SaltStack Vulnerability

Hackers have exploited the recently patched vulnerability in the SaltStack configuration framework to hack the LineageOS, Ghost, DigiCert servers.

LineageOS is free and also an open-source operating system for smartphones, set-top boxes, and tablet computers that based on the Android operating system.


The breach was tracked as CVE-2020-11651 and CVE-2020-11652, and they revealed the defects which could easily allow an attacker to perform the arbitrary code on the remote servers that are used in data hubs and cloud environments. All these issues were simply fixed by the SaltStack in a release that was published on 29th April 2020.

The CVE-2020-11651 is an authentication bypass on the master server, and it simply allows the attacker to push the client-server commands that are administered as root. And the CVE-2020-11652 is a path that simply provides access to the whole filesystem of the master server.

Security researchers at F-Secure had already warned previously about this flaw in a report last week that “We expect that any skilled hacker will be easily able to create 100% reliable exploits for these problems in under 24 hours.”

According to the reports, the breach happened nearly 8 PM PST on 2nd May 2020, and an attacker used a CVE in the SaltStack master simply to gain access to the infrastructure of the company. Moreover, they have also stated that the Android builds and the engaging keys were unaffected by the hack.

All Systems Down

The intruders examined the internet for vulnerable SaltStack installations for the whole 2 days and worked corresponding to them. Therefore, LineageOS stated about the attack by saying that it happened on May 2, nearby 8 PM PST and the source code remained unchanged and unaffected.

This conflict extorted LineageOS to exert offline all its assistance, but, still, it did not affect the signing keys that verify arrangements as they are collected on hosts that are kept separately from the central infrastructure, as we hinted earlier.

While according to the details presented on the status page of the project, it clearly states that the builds were also constant as they had been paused due to an unattached issue since April 30.

SaltStack Vulnerability

Moreover, the report also stated that this whole conflict had affected various services like statistics, download mirrors, download portal, mail servers, and the Gerrit Code Review collaboration system, which is generally used in development. But, the LineageOS team successfully managed to repair their website, email, wiki, and some essential internal services on Sunday at 3 AM.

During this conflict, nearly 6000 Salt servers were revealed online, and it can be utilized by this vulnerability if it left unpatched for a long time. Well, patches for the Salt vulnerabilities have been published earlier this recent week. Moreover, Salt servers should usually be used behind a firewall, and it should not be left displayed on the internet.

Don’t know bout Salt? Actually, Salt is a tool from SaltStack that allows you to manage servers for event-based automation and remote task execution. Apart from this, the LineageOS is still investigating the whole patch vulnerable servers, and the team was taking down all its servers from last night. 

On the other hand, Ghost, it’s a Node.js based blogging platform has also become the victim of this attack, in which the attacker simply tried to gain access to the infrastructure by using the CVE in the SaltStack master to install a cryptocurrency miner.

But, Ghost clearly stated that this attack had affected all its “Ghost(Pro)” websites and the “” billing services. But, you don’t have to worry about your payment card data and personal credentials, as the platform, Ghost has clarified that there is no credit card information is affected and credentials are stored in plaintext.

That’s why in short, they didn’t found any direct proof of the private customer data, passwords or other essential private information have been compromised.

Moreover, the VP of Product at DigiCert, Jeremy Rowley, clearly stated in a Google Groups post that, “We discovered today that CT Log 2’s key used to sign SCTs (signed certificate timestamps) was compromised last night at 7 PM via the Salt vulnerability.”

Currently, all these services are operating and functioning normally, but, still, they all are continuing to investigate this issue and the actual cause of this outage.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

Firefox Fixes 2 Zero-Day Bugs That Allow Hackers To Execute Arbitrary Code Remotely

Several Critical RCE Bugs In HP Support Assistant Expose Windows PCs To Remote Attacks

pppD Vulnerability Let Hackers Execute Arbitrary Code on the Linux Systems & Gain Root Access

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.