immediate Patching

Related: Microsoft to Patch Internet Explorer Vulnerability Exploited in Targeted Attacks

Related: Kr00k Vulnerability Exposed Data From Over a Billion Wi-Fi Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.