LineageOS is a free and open-source, Android-based operating system used for smartphones, tablet computers, and set-top boxes. Hackers succeeded in exploiting the LineageOS servers through an unpatched vulnerability.
Reportedly, the hackers tried to interrupt the operating system on Saturday night, at about 8 pm (US Pacific coast). Luckily, the hackers were detected within 3 hours and were caught before they could damage the whole LineageOS server.
Since April 30, the operating system's operations have been on hold due to some issues. According to the LineageOS team, the source code of the operating system was safe from the attackers because they failed to establish any link to the operating system.
LineageOS also has signing keys, used to authenticate official OS distributions, which are stored on separate servers. The hackers also failed to harm these signing keys.
The LineageOS developers stated that “the hackers tried to breach the Salt installation of the LineageOS through the unpatched vulnerability.”
SaltStack provides Salt, an open-source server that is used to manage, automate, and deploy servers inside data centers, internal networks, and cloud server setups.
Reportedly, the cybersecurity company F-Secure discovered two vulnerabilities, CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal), in the software used to manage Salt installations.
The authentication-bypass and directory-traversal vulnerabilities allow attackers to bypass login procedures and gain access to the Salt server. Once attackers have access, they can run code on vulnerable Salt master servers that are exposed to the internet.
According to Salt server owners, attackers have in some cases planted backdoors on hacked servers. They have deployed:
- Cryptocurrency miners.
Description

All my servers have salt-minion installed. An unknown program suddenly ran today; it's /tmp/salt-minions

```
[[email protected] ~]# top
top - 10:06:44 up 511 days, 18:39,  3 users,  load average: 2.01, 2.02, 1.91
Tasks: 193 total,   1 running, 192 sleeping,   0 stopped,   0 zombie
Cpu(s):  7.2%us, 18.3%sy,  0.0%ni, 74.1%id,  0.4%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   8060948k total,  7502768k used,   558180k free,    76316k buffers
Swap:  4194300k total,   437368k used,  3756932k free,   188012k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM     TIME+  COMMAND
 2280 root      20   0 56.0g 541m 1588 S 101.1  6.9 345886:48 tp_core
27061 root      20   0 2797m 1848 1000 S  99.1  0.0  36:02.75 salt-minions

[[email protected] ~]# ps -ef |grep 27061 | grep -v grep
root     27061     1 89 09:26 ?        00:36:37 /tmp/salt-minions
```

salt-minion version 2018.3.2
sys: CentOS release 6.5 (Final)
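
The report above shows the two traits a defender can check for: a binary running out of /tmp, and a name ("salt-minions") that imitates the real salt-minion daemon. The following triage script is an added example, not code from the report or from SaltStack; the directory list, the list of Salt command names and every sample row except the PID 27061 line are assumptions constructed for illustration.

```python
# Triage `ps -ef` output for processes like the one in the report:
# executables in world-writable directories and Salt look-alike names.

# World-writable locations where packaged daemons are not installed (assumed list).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Command names shipped with Salt (may not be exhaustive); "salt-minions" is not one.
SALT_COMMANDS = {"salt-minion", "salt-master", "salt-syndic", "salt-api",
                 "salt-proxy", "salt-call", "salt-key", "salt-run",
                 "salt-cp", "salt-ssh", "salt-cloud"}

def parse_ps_ef(text):
    """Yield (pid, argv) per row; columns: UID PID PPID C STIME TTY TIME CMD."""
    for line in text.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8 or not parts[1].isdigit():
            continue  # header, blank or malformed line
        yield int(parts[1]), parts[7].split()

def findings(ps_text):
    """Return [(pid, [reasons])] for rows that match either trait."""
    hits = []
    for pid, argv in parse_ps_ef(ps_text):
        reasons = set()
        # Look at the executable and, for interpreter-launched daemons, the script.
        for token in argv[:2]:
            name = token.rsplit("/", 1)[-1]
            if token.startswith(WRITABLE_DIRS):
                reasons.add("writable-path")
            if name.startswith("salt-") and name not in SALT_COMMANDS:
                reasons.add("lookalike-name")
        if reasons:
            hits.append((pid, sorted(reasons)))
    return hits

# Constructed sample; only the PID 27061 row is taken from the report above.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root       812     1  0 Apr28 ?        00:00:03 /usr/sbin/sshd -D
root      1432     1  0 Apr28 ?        00:12:10 /usr/bin/python /usr/bin/salt-minion -d
root     27061     1 89 09:26 ?        00:36:37 /tmp/salt-minions
app       4100     1  0 09:00 ?        00:00:00 /var/tmp/.cache/worker --quiet
"""

if __name__ == "__main__":
    for pid, reasons in findings(SAMPLE_PS):
        print(pid, ", ".join(reasons))
```

A hit is a lead for investigation, not a verdict: legitimate software sometimes runs from temporary directories, and a renamed miner would evade the name check.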
Recently, more than 6,000 Salt servers were exploited through this unpatched vulnerability. Reportedly, the Salt team released a patched version of the server earlier this week. For better security, Salt servers should be kept behind a firewall and should not be left unpatched.
This wasn’t the first time hackers have attacked an operating system. Canonical’s GitHub account was also breached by hackers in July 2019; the Ubuntu source code was also unaffected.
The LineageOS team investigated the incident and patched all the vulnerable Salt servers to make them secure in the future.