
posted by Fnord666 on Monday May 04 2020, @08:43PM
from the don't-be-salty-about-it dept.

Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers

Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert.

Managed by SaltStack, Salt is an open-source configuration tool used to monitor and update the state of servers in both datacenters and cloud environments. Agents called minions, installed on the managed servers, connect to a master to deliver state reports (to a "request server") and receive updates (from a "publish server").

Last week, F-Secure security researchers disclosed two vulnerabilities in Salt (CVE-2020-11651 and CVE-2020-11652) that could allow remote attackers to execute commands as root on the master and on connected minions. The most severe of the bugs has a CVSS score of 10.

The vulnerabilities could allow an attacker to bypass authentication and authorization controls, "and publish arbitrary control messages, read and write files anywhere on the 'master' server filesystem and steal the secret key used to authenticate to the master as root," F-Secure said last week.

The security firm warned that attackers would likely devise exploits for the vulnerabilities within 24 hours after the report became public: "Patch by Friday or compromised by Monday," F-Secure Principal Consultant Olle Segerdahl said on Thursday.

Over the weekend, attacks looking to exploit the two security flaws were observed, with LineageOS, Ghost, and DigiCert being among the first to fall victim.

[...] SaltStack released patches for the vulnerabilities last week, with Salt version 3000.2 addressing them. Salt 2019.2.4, released for the previous major version of the tool, also includes the patches.
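The two fixed releases named above are the practical check a defender needs: which hosts still report an older Salt. As an added example (not code from the story, SecurityWeek or SaltStack), the Python below parses `salt --version`-style strings such as `salt 3000.1`, handles Salt's switch from year-based version numbers to the 3000 counter, and flags hosts that need an upgrade; it assumes that every release after 3000.2 carries the fix and that the hostnames in the sample inventory are constructed.

```python
import re
from typing import List, Tuple

# Fixed releases named in the story: 3000.2, and 2019.2.4 for the previous major version.
FIX_3000 = (3000, 2)
FIX_2019_2 = (2019, 2, 4)

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")

def parse_version(text: str) -> Tuple[int, ...]:
    """Pull the dotted version out of strings like 'salt 3000.1' or '2019.2.3'."""
    # Salt moved from year-based numbers to a plain counter (3000, 3000.1),
    # so the tuple length varies; Python compares tuples element by element.
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_patched(text: str) -> bool:
    """True if the reported version includes the CVE-2020-11651/11652 fixes."""
    version = parse_version(text)
    if version >= FIX_3000:
        # Assumption: 3000.2 and every release after it carry the fix.
        return True
    if version[:2] == (2019, 2):
        # The backport branch is fixed only from 2019.2.4 onwards.
        return version >= FIX_2019_2
    # Older branches (e.g. 2018.3) have no fixed release named in the
    # story, so they are reported as needing an upgrade.
    return False

def hosts_needing_upgrade(report: str) -> List[str]:
    """Return hosts whose 'host: salt X.Y' line reports an unpatched version."""
    needing = []
    for line in report.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines
        host, version_text = line.split(":", 1)
        if not is_patched(version_text):
            needing.append(host.strip())
    return needing

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_REPORT = """\
web1: salt 3000.1
web2: salt 3000.2
db1: salt 2019.2.4
db2: salt 2019.2.3
legacy1: salt 2018.3.4
"""
```

`hosts_needing_upgrade(SAMPLE_REPORT)` returns `['web1', 'db2', 'legacy1']`: the 3000.2 and 2019.2.4 hosts pass, everything older is flagged.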

Related: Critical Vulnerability in Salt Requires Immediate Patching

See notices from LineageOS, Ghost, and DigiCert.

Also at: The Register.

Separately, RamNode, which hosts our backup server, sent an email reporting that they also got hit:

This message is to customers with VPSs on our legacy SolusVM system.

At approximately 20:34 Eastern (GMT-4) on May 2, recently published SaltStack vulnerabilities (CVE-2020-11651, CVE-2020-11652) were used to launch cryptocurrency miners on our SolusVM host nodes. The attack disrupted various services in order to allocate as much CPU as possible to the miners. SSH and QEMU processes were killed on some of our CentOS 6 KVM hosts, causing extended downtime in certain cases.

Upon detecting the disruption, we quickly began to re-enable SSH, disable and remove Salt, kill related processes, and boot shutdown KVM guests. After careful analysis of the exploit used, we do not believe any data was compromised.

RamNode was not specifically targeted, but rather anyone running SaltStack versions prior to the one released a few days ago (April 29).

Our OpenStack Cloud services were not impacted since we do not use SaltStack for them.

We take security seriously and will revise our configuration management and software updating protocols to reduce the chance of similar issues in the future. We apologize for any inconvenience and will continue to monitor.

Thanks,

RamNode

Coincidentally, SoylentNews was already taking steps to do our own server backups, separate from RamNode. Further, we currently have Linode providing backups of beryllium, boron and helium, which would also allow us to recover.

  • (Score: 1, Funny) by Anonymous Coward on Tuesday May 05 2020, @12:27AM (1 child)

    You use these insecure tools that no one has ever heard of and then you act surprised when you find out they're peppered with NSA vulnerabilities. If you were smarter you would write your own state-reporting tools using bash. Now get off my lawn.

  • (Score: 1) by jurov on Tuesday May 05 2020, @04:39PM

    Anything is insecure without further lines of defense such as a firewall or VPN. I supposed that is what every admin does first when setting up a new service and was baffled when there was no prominent mention in the saltstack docs. Nor did ansible and their ilk. Just open the port to the world and all will be fine...