Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert.
Managed by SaltStack, Salt is an open-source configuration tool to monitor and update the state of servers in both datacenters and cloud environments. Called minions, agents installed on servers connect to a master to deliver state reports (to a “request server”) and receive updates (from a “publish server”).
Last week, F-Secure security researchers disclosed two vulnerabilities in Salt (CVE-2020-11651 and CVE-2020-11652) that could allow remote attackers to execute commands as root on “master” and connected minions. The most severe of the bugs has a CVSS score of 10.
The vulnerabilities could allow an attacker to bypass authentication and authorization controls, “and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root,” F-Secure said last week.
The security firm warned that attackers would likely devise exploits for the vulnerabilities within 24 hours after the report became public: “Patch by Friday or compromised by Monday,” F-Secure Principal Consultant Olle Segerdahl said on Thursday.
Over the weekend, attacks looking to exploit the two security flaws were observed, with LineageOS, Ghost, and DigiCert being among the first to fall victim.
Servers of the LineageOS Android distribution were hit on Saturday, May 2, with the builds and stats servers still impacted by the outage at the time of writing. In a message posted on Twitter, LineageOS said that signing keys, builds, and source code were not affected by the incident.
Open-source publishing platform Ghost revealed on its status page that attackers managed to gain access to its infrastructure on May 3. Both Ghost(Pro) sites and Ghost.org billing services were affected, but no credit card information was impacted, Ghost said (adding that no credentials are stored in plaintext).
“There is no direct evidence that private customer data, passwords or other information has been compromised. All sessions, passwords and keys are being cycled and all servers are being re-provisioned,” Ghost noted.
The attackers, the company revealed, were attempting to abuse its servers to run crypto-mining malware. The attack resulted in high CPU loads that quickly overloaded most systems.
Certificate authority DigiCert admitted on Sunday that attackers were able to exploit the Salt vulnerability and compromise the CT (Certificate Transparency) Log 2’s key used to sign SCTs (signed certificate timestamps).
Other CT logs run on separate infrastructure and were unaffected, Jeremy Rowley, DigiCert Executive VP of Product, revealed. He also noted that the compromised key might not have been used to sign SCTs, as the attacker did not appear to realize they accessed the keys.
“Digging into our logs, I think the log should be distrusted for everything after 17:00:02 on May 2. This was the last known good treehead,” Rowley said a couple of hours later.
SaltStack released patches for the vulnerabilities last week, with Salt version 3000.2 addressing them. Salt version number 2019.2.4, which was released for the previous major version of the tool, also includes the patches.
UPDATE: “We do not believe the key was used to sign SCTs outside of the CT log’s normal operation, though as a precaution, CAs that received SCTs from the CT2 log after May 2 at 5 p.m. U.S. Mountain Daylight Time (MDT) should receive an SCT from another trusted log,” DigiCert, which has been planning the shut down of CT2 log, which was moved to read only as of May 3, said in an emailed statement.
“Because of Google’s implementation of CT that requires SCTs be posted in multiple logs in order for a certificate to be valid, active TLS certificates posted to the CT2 log should continue to work as expected if issued before May 2 at 5 p.m. MDT,” the company added.
Related: Critical Vulnerability in Salt Requires Immediate Patching
Related: Microsoft to Patch Internet Explorer Vulnerability Exploited in Targeted Attacks
Related: Kr00k Vulnerability Exposed Data From Over a Billion Wi-Fi Devices