IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers leverage Saltbox flaw to breach LineageOS, Ghost and DigiCert servers

It took only days for hackers to latch onto these known vulnerabilities

Just days after cyber security researchers brought attention to two critical vulnerabilities in the SaltStack configuration framework, hackers have exploited the flaws to breach the servers of LineageOS, Ghost and DigiCert.

Dubbed CVE-2020-11651 and CVE-2020-11652, the previously disclosed flaws may allow a hacker to execute arbitrary code on remote servers deployed in data centers and cloud environments.

Researchers previously warned that any competent hacker could create 100% reliable exploits related to the issues in 24 hours or less. Since then, LineageOS detected an intrusion that occurred on May 2, 2020.

"Around 8 pm PST on May 2nd, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure," the company shared in its incident report. The company added the breach didn’t impact Android builds and signing keys.

Ghost also fell victim to the Saltbox vulnerability. Developers noted that "around 1:30 am UTC on May 3rd, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure" and install a cryptocurrency miner. According to the developers, the mining attempt spiked CPUs, which quickly overloaded Ghost’s systems, alerting them of the attack immediately.

LineageOS and Ghost have since patched the impacted systems and restored services. 

The Salt vulnerability was also used to hack into DigiCert certificate authority. DigiCert's VP of product, Jeremy Rowley, shared in a Google Groups post on Sunday, "We discovered today that CT Log 2's key used to sign SCTs (signed certificate timestamps) was compromised last night at 7 pm via the Salt vulnerability." 

Rowley added, "Although we don't think the key was used to sign SCTs (the attacker doesn't seem to realize that they gained access to the keys and were running other services on the infrastructure), any SCTs provided from that log after 7 pm MST yesterday are suspect. The log should be pulled from the trusted log list." 

While the issues were fixed by SaltStack in a release published on April 29, 2020, it’d be wise for businesses to update Salt software packages to the latest version to resolve these flaws and avoid any and all nefarious hacking attempts.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
data centres

Microsoft successfully tests emission-free hydrogen fuel cell system for data centres

29 Jul 2022