Unknown hackers broke into the servers of the popular Android custom ROM LineageOS by exploiting a critical vulnerability and took control of the main servers.
If you have rooted your Android smartphone and are running a custom ROM on it, you should be aware of one of the popular Android forks – LineageOS. After the demise of the CyanogenMod ROM, its successor LineageOS rose to prominence as the top custom ROM for Android smartphones. LineageOS is hugely popular among the rooting communities and brings the latest Android updates to unsupported devices.
It has been successful because it brings the latest Android features to old smartphones that have no chance of getting Android 10 from their manufacturers. Only last month, the developers rolled out LineageOS 17.1, based on Android 10, with several unique features.
On May 2nd, 2020, unknown hackers exploited a critical vulnerability in the SALT framework and took control of the servers. LineageOS has said the attack was detected before the crooks could do any harm to the custom ROM's source code. Soon after the attack, the team took down all of its servers to patch the vulnerabilities. The team behind LineageOS put out a tweet explaining the attack.
Around 8PM PST on May 2nd, 2020 an attacker used a CVE in our saltstack master to gain access to our infrastructure.
We are able to verify that:
– Signing keys are unaffected.
– Builds are unaffected.
– Source code is unaffected.
See https://t.co/85fvp6Gj2h for more info.
— LineageOS (@LineageAndroid) May 3, 2020
According to the team, the operating system, the signing keys, and the OS builds were unaffected. The signing keys, which are used to authenticate official OS distributions, were stored separately from the main LineageOS infrastructure.
How was LineageOS hacked?
The hackers breached the LineageOS servers using two critical vulnerabilities, namely CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal). These vulnerabilities are zero-days in the SALT framework and, when combined, allow attackers to bypass login procedures and remotely execute arbitrary code on Salt master servers.
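To make the directory-traversal class of defect concrete from a defender's side, here is an added example (not LineageOS or SaltStack code) of the containment check a file-serving component should apply before touching a path derived from a request parameter. The base directory and the requested names are constructed for the demonstration; the point is that a path escaping the intended directory, whether through ".." segments or an absolute path, is refused before any file access happens.

```python
"""Containment check for file paths built from untrusted input.

Added example, not LineageOS or SaltStack code. It illustrates the
directory-traversal defect class: a path assembled from a request
parameter that ends up outside the directory it was meant to stay in.
The base directory and request names are constructed sample values.
"""
from pathlib import Path


def resolve_inside(base_dir: str, requested: str) -> Path:
    """Return the absolute path for `requested` only if it stays under base_dir.

    Raises ValueError for anything that would escape: '..' segments,
    absolute paths, or symlinks that point outside the base directory.
    """
    base = Path(base_dir).resolve()
    # Joining an absolute `requested` onto `base` would silently discard
    # `base`, so reject absolute input up front.
    if Path(requested).is_absolute():
        raise ValueError(f"absolute path rejected: {requested!r}")
    candidate = (base / requested).resolve()
    # resolve() collapses '..' and follows symlinks, so after it a plain
    # ancestor check is a reliable containment test.
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """Boolean convenience wrapper over resolve_inside()."""
    try:
        resolve_inside(base_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed base directory; it does not need to exist for the check.
    base = "/var/lib/example-master/files"
    for name in ("top.sls", "web/../top.sls", "../../secrets.txt", "/etc/hostname"):
        print(f"{name!r:28} contained={is_contained(base, name)}")
```

Note that the check is done on the resolved path, not on the raw string: rejecting the literal ".." substring is not enough, because encoded or symlinked variants can bypass a string match while a resolved-path ancestor check still catches them.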
What is SALT Framework?
Salt is an open-source framework from Saltstack that is typically deployed to manage and automate servers inside data centers, cloud server setups, or internal networks. Only last week, cyber-security firm F-Secure disclosed the two major vulnerabilities above in the Salt framework, which could be used to take over Salt installations.
LineageOS isn't the only Salt framework user that was hacked. Several Salt server owners have reported attacks exploiting these two bugs since 2nd May. In fact, the same Salt vulnerabilities have also been used to breach servers operated by the Ghost blogging platform and the DigiCert certificate authority. In some instances, attackers planted backdoors on the hacked servers, but in the majority of cases the cybercriminals chose to make money by deploying cryptocurrency miners.
According to the F-Secure report, more than 6,000 Salt servers are currently exposed online and can be exploited via these vulnerabilities. Saltstack has released patches for both Salt vulnerabilities and has said that Salt servers should normally be deployed behind a firewall and not left exposed on the internet.
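The "behind a firewall" advice is easy to audit. The following is an added example (not SaltStack's own tooling) that checks whether a Salt master's default ZeroMQ ports, TCP 4505 (publish) and 4506 (request/return), are bound on all interfaces and allowed from any source outside the declared minion networks, and then emits the nftables rules that would restrict them. The socket listing, the per-port firewall allow-lists and the minion network are constructed sample data.

```python
"""Audit a Salt master's network exposure and generate a restricting rule set.

Added example, not SaltStack code. Salt masters listen on TCP 4505 and
4506 by default. The `ss -ltn`-style listing, the firewall allow-lists
and the minion network below are constructed sample data.
"""
import ipaddress

SALT_MASTER_PORTS = {4505, 4506}

# Constructed sample in the shape of `ss -ltn` output on a Salt master.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       1000    0.0.0.0:4505         0.0.0.0:*
LISTEN  0       1000    0.0.0.0:4506         0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return [(bind_address, port), ...] for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_wildcard(addr):
    """True when the socket is bound on every interface (IPv4 or IPv6)."""
    return addr in ("0.0.0.0", "*", "::")


def exposed_salt_ports(ss_output, allowed_sources, minion_networks):
    """Return the Salt master ports reachable from outside the minion networks.

    allowed_sources maps port -> list of CIDRs the firewall accepts for it;
    a port missing from the map is treated as unfiltered (default allow).
    """
    minions = [ipaddress.ip_network(n) for n in minion_networks]
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in SALT_MASTER_PORTS or not is_wildcard(addr):
            continue  # not a Salt port, or bound to loopback / one interface
        sources = [ipaddress.ip_network(c) for c in allowed_sources.get(port, ["0.0.0.0/0"])]
        # Exposed if any accepted source range is not inside a minion network.
        if any(not any(src.subnet_of(m) for m in minions if src.version == m.version)
               for src in sources):
            findings.append(port)
    return sorted(findings)


def nft_rules(minion_networks, table="inet filter", chain="input"):
    """nftables commands allowing the Salt ports only from minion networks."""
    ports = ", ".join(str(p) for p in sorted(SALT_MASTER_PORTS))
    sources = ", ".join(minion_networks)
    return "\n".join([
        f"nft add rule {table} {chain} tcp dport {{ {ports} }} ip saddr {{ {sources} }} accept",
        f"nft add rule {table} {chain} tcp dport {{ {ports} }} drop",
    ])


if __name__ == "__main__":
    minion_net = ["10.42.0.0/16"]  # constructed minion subnet
    wide_open = {4505: ["0.0.0.0/0"], 4506: ["0.0.0.0/0"]}
    print("exposed:", exposed_salt_ports(SAMPLE_SS_OUTPUT, wide_open, minion_net))
    print(nft_rules(minion_net))
```

The audit treats a port with no firewall entry as unfiltered, which matches the default on most hosts: a missing rule is an allow, not a deny. The generated `nft` commands assume an existing `inet filter` table with an `input` chain; adjust the table and chain names to the host's own rule set.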
How does the LineageOS hack affect you?
If you are already running a LineageOS custom ROM on your Android smartphone, disable updates for the time being. Since the LineageOS team took down all of its servers last night to investigate the incident and patch the vulnerable servers, you may not receive any updates until the issue is resolved. Luckily, the latest LineageOS build, 17.1, based on Android 10, had already been paused by the developers since April 30 because of an unrelated issue.