Administrators of the LineageOS custom Android operating system were on high alert on Saturday after hackers breached their main infrastructure, causing a full outage.
In just two days, the intruders scanned the internet for vulnerable Salt master installations and acted against them. In a short tweet, LineageOS reported the attack, saying that it occurred on May 2, around 8 p.m. PST, and that the source code remained unaffected.
Although the incident forced LineageOS to take all its services offline, it did not impact the signing keys that authenticate distributions because they are stored on hosts separate from the main infrastructure.
Builds were also unaltered as they had been “paused due to an unrelated issue since April 30th,” according to details on the project’s status page.
In all, the intrusion affected the following services: mail servers, download mirrors, statistics, the download portal, and the Gerrit Code Review collaboration system used in development.
On Sunday morning at 3 a.m., the LineageOS team managed to restore the website, email, wiki, and some internal services. At the moment, Gerrit is also up and running.
Salt is a server management tool from SaltStack for event-based automation and remote task execution. Designed for infrastructure and configuration management for any app stack, it is typically deployed on servers in data centers and cloud setups.
Researchers at F-Secure on April 30 published details about two vulnerabilities in Salt that are exploitable to achieve remote code execution with root privileges.
One of them, identified as CVE-2020-11651, is an authentication bypass on the master server that allows pushing commands to client servers (minions), where they are executed as root.
The other, tracked as CVE-2020-11652, is a path traversal that provides access to the entire filesystem of the master server.