Hacking the LineageOS infrastructure through a vulnerability in SaltStack

The developers of the LineageOS mobile platform, the successor to CyanogenMod, have warned that they found traces of a break-in into the project infrastructure. At 6 am (MSK) on May 3, the attacker managed to gain access to the main server of the SaltStack centralized configuration management system by exploiting an unpatched vulnerability. The incident is still being analyzed and details are not yet available.

It is only reported that the attack did not affect the digital signing keys, the build system, or the platform source code: the keys are kept on hosts completely separate from the main infrastructure managed through SaltStack, and builds had been stopped for technical reasons on April 30. According to the status page at status.lineageos.org, the developers have already restored the server with the Gerrit code review system, the website and the wiki. The build server (builds.lineageos.org), the file download portal (download.lineageos.org), the mail servers and the mirror redirection coordination system remain offline.

The attack became possible because the network port (4506) used to reach SaltStack was not blocked for external requests by a firewall: an attacker only had to wait for a critical vulnerability in SaltStack to appear and exploit it before the administrators installed the update with the fix. All SaltStack users are advised to update their systems urgently and check for signs of compromise.

Apparently, the attacks through SaltStack were not limited to the LineageOS break-in and became widespread: over the course of the day, various users who had not updated SaltStack in time reported finding their infrastructures compromised, with mining code or backdoors placed on servers. Among others, a similar compromise of the infrastructure of the Ghost content management system is reported, affecting Ghost(Pro) websites and billing (it is claimed that credit card numbers were not affected, but the password hashes of Ghost users could have fallen into the hands of the attackers).

On April 29, the SaltStack platform updates 3000.2 and 2019.2.4 were released, fixing two vulnerabilities (published on April 30). They were assigned the highest severity level because they allow unauthenticated remote code execution both on the control host (salt-master) and on all servers managed through it.

  • The first vulnerability (CVE-2020-11651) is caused by the lack of proper checks when methods of the ClearFuncs class are called in the salt-master process. It allows a remote user to reach some methods without authentication. Through the problematic methods, an attacker can obtain a token for root access to the master server and run any commands on the managed hosts running the salt-minion daemon. A patch for this vulnerability was published 20 days ago, but after it was applied regressions surfaced that led to crashes and broke file synchronization.
  • The second vulnerability (CVE-2020-11652) allows, through manipulation of the ClearFuncs class, access to methods by passing specially crafted paths, which can be used for full access to arbitrary directories in the master server's filesystem with root privileges. It requires authenticated access, but such access can be obtained with the first vulnerability, after which the second can be used to completely compromise the entire infrastructure.
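As an added example (not part of the original article and not a SaltStack tool), the following Python script combines the two checks the article recommends: comparing the installed salt version against the fixed releases 3000.2 and 2019.2.4, and reporting whether the master's default ports 4505 and 4506 are listening on a non-loopback address. The sample `salt --version` string and `ss -ltn` output are constructed; the rules that releases newer than 3000 carry the fix and that branches older than 2019.2 count as unpatched are assumptions, not statements from the article.

```python
import re

# Fixed SaltStack releases named in the article (April 29 updates).
# Keys are the first version component: Salt moved from YYYY.M.N
# numbering to a plain release number starting with 3000.
FIXED_RELEASES = {
    2019: (2019, 2, 4),
    3000: (3000, 2),
}

# Default salt-master ports: 4505 (publish) and 4506 (request/ret,
# the port the article says was reachable from outside).
SALT_PORTS = {4505, 4506}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_version(text):
    """Extract a version tuple from `salt --version` style text.

    'salt 2019.2.3' -> (2019, 2, 3); 'salt 3000.1' -> (3000, 1)
    """
    m = re.search(r"\b(\d+(?:\.\d+)*)\b", text)
    if not m:
        raise ValueError("no version found in: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version):
    """True if the version is at or above the fixed release for its branch.

    Assumption: anything newer than the 3000 branch carries the fix, and
    branches older than 2019.2 are treated as unpatched.
    """
    branch = version[0]
    if branch > 3000:
        return True
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return False
    return version >= fixed  # tuple comparison, e.g. (3000,) < (3000, 2)


def exposed_salt_ports(ss_output):
    """Return Salt ports listening on a non-loopback address, parsed from
    `ss -ltn` output (columns: State Recv-Q Send-Q Local Peer ...)."""
    exposed = set()
    for line in ss_output.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if addr in LOOPBACK or not port.isdigit():
            continue
        if int(port) in SALT_PORTS:
            exposed.add(int(port))
    return sorted(exposed)


def assess(version_text, ss_output):
    """Combine both checks into a list of human-readable findings."""
    version = parse_version(version_text)
    findings = []
    if not is_patched(version):
        findings.append(
            "salt %s is below the fixed release; update to 3000.2 or 2019.2.4"
            % ".".join(map(str, version))
        )
    exposed = exposed_salt_ports(ss_output)
    if exposed:
        findings.append(
            "salt ports %s listen on a non-loopback address; restrict them with a firewall"
            % exposed
        )
    return findings


# Constructed sample input (not real output from any LineageOS server).
SAMPLE_VERSION = "salt 2019.2.3"
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       1000    0.0.0.0:4505         0.0.0.0:*
LISTEN  0       1000    0.0.0.0:4506         0.0.0.0:*
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_VERSION, SAMPLE_SS):
        print("FINDING:", finding)
```

On a real host, feed `assess()` the output of `salt --version` and `ss -ltn`. The listener check is host-local and knows nothing about an upstream firewall, so a flagged port still needs to be confirmed against the actual perimeter rules; conversely, a patched version does not rule out a compromise that happened before the update, which is why the article also calls for checking for signs of intrusion.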

Source: opennet.ru