LineageOS Server Infrastructure hacked (May 2, 2020)

On May 2, 2020, an attacker gained access to the infrastructure of the LineageOS servers after exploiting an unpatched vulnerability. Here is some information.

What is LineageOS?

LineageOS is an operating system for smartphones and tablets based on the Android open source code. It is the successor of the now discontinued CyanogenMod.

ROMs for various Android devices are developed by volunteers within the LineageOS community. I myself use this one on a Samsung Galaxy S4, which hasn't received Android updates for ages. The Galaxy S4 runs here on Lineage OS 16.x (equivalent to Android 9) and I will probably switch to Lineage OS 17.x (equivalent to Android 10) as soon as I finish my update for an Android book project.

The Hack on May 2, 2020

The LineageOS team announced a hack of the LineageOS infrastructure in the following tweet on May 3, 2020.

I became aware of the issue through another tweet and this ZDNet article. The hack took place on Saturday, May 2, 2020, at around 20:00 US Pacific time.

Unpatched vulnerabilities in the Salt framework

The attack came through an unpatched vulnerability in the SaltStack Salt master, but it was discovered before the attacker could do any damage.

Salt is an open source configuration management and automation framework from SaltStack, used to manage servers and internal networks from a central master. Last week F-Secure disclosed two vulnerabilities in it, CVE-2020-11651 (authentication bypass) and CVE-2020-11652 (directory traversal).

Combined, the two vulnerabilities allow a Salt installation to be taken over, because authentication to the master can be bypassed. Security researchers have observed attacks against these vulnerabilities since the end of last week. Currently, there are probably 6,000 unpatched Salt installations reachable from the Internet. Normally, Salt masters should be shielded by a firewall so that they cannot be reached from the Internet at all.
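As an added example (not from this post and not SaltStack's own tooling): a small Python check a defender could run on a Salt master to test for the two conditions above, the master's ports listening on every interface and an unpatched version. The `ss -Hltn` output is a constructed sample, and the minimum patched version is a parameter the operator takes from SaltStack's advisory, not a value from this post.

```python
"""Constructed exposure check for a Salt master: flags master ports bound to
all interfaces and a version older than the patched release passed in."""
import re

SALT_MASTER_PORTS = {4505: "publisher", 4506: "request server"}  # Salt ZeroMQ defaults
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed `ss -Hltn` output: SSH on loopback only, Salt on every interface.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:22 0.0.0.0:*
LISTEN 0 1000 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 1000 [::]:4506 [::]:*
"""

def parse_version(text):
    """Comparable tuple from 'salt-master 2019.2.3' or '3000.1'.
    Salt moved from date-based (2019.2.x) to plain numbers (3000.x);
    tuple comparison still orders both schemes since 2019 < 3000."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def exposed_ports(ss_output):
    """Map each Salt master port bound to a wildcard address to that address."""
    found = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in SALT_MASTER_PORTS and host in WILDCARDS:
            found[int(port)] = host
    return found

def assess(ss_output, version_output, minimum_patched):
    """Human-readable findings; an empty list means nothing to fix."""
    findings = []
    for port, host in sorted(exposed_ports(ss_output).items()):
        findings.append(f"{SALT_MASTER_PORTS[port]} port {port} listens on {host}: "
                        "restrict it to the minion network at the firewall")
    if parse_version(version_output) < parse_version(minimum_patched):
        findings.append(f"{version_output.strip()} is older than {minimum_patched}: update")
    return findings

if __name__ == "__main__":
    import sys  # usage: python salt_check.py "<salt-master --version output>" <min patched>
    for finding in assess(SAMPLE_SS, sys.argv[1], sys.argv[2]):
        print(finding)
```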

It seems to have gone well this time

Less than three hours after the attack, the LineageOS team published a statement (see the tweet above). It says:

  • The source code of the LineageOS operating system was not affected by the attack.
  • The same applies to all official LineageOS builds, which had already been paused since April 30 because of an unrelated issue.
  • The signing keys used to authenticate official operating system releases were also not affected, as they are kept on hosts separate from the main LineageOS infrastructure.

The LineageOS team nevertheless shut down all its servers on Saturday night to investigate the incident and patch vulnerable servers.
