Hackers breach LineageOS servers via unpatched vulnerability

LineageOS source code, OS builds, and signing keys were unaffected, developers said.
Written by Catalin Cimpanu, Contributor

Hackers have gained access to the core infrastructure of LineageOS, a mobile operating system based on Android, used for smartphones, tablets, and set-top boxes.

The intrusion took place last night, on Saturday, at around 8 pm (US Pacific coast), and was detected before the attackers could do any harm, the LineageOS team said in a statement published less than three hours after the incident.

The LineageOS team said the operating system's source code was unaffected, and so were any operating system builds, which had been already paused since April 30, because of an unrelated issue.

Signing keys, used to authenticate official OS distributions, were also unaffected, as these hosts were stored separately from the LineageOS main infrastructure.

LineageOS developers said the hack took place after the attacker used an unpatched vulnerability to breach its Salt installation.

Salt is an open-source framework provided by Saltstack that is usually deployed and used to manage and automate servers inside data centers, cloud server setups, or internal networks.

Earlier this week, cyber-security firm F-Secure disclosed two major vulnerabilities in the Salt framework that could be used to take over Salt installations.

The two vulnerabilities were CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal), which, when combined, could allow attackers to bypass login procedures and run code on Salt master servers left exposed on the internet.

According to reports from Salt server owners, attacks exploiting these two bugs began sometime yesterday. In some instances, attackers planted backdoors on hacked servers. In other instances, they deployed cryptocurrency miners.

There are currently more than 6,000 Salt servers left exposed online that can be exploited via this vulnerability, if left unpatched. Patches for the Salt vulnerabilities have been released earlier this week. Salt servers should normally be deployed behind a firewall and not left exposed on the internet.

The LineageOS team has taken down all of its servers last night, to investigate the incident and patch vulnerable servers.

This marks the second time a major operating system was hacked in the past year. In July 2019, hackers breached Canonical's GitHub account, however, the Ubuntu source code was also unaffected.

Updated at 8:15pm to add that the same Salt vulnerability has also been used to breach servers operated by the Ghost blogging platform and the Digicert certificate authority.

Nuu Mobile X6 hands-on review: in pictures

Editorial standards