If your kit is affected, don’t wait: unpatched vulnerabilities in Salt claimed two high-profile victims over the weekend, in the form of the popular Google-free, Android-based LineageOS and the online publishing platform Ghost.
Patched last week, the vulnerabilities in the Salt configuration management tool can allow an attacker to take full control of an exposed installation. Originally discovered by F-Secure, the problems were fixed in Salt 3000.2 and also in the previous stable line, 2019.2.4. Older versions required something a little more manual.
Systems not configured to update automatically from the SaltStack repository may still be vulnerable, and an analysis by F-Secure found more than 6,000 instances exposed to the public internet.
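One defender-side check that follows from those version numbers, as an added example that is not from the article or from SaltStack: a small Python helper that classifies an installed Salt version against the two fixed releases named above. It assumes that any release line newer than 3000 already carries the fix; that is not stated in the article.

```python
import re

# Fixed releases named in the article: 3000.2 for the 3000 line,
# 2019.2.4 for the 2019.2 line. Anything older needs manual patching.
FIX_3000 = (3000, 2)
FIX_2019 = (2019, 2, 4)


def parse_salt_version(text):
    """Extract the numeric version from a bare string such as '3000.1'
    or from `salt --version` output such as 'salt 2019.2.3'.
    Returns a tuple of ints, e.g. (2019, 2, 3) or (3000, 1)."""
    m = re.search(r"(\d{4})(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no Salt version found in {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def salt_patch_status(version_text):
    """Classify an installed Salt version against the fixed releases.
    'patched'    : at or above the fix for its release line
    'vulnerable' : a 3000.x or 2019.2.x build older than the fix
    'manual'     : an older line with no fixed release; patch by hand
    Assumption (not from the article): lines newer than 3000, i.e. 3001
    and up, were released after the fix and are treated as patched."""
    v = parse_salt_version(version_text)
    major = v[0]
    if major > 3000:
        return "patched"
    if major == 3000:
        # Tuple comparison handles a bare '3000' as older than 3000.2.
        return "patched" if v >= FIX_3000 else "vulnerable"
    if v[:2] == (2019, 2):
        return "patched" if v >= FIX_2019 else "vulnerable"
    return "manual"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    fleet = {"master-a": "salt 3000.2", "master-b": "3000", "legacy": "2018.3.5"}
    for host, ver in fleet.items():
        print(f"{host}: {ver} -> {salt_patch_status(ver)}")
```

Feed it the output of `salt --version` from each master; any host reported as vulnerable or manual is one of the exposed installations the article warns about.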
You can probably drop Ghost and LineageOS (or rather, their infrastructure) into that potential bork bucket.
Ghost.org, which powers a variety of websites and claims more than 2 million installations, first reported problems in the wee hours of May 3, at 03:24 BST, but later admitted that the intrusion had occurred around 02:30 BST, when “an attacker used a CVE in our saltstack master to access our infrastructure.”
The outfit is to be congratulated for its transparency, if not for the slightly fragrant security practices that led to the borking.
A full post-mortem is scheduled for later this week (and The Register has contacted Ghost.org for more details), but the impact was severe. Ghost (Pro) sites and Ghost.org billing services were affected, and the gang had to “clean up and rebuild our entire network” after rolling out new firewalls and security measures as the horse disappeared over the horizon, leaving the stable door slamming in the breeze.
Ghost.org insisted that no credit card information had been affected, and said it would cycle all sessions, passwords and keys as well as reprovision all servers. It seems the miscreants had introduced crypto-mining software onto the corporate network. The software quickly overloaded the servers, triggering the CPU alerts that notified administrators.
At 09:29 BST today, Ghost.org reckoned that all traces of the miscreants were gone and things were back to normal. It said:
“All traces of the crypto-mining virus were successfully removed yesterday, all systems remain stable, and we have not discovered any other issues or problems on our network. The team is now working hard on the fix to clean up and rebuild our entire network. We will keep this incident open and continue to share updates until it is fully resolved.”
Borkage for Lineage
The infrastructure used by LineageOS, which suffered an outage on the morning of May 3, was also affected. The attack took all services offline and the team was forced to rebuild the servers.
LineageOS is a free and open source operating system for mobile devices that grew out of the CyanogenMod project. As of early May, the OS accounted for more than 1.7 million active installations.
To be clear, the attack occurred on LineageOS’s end, and the project was quick to point out that the signing keys were not affected (they are stored entirely separately from its main infrastructure) and that builds had already been paused since April 30 due to an “unrelated problem”.
The group then tweeted, adding that the operating system’s source code was not affected either.
Around 8 p.m. PST on May 2, 2020, an attacker used a CVE in our saltstack master to access our infrastructure.
We can verify that:
– Signing keys are not affected.
– Builds are not affected.
– The source code is not affected.
See https://t.co/85fvp6Gj2h for more information.
– LineageOS (@LineageAndroid) May 3, 2020
LineageOS services gradually returned after the attack: internal services, mail and the wiki were restored on Sunday. Its web-based code review system, Gerrit, came back last night, followed by the LineageOS download servers and mirrors this morning. ®