AsSalt-ed at the weekend: Miscreants roast Ghost, LineageOS totters as Salt bug bites
Ah oh, SaltStack's frightnin' (with apologies to Howlin' Wolf)
If your kit is affected, don't wait: unpatched vulnerabilities in Salt claimed two high profile victims over the weekend in the form of popular Google-free Android-based LineageOS and online publisher Ghost.
Patched last week, the vulnerabilities in the Salt configuration tool can allow an attacker to gain complete control over an exposed installation. Originally discovered by F-Secure, the issues were patched in Salt 3000.2 and also in the previous stable release, 2019.2.4. Older releases required something a little more manual.
Systems that were not set to automatically update from SaltStack's repo could well be vulnerable, and a scan by F-Secure found over 6,000 instances exposed to the public internet.
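The two fixed releases above give a clean patch boundary that a defender can apply to a fleet inventory. The following is an added example, not code from the article, F-Secure or SaltStack: it parses `salt --version` output, classifies each host against the boundaries the article states (fixed in 3000.2 and 2019.2.4, older branches need manual patching), and lists the hosts that still need attention. The inventory is constructed sample data, and treating any release line newer than 3000 as carrying the fix is an assumption of this example.

```python
"""Fleet check for the Salt patch level discussed above.

Added example (not the article's or SaltStack's code). Boundaries from the
article: fixed in 3000.2 and in 2019.2.4; older branches need manual patching.
ASSUMPTION: any release line after 3000 (e.g. 3001) also carries the fix.
"""
import re

# Constructed sample inventory: (hostname, raw output of `salt --version`)
INVENTORY = [
    ("salt-master-01", "salt 3000.1"),
    ("salt-master-02", "salt 2019.2.4"),
    ("build-ci", "salt 2018.3.5"),
    ("web-edge", "salt 3000.2"),
]


def parse_salt_version(text):
    """Return the version from `salt --version` output as a tuple of ints.

    Handles both the year-based scheme ("salt 2019.2.3") and the newer
    integer scheme ("salt 3000.1" or just "salt 3000").
    """
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def classify(version):
    """Classify a parsed version against the fixed releases named above."""
    major = version[0]
    if major > 3000:
        return "patched"  # assumption: later release lines include the fix
    if major == 3000:
        minor = version[1] if len(version) > 1 else 0
        return "patched" if minor >= 2 else "vulnerable"
    if version[:2] == (2019, 2):
        patch = version[2] if len(version) > 2 else 0
        return "patched" if patch >= 4 else "vulnerable"
    # Anything older: the article says these releases need a manual fix.
    return "manual-patch-required"


def audit(inventory):
    """Map each host to its patch status."""
    return {host: classify(parse_salt_version(out)) for host, out in inventory}


def needs_action(inventory):
    """Hosts that are not on a fixed release, sorted for a ticket or report."""
    return sorted(host for host, status in audit(inventory).items()
                  if status != "patched")


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:16} {status}")
    print("needs action:", ", ".join(needs_action(INVENTORY)))
```

Feed it real `salt --version` output collected from each master and minion; hosts reported as `vulnerable` or `manual-patch-required` are the ones to upgrade or patch first, with internet-reachable masters at the front of the queue.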
You can probably drop Ghost and LineageOS (or rather, its infrastructure) into that bucket of potential bork.
Ghost.org, which powers a variety of websites and lays claim to over 2 million installs, first reported problems in the small hours of 3 May, at 03:24 BST, but it later admitted that the intrusion occurred around 02:30 BST, when "an attacker used a CVE in our saltstack master to gain access to our infrastructure."
The outfit is to be commended for its transparency, if not the slightly whiffy security practices that led to the borkage.
A full postmortem is due later this week (and The Register contacted Ghost.org for more details) but the impact was severe. Both Ghost(Pro) sites and the billing services for Ghost.org were affected and the gang had to "clean and rebuild our entire network" having flung up new firewalls and security precautions as the horse disappeared over the horizon, leaving the stable door flapping in the breeze.
Ghost.org insisted that no credit card information had been affected, and said it would be cycling sessions, passwords and keys as well as reprovisioning all servers. It appears that the miscreants popped some crypto-mining software onto the company's network. The software rapidly overloaded the servers, tipping off administrators with CPU alerts.
As of 09:29 BST today, Ghost.org reckoned that all traces of the nasty were gone and things were getting back to normal. It said:
"All traces of the crypto-mining virus were successfully eliminated yesterday, all systems remain stable, and we have not discovered any further concerns or issues on our network. The team is now working hard on remediation to clean and rebuild our entire network. We will keep this incident open and continue to share updates until it is fully resolved."
Borkage for Lineage
Also affected was the infrastructure used by LineageOS, which suffered an outage during the morning of 3 May. The attack knocked all services offline and the team were forced to re-provision servers.
LineageOS is a free and open-source OS for mobile devices, and hails from the CyanogenMod project. As of the beginning of May, the OS accounted for over 1.7 million active installs.
To be clear, the attack occurred at LineageOS's end and the company was quick to point out that signing keys were unaffected (and stored entirely separately from its main infrastructure) and builds had already been paused due to "unrelated issue since April 30th."
The group later emitted a tweet adding that the source code for the OS was also unaffected.
"Around 8PM PST on May 2nd, 2020 an attacker used a CVE in our saltstack master to gain access to our infrastructure.
We are able to verify that:
- Signing keys are unaffected.
- Builds are unaffected.
- Source code is unaffected.
See https://t.co/85fvp6Gj2h for more info."
LineageOS (@LineageAndroid), May 3, 2020
LineageOS's services gradually came back up after the attack, with internal services, mail and wiki restored later on Sunday. Its web-based code review system, Gerrit, returned yesterday evening, followed by LineageOS's download servers and mirrors by this morning. ®