Hackers kept busy this weekend exploiting vulnerable Salt instances used in various infrastructures for server management and automation.
Among the organizations that announced an intrusion are LineageOS, Vates (creators of open source Xen Orchestra), Ghost blogging platform, and DigiCert. Hundreds of servers, both masters and clients (minions) have likely been compromised at this point.
Bugs and exploit code are public
Salt versions before 3000.2 and 2019.2.4 are vulnerable to CVE-2020-11651 and CVE-2020-11652. F-Secure disclosed the two vulnerabilities last week saying that “any competent hacker” would need less than 24 hours to develop a 100% reliable exploit.