Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert.
Managed by SaltStack, Salt is an open-source configuration tool to monitor and update the state of servers in both datacenters and cloud environments. Agents installed on servers, called minions, connect to a master to deliver state reports (to a “request server”) and receive updates (from a “publish server”).
Last week, F-Secure security researchers disclosed two vulnerabilities in Salt [securityweek.com] (CVE-2020-11651 and CVE-2020-11652) that could allow remote attackers to execute commands as root on “master” and connected minions. The most severe of the bugs has a CVSS score of 10.
The vulnerabilities could allow an attacker to bypass authentication and authorization controls, “and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root,” F-Secure said [f-secure.com] last week.
The security firm warned that attackers would likely devise exploits for the vulnerabilities within 24 hours after the report became public: “Patch by Friday or compromised by Monday,” F-Secure Principal Consultant Olle Segerdahl said on Thursday.
Over the weekend, attacks looking to exploit the two security flaws were observed, with LineageOS, Ghost, and DigiCert being among the first to fall victim.
[...] SaltStack released patches for the vulnerabilities last week, with Salt version 3000.2 addressing them. Salt 2019.2.4, released for the previous major version of the tool, also includes the patches.
Related: Critical Vulnerability in Salt Requires Immediate Patching [securityweek.com]
See notices from LineageOS [twitter.com], Ghost [ghost.org], and DigiCert [google.com].
Also at: The Register [theregister.co.uk].
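The practical takeaway from the story above is a version check: a master is fixed only if it runs 3000.2 or later, or 2019.2.4 or later on the previous branch. The following is an added example, not code from the story, SaltStack or any of the affected projects, that parses the output of `salt --version` (assumed here to look like `salt 3000.1`) and flags hosts still on a pre-fix release. It assumes that any release older than 2019.2.4, including earlier branches such as 2018.3, is unpatched; the inventory at the bottom is constructed sample data.

```python
import re

# Fixed releases named in the story: 3000.2 on the current branch,
# 2019.2.4 as the backport to the previous branch.
FIXED_3000 = (3000, 2, 0)
FIXED_2019 = (2019, 2, 4)


def parse_version(text):
    """Extract a three-component Salt version tuple from text such as
    'salt 3000.1' (assumed `salt --version` format) or a bare '2019.2.3'.
    Missing components are padded with 0, so '3000' becomes (3000, 0, 0)."""
    m = re.search(r"\b(\d{4})(?:\.(\d+))?(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no Salt version found in {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_vulnerable(version):
    """Return True if the given version predates the CVE-2020-11651/11652 fixes."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v >= FIXED_3000:
        return False          # 3000.2 and anything newer carries the fix
    if v[0] >= 3000:
        return True           # 3000 or 3000.1: current branch, pre-fix
    # Assumption: releases older than 2019.2.4, including earlier
    # year-based branches, are treated as unpatched.
    return v < FIXED_2019


def hosts_needing_patch(inventory):
    """Given {hostname: `salt --version` output}, return the sorted list of
    hosts that still run a vulnerable release."""
    return sorted(host for host, out in inventory.items() if is_vulnerable(out))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "salt-master-a": "salt 3000.1",
    "salt-master-b": "salt 3000.2",
    "legacy-master": "salt 2019.2.3",
    "legacy-master-patched": "salt 2019.2.4",
    "old-branch": "salt 2018.3.5",
}

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade required")
```

Run against the sample data, it lists `legacy-master`, `old-branch` and `salt-master-a`; the same function can be fed real output collected from each master over SSH or from an inventory system.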
Separately, RamNode [ramnode.com], which hosts our backup server, sent an email reporting that they were also hit:
===== EXTENDED COPY =====
This message is to customers with VPSs on our legacy SolusVM system.
At approximately 20:34 eastern (GMT -4) on May 2, recently published SaltStack vulnerabilities (CVE-2020-11651, CVE-2020-11652) were used to launch cryptocurrency miners on our SolusVM host nodes. The attack disrupted various services in order to allocate as much CPU as possible to the miners. SSH and QEMU processes were killed on some of our CentOS 6 KVM hosts, causing extended downtime in certain cases.
Upon detecting the disruption, we quickly began to re-enable SSH, disable and remove Salt, kill related processes, and boot shutdown KVM guests. After careful analysis of the exploit used, we do not believe any data was compromised.
RamNode was not specifically targeted, but rather anyone running SaltStack versions prior to the one released a few days ago (April 29).
Our OpenStack Cloud services were not impacted since we do not use SaltStack for them.
We take security seriously and will revise our configuration management and software updating protocols to reduce the chance of similar issues in the future. We apologize for any inconvenience and will continue to monitor.
Thanks,
RamNode
Coincidentally, SoylentNews was already taking steps to make our own server backups, separate from RamNode. Further, we currently have Linode providing backups of beryllium, boron and helium, which would also allow us to recover.