Threat actors exploit SaltStack flaws in widespread attacks, LineageOS servers and the Ghost blogging platform are hacked


Shortly after security researchers disclosed vulnerabilities in the SaltStack orchestration and configuration management framework, malicious actors were quick to seize the opportunity to breach a number of organizations that rely on the technology.

A few days ago researchers from F-Secure described a number of vulnerabilities in the “Salt” framework, including two issues that could be exploited by attackers to take over Salt installations.

The two flaws, tracked as CVE-2020-11651 and CVE-2020-11652, are a directory traversal issue and an authentication bypass vulnerability respectively. By chaining the two issues, an attacker could bypass authentication and run arbitrary code on Salt master servers exposed online.

LineageOS, a free Android-based operating system, and Ghost, a popular blogging platform, reported over the weekend that unidentified hackers had breached their infrastructure in what appear to be separate incidents.

Early on Sunday, the team behind the LineageOS operating system announced that an attacker had used the SaltStack flaws to access the project's main infrastructure, causing the maintainers to briefly shut down all services in order to reprovision the affected servers.

According to the LineageOS team, the source code, signing keys, and OS builds were not affected by the attack. In the case of the Ghost blogging platform, the attackers exploited critical vulnerabilities in Ghost’s server management infrastructure and installed cryptocurrency-mining malware.

“Our investigation indicates that a critical vulnerability in our server management infrastructure (Saltstack, CVE-2020-11651 CVE-2020-11652) was used in an attempt to mine cryptocurrency on our servers. The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately,” according to a statement on Ghost’s website.

While the team did not find evidence indicating the intruders got access to systems or data, all sessions, passwords and keys were cycled and all servers re-provisioned.
