The attackers exploited a high-severity vulnerability in the “Salt” open source management system that was released to the public on April 30, the day after the maintainers released new versions that fixed the problem.

All systems down there

In just two days, the intruders searched the internet for vulnerable Salt Master installations and acted against them. In a short tweet, LineageOS announced the attack that it occurred on May 2, around 8 p.m. PST and the source code remained unchanged.  Although the incident forced LineageOS to shut down all of its services, it did not affect the signing keys that authenticate distributions because they are stored on servers separate from the main infrastructure. We are able to verify that: – Signing keys are unaffected. – Builds are unaffected. – Source code is unaffected. See https://t.co/85fvp6Gj2h for more info. — LineageOS (@LineageAndroid) May 3, 2020 Builds were also unaltered as they had been “paused because of an unrelated issue since April 30,” according to information on the status page of the project. In all, the intrusion affected the following services: mail servers, download mirrors, statistics, download portal, and the Gerrit Code Review collaboration program used in the development process. Sunday morning, 3 a.m. The LineageOS team has managed to restore the website, email, wiki, and some internal services. Gerrit is up and running at the moment, too.

Bugs were identified earlier this week

Salt is a SaltStack server management tool for event-based automation and remote task execution. Planned for network and configuration management for any application layer, it is usually installed on servers in data centers and cloud configurations. On April 30, F-Secure researchers published information about two bugs in Salt that are exploitable for remote code execution with root privileges. One of them, known as CVE-2020-11651, is a master server bypass authentication that allows you to move to client servers (minions) commands that are run as root. The other one, monitored as CVE-2020-11652, is a path traversal that provides access to the master server’s entire file system. In the advisory, F-Secure claimed that “any skilled hacker would be able to build 100% effective exploits for these issues in less than 24 hours.” At the time of the study, more than 6,000 compromised Salt instances were exposed to the public Internet.