Cyber Incident Victim: LineageOS
Date: May 2020
Location: United States of America
Summary
A cyberattack exploiting critical vulnerabilities in the Salt management framework compromised the primary infrastructure of LineageOS, causing a widespread service outage. Attackers leveraged authentication bypass and path traversal flaws to gain remote code execution, targeting unpatched systems shortly after the vulnerabilities were publicly disclosed. The breach disrupted email, download mirrors, statistics, and code collaboration platforms, though pre-existing build pauses and segregated signing key storage prevented distribution tampering. Core services including the website, wiki, and internal systems were restored within approximately a day, with code review functionality subsequently returning to normal operation. The incident highlighted risks associated with delayed patching of critical infrastructure components.
Description
On May 2, 2020, LineageOS administrators responded to a full infrastructure outage caused by attackers exploiting a critical vulnerability in the Salt management framework. The attackers leveraged two high-severity Salt vulnerabilities (CVE-2020-11651 and CVE-2020-11652), disclosed publicly on April 30, which enabled authentication bypass and path traversal leading to remote code execution with root privileges. Within two days of the disclosure, the intruders conducted internet-wide scans to identify unpatched Salt master installations, among them LineageOS's infrastructure. This forced LineageOS to take all services offline as a containment measure. The breach affected core operational systems including mail servers, download mirrors, statistics tracking, the download portal, and the Gerrit Code Review collaboration platform. Notably, the incident did not compromise the distribution signing keys, which were stored on isolated hosts, and no builds were altered because compilation had been paused since April 30 for unrelated reasons.

By 3 a.m. on May 3, LineageOS had restored partial functionality, including the website, email services, wiki, and select internal systems, with Gerrit Code Review becoming operational afterwards. The intrusion occurred despite SaltStack maintainers releasing patches for the vulnerabilities on April 29, indicating that the attackers exploited the narrow window between patch availability and widespread deployment. F-Secure researchers had documented the vulnerabilities' capabilities, revealing that over 6,000 internet-exposed Salt instances were potentially at risk during this period. The outage disrupted development workflows and user access to downloads, but the integrity of the cryptographic signing mechanisms essential for firmware validation was maintained. Service restoration prioritized public-facing components while forensic investigation into the scope of the breach continued internally.
