posted by Fnord666 on Monday May 04 2020, @08:43PM
from the don't-be-salty-about-it dept.

Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers

Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert.

Salt, maintained by SaltStack, is an open-source configuration-management tool that monitors and updates the state of servers in both datacenters and cloud environments. Agents installed on the managed servers, called minions, connect to a master: they deliver state reports to the master's "request server" and receive updates from its "publish server".

Last week, F-Secure security researchers disclosed two vulnerabilities in Salt (CVE-2020-11651 and CVE-2020-11652) that could allow remote attackers to execute commands as root on the master and on every connected minion. The more severe of the two bugs has a CVSS score of 10.

The vulnerabilities could allow an attacker to bypass authentication and authorization controls, "and publish arbitrary control messages, read and write files anywhere on the 'master' server filesystem and steal the secret key used to authenticate to the master as root," F-Secure said last week.

The security firm warned that attackers would likely devise exploits for the vulnerabilities within 24 hours after the report became public: "Patch by Friday or compromised by Monday," F-Secure Principal Consultant Olle Segerdahl said on Thursday.

Over the weekend, attacks looking to exploit the two security flaws were observed, with LineageOS, Ghost, and DigiCert being among the first to fall victim.

[...] SaltStack released patches for the vulnerabilities last week: Salt 3000.2 fixes them, and Salt 2019.2.4, a backport for the previous major release of the tool, includes the same fixes.
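As an added example (not code from the article or from SaltStack), the following Python triages reported Salt versions against the two fixed releases the article names, 3000.2 and 2019.2.4. It assumes Salt's version strings follow either the date-based YYYY.M.P scheme used up to 2019.2.x or the 3000.N scheme that replaced it, and it reports any other release branch as unknown rather than guessing; the host inventory is constructed for the example.

```python
"""Triage Salt installs against the fixed releases named in the article.

Added example, not SaltStack's code. Assumes Salt version strings follow
either the date-based 'YYYY.M[.P]' scheme (up to 2019.2.x) or the
'3000[.P]' scheme that replaced it; a tuple of ints orders both correctly.
"""
import re
from typing import Dict, List, Optional, Tuple

# The two fixed releases the article names for CVE-2020-11651/-11652.
FIXED_3000 = (3000, 2)       # 3000.2
FIXED_2019_2 = (2019, 2, 4)  # 2019.2.4 backport for the previous major release

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a version tuple from '3000.1', 'salt 2019.2.3' or a package
    string such as 'salt-2019.2.3-1.el7'. Returns None if nothing parses."""
    tokens = text.split()
    if not tokens:
        return None
    match = _VERSION_RE.search(tokens[-1])
    if match is None:
        return None
    return tuple(int(part) for part in match.group(0).split("."))


def assess(version_text: str) -> str:
    """Classify one reported version: 'patched', 'vulnerable', 'unknown'
    (a branch the article's fixed releases do not cover) or 'unparseable'."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    if version[0] >= 3000:
        # 3000.0 and 3000.1 predate the fix; 3000.2 and anything later carry it.
        return "patched" if version >= FIXED_3000 else "vulnerable"
    if version[:2] == (2019, 2):
        return "patched" if version >= FIXED_2019_2 else "vulnerable"
    # 2018.3.x and older: not one of the branches the article lists, so do not
    # guess; the operator has to check the vendor advisory for that branch.
    return "unknown"


# Constructed inventory for the example; host names and versions are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "master01": "salt 3000.1",
    "build-host": "salt 3000.2",
    "legacy-kvm": "salt-2019.2.3-1.el7",
    "backup01": "salt 2019.2.4",
    "old-web": "salt 2018.3.4",
    "mystery": "n/a",
}


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by assessment so the vulnerable ones can be patched first."""
    buckets: Dict[str, List[str]] = {}
    for host, reported in inventory.items():
        buckets.setdefault(assess(reported), []).append(host)
    return buckets


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts)}")
```

Run it as a script to print the triage of the sample inventory; for real hosts, feed it the output of `salt --version` or the package manager's version string. A version on a branch the article does not mention comes back as "unknown", which is a prompt to check the vendor advisory for that branch, not a clean bill of health.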

Related: Critical Vulnerability in Salt Requires Immediate Patching

See notices from LineageOS, Ghost, and DigiCert.

Also at: The Register.

Separately, RamNode, which hosts our backup server, sent an email reporting that they also got hit:

This message is to customers with VPSs on our legacy SolusVM system.

At approximately 20:34 Eastern (GMT -4) on May 2, recently published SaltStack vulnerabilities (CVE-2020-11651, CVE-2020-11652) were used to launch cryptocurrency miners on our SolusVM host nodes. The attack disrupted various services in order to allocate as much CPU as possible to the miners. SSH and QEMU processes were killed on some of our CentOS 6 KVM hosts, causing extended downtime in certain cases.

Upon detecting the disruption, we quickly began to re-enable SSH, disable and remove Salt, kill related processes, and boot the shut-down KVM guests. After careful analysis of the exploit used, we do not believe any data was compromised.

RamNode was not specifically targeted, but rather anyone running SaltStack versions prior to the one released a few days ago (April 29).

Our OpenStack Cloud services were not impacted since we do not use SaltStack for them.

We take security seriously and will revise our configuration management and software updating protocols to reduce the chance of similar issues in the future. We apologize for any inconvenience and will continue to monitor.

Thanks,

RamNode

Coincidentally, SoylentNews was already taking steps to make our own server backups, separate from RamNode. Further, we currently have Linode providing backups of beryllium, boron and helium, which would also allow us to recover.


  • (Score: 4, Interesting) by Anonymous Coward on Monday May 04 2020, @09:10PM (3 children)

    by Anonymous Coward on Monday May 04 2020, @09:10PM (#990433)

    Managed by SaltStack, Salt is an open-source configuration tool

    Dear shitstacks, We already use the word salt [wikipedia.org] for something specific. Kindly stop naming your POS open source webapps after unrelated core concepts leading to headlines that cause me mental and physical discomfort. Thanks.

    • (Score: 0) by Anonymous Coward on Monday May 04 2020, @09:18PM (2 children)

      by Anonymous Coward on Monday May 04 2020, @09:18PM (#990436)
      • (Score: 2, Touché) by Anonymous Coward on Monday May 04 2020, @09:32PM (1 child)

        by Anonymous Coward on Monday May 04 2020, @09:32PM (#990446)

        Does that link have something to do with the loan word to information technology? We all know what salt (in the non-IT sense) is, democrats have been producing it non-stop since Nov 2016.

        • (Score: 0) by Anonymous Coward on Tuesday May 05 2020, @02:02AM

          by Anonymous Coward on Tuesday May 05 2020, @02:02AM (#990537)

          Dems gotta get something useful outta those dimwit MAGAs. Even the GOP sabotaged impeachment had a yield worth about 250 mil.

  • (Score: 4, Informative) by Snotnose on Monday May 04 2020, @10:21PM (2 children)

    by Snotnose (1623) on Monday May 04 2020, @10:21PM (#990459)

    In a security context a salt means something. If some rando company calls their shit a salt then I would expect a site like this to make it clear we are not talking about salting passwords.

    --
    When the dust settled America realized it was saved by a porn star.
    • (Score: 2) by Snotnose on Monday May 04 2020, @10:45PM (1 child)

      by Snotnose (1623) on Monday May 04 2020, @10:45PM (#990472)

      I already replied to this and it didn't show up for some reason. To repeat, the AC with the shitstack comment did not show up when I wrote my reply, but the AC hit 100% of what I was saying. Not sure why my first disclaimer didn't show up as a comment to my own comment, but rest assured. shitstack will forevermore be in my vocabulary.

      --
      When the dust settled America realized it was saved by a porn star.
      • (Score: 1, Funny) by Anonymous Coward on Monday May 04 2020, @11:36PM

        by Anonymous Coward on Monday May 04 2020, @11:36PM (#990492)

        Might be our age and it could be worse. I worked with a guy who kept using the word nonce [merriam-webster.com] to refer to a password salt. Some puzzled looks one 00s morning when he was waxing lyrical about how "a nonce would secure communication" to a British colleague [collinsdictionary.com] (see definition 2).

  • (Score: 1, Funny) by Anonymous Coward on Tuesday May 05 2020, @12:27AM (1 child)

    by Anonymous Coward on Tuesday May 05 2020, @12:27AM (#990504)

    You use these insecure tools that no one has ever heard of and then you act surprised when you find out they're peppered with NSA vulnerabilities. If you were smarter you would write your own state-reporting tools using bash. Now get off my lawn.

    • (Score: 1) by jurov on Tuesday May 05 2020, @04:39PM

      by jurov (6250) on Tuesday May 05 2020, @04:39PM (#990767)

      Anything is insecure without further lines of defense such as a firewall or VPN. I supposed that is what every admin does first when setting up a new service and was baffled when there was no prominent mention in the SaltStack docs. Nor did Ansible and their ilk. Just open the port to the world and all will be fine...
