On May 2, 2020, hackers breached the infrastructure of LineageOS, an open-source operating system based on Android, through an unpatched vulnerability.
LineageOS is a free, open-source operating system based on Android for smartphones, tablets, and set-top boxes. It was officially released at the end of 2016 and is available for 109 phone models, with over 1.7 million active installs.
The LineageOS team identified the attack before the attacker did any harm to the system, and published a statement about it within hours.
The LineageOS team said that the attacker used an unpatched vulnerability to breach its Salt installation. The team also said that the signing keys used to authenticate official OS distributions were unaffected, and that the source code was also unaffected.
Salt is an open-source framework provided by SaltStack that is used to manage and automate servers inside internal networks, data centers, and cloud server setups.
Two critical vulnerabilities in the Salt framework, disclosed by the cybersecurity firm F-Secure, were used to breach LineageOS.
The vulnerabilities are tracked as CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal). When combined, they can let attackers bypass login procedures and run arbitrary code on a Salt master server that is left exposed on the internet.
The firm said that about 6,000 Salt servers are left exposed to the internet. Patches for the vulnerabilities were released this week. Salt servers should not be left exposed to the internet.
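A defender can check how widely a Salt master listens by reading its configuration. The following is an added example, not code from the article or from the Salt project; it assumes Salt's documented master settings `interface`, `publish_port` and `ret_port` with their defaults (0.0.0.0, 4505, 4506), which the article does not mention, and the sample config is constructed.

```python
import ipaddress

# Salt master defaults, used when a key is absent from the config.
DEFAULTS = {"interface": "0.0.0.0", "publish_port": "4505", "ret_port": "4506"}

# Constructed sample of a master config (not taken from any real host).
SAMPLE_CONFIG = """\
# /etc/salt/master (constructed sample)
#interface: 10.20.0.5
publish_port: 4505
ret_port: 4506   # request server
file_roots:
  base:
    - /srv/salt
"""

def parse_master_config(text):
    """Collect the top-level scalar settings this check cares about."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        if not line.strip() or line[0] in " \t#-":
            continue  # blank, nested, commented-out, or list-item line
        key, sep, value = line.partition(":")
        value = value.split("#")[0].strip().strip("'\"")
        if sep and key.strip() in DEFAULTS and value:
            settings[key.strip()] = value
    return settings

def classify_bind(interface):
    """Say how widely the master listens, judged from its bind address."""
    try:
        addr = ipaddress.ip_address(interface)
    except ValueError:
        return "unknown"
    if addr.is_unspecified:
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"

def audit(text):
    """Return the bind scope and the ports that need a firewall rule."""
    cfg = parse_master_config(text)
    scope = classify_bind(cfg["interface"])
    return {"interface": cfg["interface"], "scope": scope,
            "ports": [int(cfg["publish_port"]), int(cfg["ret_port"])],
            "review_firewall": scope in ("all-interfaces", "public", "unknown")}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The bind address alone does not prove the master is unreachable from the internet, since a private address can still be port-forwarded, so pair this with a check of the firewall rules for the reported ports.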
According to Salt server owners, attackers started exploiting the flaws after the vulnerabilities were released. In some cases they planted backdoors on the vulnerable servers, and in others they planted crypto miners.
Last night the LineageOS team took down all the servers to investigate the attack and patch the vulnerable servers.
Also, in July 2019 hackers breached Canonical's GitHub account; however, the Ubuntu source code remained unaffected.