Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers

Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert.

Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert.

Managed by SaltStack, Salt is an open-source configuration tool to monitor and update the state of servers in both datacenters and cloud environments. Called minions, agents installed on servers connect to a master to deliver state reports (to a “request server”) and receive updates (from a “publish server”).

Last week, F-Secure security researchers disclosed two vulnerabilities in Salt (CVE-2020-11651 and CVE-2020-11652) that could allow remote attackers to execute commands as root on “master” and connected minions. The most severe of the bugs has a CVSS score of 10.

The vulnerabilities could allow an attacker to bypass authentication and authorization controls, “and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root,” F-Secure said last week.

The security firm warned that attackers would likely devise exploits for the vulnerabilities within 24 hours after the report became public: “Patch by Friday or compromised by Monday,” F-Secure Principal Consultant Olle Segerdahl said on Thursday.

Over the weekend, attacks looking to exploit the two security flaws were observed, with LineageOS, Ghost, and DigiCert being among the first to fall victim.

Servers of the LineageOS Android distribution were hit on Saturday, May 2, with the builds and stats servers still impacted by the outage at the time of writing. In a message posted on Twitter, LineageOS said that signing keys, builds, and source code were not affected by the incident.

Open-source publishing platform Ghost revealed on its status page that attackers managed to gain access to its infrastructure on May 3. Both Ghost(Pro) sites and Ghost.org billing services were affected, but no credit card information was impacted, Ghost said (adding that no credentials are stored in plaintext).

Advertisement. Scroll to continue reading.

“There is no direct evidence that private customer data, passwords or other information has been compromised. All sessions, passwords and keys are being cycled and all servers are being re-provisioned,” Ghost noted.

The attackers, the company revealed, were attempting to abuse its servers to run crypto-mining malware. The attack resulted in high CPU loads that quickly overloaded most systems.

Certificate authority DigiCert admitted on Sunday that attackers were able to exploit the Salt vulnerability and compromise the CT (Certificate Transparency) Log 2’s key used to sign SCTs (signed certificate timestamps).

Other CT logs run on separate infrastructure and were unaffected, Jeremy Rowley, DigiCert Executive VP of Product, revealed. He also noted that the compromised key might not have been used to sign SCTs, as the attacker did not appear to realize they accessed the keys.

“Digging into our logs, I think the log should be distrusted for everything after 17:00:02 on May 2. This was the last known good treehead,” Rowley said a couple of hours later.

SaltStack released patches for the vulnerabilities last week, with Salt version 3000.2 addressing them. Salt version number 2019.2.4, which was released for the previous major version of the tool, also includes the patches.

UPDATE: “We do not believe the key was used to sign SCTs outside of the CT log’s normal operation, though as a precaution, CAs that received SCTs from the CT2 log after May 2 at 5 p.m. U.S. Mountain Daylight Time (MDT) should receive an SCT from another trusted log,” DigiCert, which has been planning the shut down of CT2 log, which was moved to read only as of May 3, said in an emailed statement.

“Because of Google’s implementation of CT that requires SCTs be posted in multiple logs in order for a certificate to be valid, active TLS certificates posted to the CT2 log should continue to work as expected if issued before May 2 at 5 p.m. MDT,” the company added.

Related: Critical Vulnerability in Salt Requires Immediate Patching

Related: Microsoft to Patch Internet Explorer Vulnerability Exploited in Targeted Attacks

Related: Kr00k Vulnerability Exposed Data From Over a Billion Wi-Fi Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.