Red Hat, Fedora Servers Compromised

kdawson posted more than 5 years ago | from the quick-action dept.

An anonymous reader writes "In an email sent to the fedora-announce mailing list, it has been revealed that both Fedora and Red Hat servers have been compromised. As a result, Fedora is changing its package signing key. Red Hat has released a security advisory and a script to detect potentially compromised openssh packages."

278 comments

Nothing to see here. (5, Insightful)

Art Popp (29075) | more than 5 years ago | (#24704945)

These are the guys, to the annoyance of nearly everyone, who turned on SELinux on Fedora Core by default.

These are the guys who noticed they annoyed everyone, and turned on targeted-mode by default.

Coming from someone with many systems, completely exposed to the Internet, with thousand day uptimes, these RedHat folk are in fact sufficiently paranoid.

They have taken all the reasonable precautions, and if their passphrase was strong, then the danger of my servers being compromised by meteor strike is a much greater worry.

Re:Nothing to see here. (4, Informative)

illumin8 (148082) | more than 5 years ago | (#24705065)

They have taken all the reasonable precautions, and if their passphrase was strong, then the danger of my servers being compromised by meteor strike is a much greater worry.

The only thing that concerns me is this: In the Fedora announcement, they said with a high level of confidence, they don't believe the passphrase for their signing key was compromised, because they hadn't signed any packages during the period of time the box was compromised. They are going to change the signing key anyway just in case. This is a good thing.

In the Redhat announcement, we can infer the passphrase and signing key were compromised, because the attacker signed invalid openssh packages. Even though the official RHN distribution channel was not compromised, the attacker most likely still has their private key and passphrase and can continue signing packages and attempting to distribute them. Redhat needs to step up and reissue a new signing key. There was no announcement of this.

Re:Nothing to see here. (2, Interesting)

quitte (1098453) | more than 5 years ago | (#24705213)

Or we could infer that the system was used for its purpose by the attacker. He signed those packages. Redhat looked at the logs; no other packages were signed. So the passphrase is still very likely to be safe.

Re:Nothing to see here. (3, Interesting)

illumin8 (148082) | more than 5 years ago | (#24705881)

Or we could infer that the system was used for its purpose by the attacker. He signed those packages. Redhat looked at the logs; no other packages were signed. So the passphrase is still very likely to be safe.

God, I seriously hope they don't have the passphrase saved so that you don't need to type it in to sign a package. If that is the case their security is very lax. Also, if it's saved, it almost certainly is compromised, because it's stored on disk somewhere. It would be trivial for the attacker to pull it out of whatever script or text file it's saved in.

Re:Nothing to see here. (5, Insightful)

Chang (2714) | more than 5 years ago | (#24705455)

Red Hat needs to offer more info before you can make a solid judgement about this.

If the attacker gained access to the actual system where signing takes place then Red Hat needs to change the key.

But from the announcement wording - they are suggesting that the attacker was able to submit packages to be signed but the actual signing server was not compromised.

They should not have been so vague about this because it is a crucial distinction to make for their customer to make a security judgement.

As a customer I'm not happy with the vague details on what was compromised. I'm sure they did it because they have concerns about describing their package signing systems in detail but they need to open the kimono and give us the detail we need to make a decision about reloading our systems.

Merely saying, "trust us - anything that came from the official channel is safe" doesn't fly. You let an attacker gain unauthorized access - you need to re-earn trust at this point by giving us some detailed info.

Re:Nothing to see here. (5, Interesting)

calmond (1284812) | more than 5 years ago | (#24705953)

What surprises me about this the most is that the system was connected to the network/Internet at all. I had always been of the understanding that to prevent this, the signing server was a stand-alone system accessible only by sneaker-net with physical media. You take your package on CD/DVD/USB key to the server, sign it, then take the signed package back via physical media and distribute it. One Federal Gov't agency in my home town does this and the server is behind three locked doors too, with three different people needed to get physical access. Why didn't RedHat/Fedora do something like this? It really isn't that much of a pain in the ass when you think about it...

Re:Nothing to see here. (2, Insightful)

JustKidding (591117) | more than 5 years ago | (#24705465)

Yes, that is what surprised me, too. However, I'd think they would know what they are doing, and are acting in good faith, because they could have tried to keep the whole incident secret instead.

I don't see why an attacker would sign the packages on that server, instead of just taking the key and signing them elsewhere. Because of this, Red Hat now has the signatures of the tampered OpenSSH packages. If the attacker had signed them elsewhere, they wouldn't, making the packages more valuable.

Is there a technical reason for this?

Also, I assume this means any historic packages, signed with the old key, not already in your possession at the time of the intrusion cannot be trusted. With this I mean any old versions of packages downloaded after the time the attacker got his hands on the passphrase.

Re:Nothing to see here. (1)

illumin8 (148082) | more than 5 years ago | (#24706147)

Also, I assume this means any historic packages, signed with the old key, not already in your possession at the time of the intrusion cannot be trusted. With this I mean any old versions of packages downloaded after the time the attacker got his hands on the passphrase.

Good point. If the attacker still has the private key and passphrase, he can trivially repackage any older RPMs and sign them again.

Re:Nothing to see here. (4, Informative)

uslinux.net (152591) | more than 5 years ago | (#24706031)

Our RedHat TAM tells us that "the signing infrastructure is completely different between fedora and RHEL" and that RHEL uses "a submit to be signed" method. So essentially, someone submitted packages and the system automatically signed them.

Re:Nothing to see here. (5, Informative)

Anonymous Coward | more than 5 years ago | (#24706093)

In the Redhat announcement, we can infer the passphrase and signing key were compromised, because the attacker signed invalid openssh packages.

Incorrect. The signing key used by Red Hat is inside a hardware security token.

So even though it was possible to use the token to sign packages, as soon as access to the token has been removed from the intruder, he is unable to sign any more packages.

Mark Cox of the Red Hat security team explained this setup in a blog post some time ago at http://www.awe.com/mark/blog/200701300906.html [awe.com] .

Re:Nothing to see here. (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24705297)

And for all that annoyance, what good did it do them here? LOL SELINUX FTL

It didn't happen anyway! (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#24705335)

Teh Lunix Is Ulweeze Teh Secure! Dere Know Sekurities Floss In Teh Lunix, It Ull Be Teh MiKKKr0$$$l0th Prupogundaz!!!

Re:Nothing to see here. (2, Insightful)

Anonymous Coward | more than 5 years ago | (#24705627)

Coming from someone with many systems, completely exposed to the Internet, with thousand day uptimes, these RedHat folk are in fact sufficiently paranoid.

Ummm, I'm quite curious, how do you keep your system up for 3 years? Do you not update your kernel? Or is there some way to update a running kernel without rebooting that I don't know about...

Re:Nothing to see here. (3, Funny)

Anonymous Coward | more than 5 years ago | (#24705741)

Yea I guess they don't care that a kernel compromise completely negates any security benefit from SELinux.

Re:Nothing to see here. (0)

Anonymous Coward | more than 5 years ago | (#24705979)

There were some cool methods by which to update a running kernel by loading a module and having it hijack the old kernel and switch to the new. I never tried this. Never cared enough.

I only have two exposed services. Basic web functions and open ssh. I've updated Apache and OpenSSH twice in the last 1014 days as new security announcements, Nessus and other security tools suggested. None of the kernel security issues between 2.6.9-1.667 and now has seemed worth the effort. I may have missed an issue, but so too have all the script kiddies who waste their time lengthening my Logwatch e-mails to no avail.

Re:Nothing to see here. (0)

Anonymous Coward | more than 5 years ago | (#24705643)

These are the guys who have very little competence with regards to security development. The grsecurity developers have been whistleblowing on their poor attempts for years. The Linux kernel has been getting worse and worse in terms of security. The development rate is far too high for any attempt to iron out holes. There is no way you could have 1000 day uptimes and be anywhere near "secure". There is a new kernel nearly every week, and with Linus' cavalier approach to security issues, one has to assume that every single release contains fixes for security issues. IMO the only real security enhancements for Linux (and practically every other OS for that matter) have come from the grsecurity and PaX projects.

Re:Nothing to see here. (1, Insightful)

Anonymous Coward | more than 5 years ago | (#24706231)

I suppose it's a matter of what you want to be secure against.

My servers are not a place where a sane person would store classified documents. I wouldn't even put sensitive documents there. But if you're looking for the "Golden Lock" it doesn't exist. Good security is about keeping the important stuff out of the hands of the bad people, not about making the perfectly invulnerable server. This is why firewalls and DMZs and SELinux are good things. And in fact, for our needs: Good enough.

I do not in any way want to dismiss the pursuit of perfection, any more than a physicist would dismiss the value of mathematics. Sometimes a risk, painstakingly calculated to 10 decimal places of accuracy is still, "Small enough."

Re:Nothing to see here. (2, Informative)

pembo13 (770295) | more than 5 years ago | (#24705699)

Targeted mode is actually the weaker of the two modes. The other mode, whose title I've forgotten, checks everything. While targeted mode only does... targeted apps.

Re:Nothing to see here. (0)

armanox (826486) | more than 5 years ago | (#24706067)

That would be enforcing mode, which can be quite troublesome, but is useful for the paranoid..

Do they run linux? (5, Funny)

mulvane (692631) | more than 5 years ago | (#24704959)

They should have run a secure OS like Vista.

Re:Do they run linux? (5, Funny)

GXTi (635121) | more than 5 years ago | (#24705127)

Don't worry, whatever this "linux" thing is, it can't possibly run without an Operating System to support it, e.g. Microsoft Windows®. All applications require an Operating System to run, including "linux".

Re:Do they run linux? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#24706003)

Richard Stallman is that you?! When's Hurd coming out?

Re:Do they run linux? (0, Funny)

Anonymous Coward | more than 5 years ago | (#24706277)

You're both wrong. Linux in general has a much better security record and problems tend to be fixed much quicker as well (plus Microsoft have a history of just denying blatant security holes).

Also Linux *IS* an operating system. It does not in any way rely on Windows and most certainly does not run *ON* Windows. It is completely separate from Windows and will run on computers even if they have never had Windows on them.

Re:Do they run linux? (1)

obergfellja (947995) | more than 5 years ago | (#24705631)

That's not Red Hat Server... It is Vista in Disguise!

Goes to show (5, Insightful)

BadAnalogyGuy (945258) | more than 5 years ago | (#24704969)

Given enough time and energy, even Linux servers can be hacked.

With the growing interest in Linux, I wonder if we'll see more parity of viruses between Windows and Linux.

Re:Goes to show (4, Insightful)

dword (735428) | more than 5 years ago | (#24705039)

Not unless Linux gains 50+% of the end-user market share.

Re:Goes to show (1)

jessedorland (1320611) | more than 5 years ago | (#24705221)

As a Linux user I would like to think this is not going to be easy, given the nature of Linux. Installing software requires a root account, and as far as I know no Linux user will be surfing the internet with full admin. Building viruses for Unix-based operating systems, including OS X, is not very easy; yes, it can be done, but it will not have a Windows-like effect.

Re:Goes to show (3, Insightful)

TorKlingberg (599697) | more than 5 years ago | (#24705241)

The virus can install itself in the user home directory instead.

Re:Goes to show (4, Insightful)

coryking (104614) | more than 5 years ago | (#24705795)

The virus can install itself in the user home directory instead.

And then use one of the many local exploits to get root.

The most scary and amusing thing is how quick some people on this site and others are to dismiss local exploits. They all think "you have to be on the console, so fuck it, this isn't important and doesn't affect me". They are wrong. These days, a remote exploit is just a human operator and a local exploit.

Re:Goes to show (3, Informative)

Goaway (82658) | more than 5 years ago | (#24705299)

There's absolutely nothing to stop anybody from installing an executable that runs automatically under a user account, without ever needing root. And that executable can do a lot of the things it may want to do without ever needing root access, either.

Re:Goes to show (1, Troll)

bconway (63464) | more than 5 years ago | (#24705393)

Like change system files? Nope. How about bind to privileged ports? Nope. So... it can mess up my documents? Darn.

Re:Goes to show (5, Insightful)

Goaway (82658) | more than 5 years ago | (#24705467)

The point is, there's no need to change system files or bind to privileged ports.

Your documents contains LOTS of yummy personal information for people to steal. Identity thieves and credit card thieves will love all that stuff.

Spammers need relays to send their spam through. You can run a relay just fine as a normal user. Same thing with the DDoS bot for extortionists and script kiddies.

You can mess with the internals of Firefox without root access too, through plugins. Easy to put a password stealer in there. Or you could mess with your desktop settings so that when you try to launch a browser, you get a compromised version instead.

I'd say I've covered all the major reasons somebody would want to infect your machine here, and not a single system file or privileged port was needed for it.

Re:Goes to show (2, Interesting)

Karellen (104380) | more than 5 years ago | (#24706179)

"Spammers need relays to send their spam through. You can run a relay just fine as a normal user"

Not if you don't have access to the firewall settings which will open the port that allows someone to connect to your relay.

"You can mess with the internals of Firefox without root access too, through plugins. Easy to put a password stealer in there."

Yes, but without access to the system FF folder, that plugin will go in your per-user plugin directory, and will only run for you. So only your passwords will be stolen, and not those of anyone else on the computer.

"Or you could mess with your desktop settings so that when you try to launch a browser, you get a compromised version instead."

Again, only works for one user.

Of course, the "only works for one user" argument is better if presented in reverse. If your less-computer-literate kid/spouse/parent can't accidentally run code that sets up a visible relay, or installs a system-wide password sniffer, or messes with your desktop, then your desktop/browsing experience will not be fucked with no matter what they accidentally do.

Furthermore, you'll be in a position to be able to clean their account up for them without having to wipe and reinstall the whole machine (including all your precious stuff) which you would have to do if system files had been cracked.

Re:Goes to show (1)

frodo from middle ea (602941) | more than 5 years ago | (#24705743)

Like trying out various local exploits to gain root access...

Re:Goes to show (1, Informative)

Anonymous Coward | more than 5 years ago | (#24705773)

Actually, there is a possibility that it can do all of these privileged things, and more.

Not natively, but there have even been some recent exploits where processes, run without admin privs, can do various things that get it root. Check out vmsplice for instance.

You ALWAYS want to do everything you can to keep unauthorized people off your system. Once they are in, they can exploit known and unpatched, or not yet widely known issues.

Privileges are a great way of stopping some compromises but it doesn't stop everything. It's what defense in depth is all about.

Sudo FTF (1)

dhTardis (1326285) | more than 5 years ago | (#24705935)

All it has to do is wait for you to run sudo, or wait for a root shell to be open in an xterm and send it fake keystrokes. All that without needing to even read your keystrokes.

Or it can just phone home and use a 0-day local privilege escalation attack before whatever update manager can do its thing. Or just pose as the update manager.

Re:Goes to show (1)

gnuman99 (746007) | more than 5 years ago | (#24706051)

The point is, they want root access or effective root access to install root kits so their network sockets and processes are hidden from the user.

With user account their virus is visible. Their network traffic is visible.

Re:Goes to show (4, Interesting)

vadim_t (324782) | more than 5 years ago | (#24705869)

There are plenty things that can be done.

Mounting /home with noexec
Using the grsecurity patch, which can deny execution of files not in directories owned by root, as well as usage of network sockets.
Using SELinux

The tools are there. All that's needed is to use them.

The need to download random binaries to your home directory and run them is infrequent in Linux. The most frequent case is application installers, but many of those need root access anyway (nvidia drivers for instance), and most come with the distribution. A way to fix the occasional need to do this would be a sudo-like tool that needs to be used to execute a file, but doesn't grant root privileges.
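The first item in vadim_t's list is checkable from the mount table. The following is an added example, not from the thread or from any of the projects it names: it parses a constructed stand-in for `/proc/mounts` (labelled as such in the code) and reports which of a set of mount points lack `noexec`. The function names `mount_option` and `report_noexec` are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: check whether mount points carry the
# noexec option that the comment above recommends for /home.
# SAMPLE_MOUNTS is a constructed stand-in for /proc/mounts, in the same
# six-field format: device mountpoint fstype options dump pass.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime,errors=continue 0 0
/dev/sda2 /home ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# mount_option MOUNTS_TEXT MOUNTPOINT OPTION
# Prints "present" if MOUNTPOINT is mounted with OPTION, "missing" if it is
# mounted without it, and "notmounted" if no such mount point exists.
mount_option() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            seen = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) hit = 1
        }
        END {
            if (!seen) print "notmounted"
            else if (hit) print "present"
            else print "missing"
        }'
}

# report_noexec MOUNTS_TEXT MOUNTPOINT...
# One line per mount point: "<mountpoint> <status>".
report_noexec() {
    mounts="$1"
    shift
    for mp in "$@"; do
        printf '%s %s\n' "$mp" "$(mount_option "$mounts" "$mp" noexec)"
    done
}

# On a live host, feed the real table instead of the constructed sample:
#   report_noexec "$(cat /proc/mounts)" /home /tmp /dev/shm
# A missing option can be added without a reboot with
#   mount -o remount,noexec /home
# and made permanent by adding noexec to the options column in /etc/fstab.
report_noexec "$SAMPLE_MOUNTS" /home /tmp /dev/shm /var
```

Against the constructed sample the report shows `/home` and `/dev/shm` without `noexec`, `/tmp` with it, and `/var` not mounted at all; the last case is worth distinguishing because a directory that lives on the root filesystem inherits the root mount's options and cannot be restricted on its own.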

Re:Goes to show (0)

Anonymous Coward | more than 5 years ago | (#24705991)

Hypothetical situation:
User: Oh my god I have been infected by a Linux virus!
Me: do you have backups of your documents and important files?
User: yes but it is messing with my programs...
Me: rm -R /home/$user && mkdir /home/$user
Me: Login and restore your backups sir, the threat has been eliminated.
(not even going on with "here use this shell script it'll remove the virus automagically")

Now compare this to MS Windows: Your system has been infected. Internet Explorer can no longer view sites (curious virus/bot/worm, but I saw it more than once), you cannot search for help online, the virus exists system-wide, the USER can affect the administrator.

I know which I prefer, do you?

Re:Goes to show (2, Insightful)

Goaway (82658) | more than 5 years ago | (#24706097)

So cleanup is easier. But the damage may already be done, as criminals may now have your passwords, your credit card numbers, and your personal information. Plus you were probably sending spam up until the moment you noticed the infection.

Re:Goes to show (1)

Goaway (82658) | more than 5 years ago | (#24706133)

PS: It's pretty disingenuous to make a point that the Windows virus doesn't let you "search for help online", when your Linux scenario was all about asking help from a friend in the first place.

The Windows cleanup is merely a little longer, as it requires an OS re-install and backup restore (also, that is what most people would do on Linux anyway). The vast majority of systems out there are single-user, you know.

Re:Goes to show (0)

Anonymous Coward | more than 5 years ago | (#24706209)

Uh, neither? Anyone that has gained access to your machine may have used some kernel or other exploit and gained privileges. Maybe they just dictionary attacked the root password.

Blowing away and recreating a user's directory won't do squat if you have already been rooted. If anything, it destroys forensic evidence of what might have been done to get privs, if root privs were indeed achieved.

Even in Linux, the user can affect the administrator.

The best defense is keeping unauthorized people off of a machine in the first place and then watching logs and files like a hawk for any evidence of intrusion. Once someone has made it inside, you have a lot of work to do to make sure your system has not been compromised.

Re:Goes to show (1)

AdamWill (604569) | more than 5 years ago | (#24706297)

"Me: do you have backups of your documents and important files?
User: yes"

Ahahahaha! Hahahahahaha! Hahahahahahahahahahah!

*rolls in aisles*
*holds sides*
*wipes tears of laughter from eyes*

Re:Goes to show (2, Insightful)

jambox (1015589) | more than 5 years ago | (#24705429)

A keylogger wouldn't need root access. All it has to do is monitor the keyboard and send out packets. I'm sure there are more examples.

Re:Goes to show (0)

Anonymous Coward | more than 5 years ago | (#24705857)

Users though will gladly give away their bank account information to anybody just asking for it. People have been proven to click on a link saying "Get Infected Here!"

Most of your current Linux crop are techies who don't run admin on Windows either (I don't run admin nor do I allow my users to run as admin; my home PC is Vista and it does not run as admin either).

People still send out spam because people will click on it.

Re:Goes to show (1)

JeffSchwab (1159723) | more than 5 years ago | (#24705369)

I wonder what % Linux already has, if we count embedded systems and devices that aren't ordinarily considered "computers." Cars, ATMs, portable media players, DVRs, household appliances...

MIT students hacking the T notwithstanding, it seems virus authors are still mainly interested in desktop systems. Maybe because financial data are more likely stored on desktops than on portable devices? Are there PDA viruses?

Re:Goes to show (1)

Clairvoyant (137586) | more than 5 years ago | (#24705835)

I'd much rather think this data is stored on servers that are more secure than the average desktop (how was the market share of Linux/Windows on Desktop/Servers again?)

Re:Goes to show (3, Insightful)

berwiki (989827) | more than 5 years ago | (#24705483)

No, you are wrong, and this is the mindset that scares me in the computing world.

If a custom box running JoeOS contains something extremely financially valuable, you can bet people will start trying to hack it.

Security through Obscurity is not only wrong, but terrifying that people buy into the concept.

Re:Goes to show (2, Insightful)

illumin8 (148082) | more than 5 years ago | (#24705239)

Given enough time and energy, even Linux servers can be hacked.

With the growing interest in Linux, I wonder if we'll see more parity of viruses between Windows and Linux.

It also goes to show that the human side is usually where compromises come into play. Most likely some admin had a weak password that was hacked, and that admin had permission to sign packages or things he should not have had.

I don't care how secure your OS is. If you don't follow proper security procedures, including using strong passwords and giving users only the permissions they need to do their job, you will be hacked.

Re:Goes to show (2, Insightful)

Shados (741919) | more than 5 years ago | (#24705497)

Thats correct. And as much as there are many issues with Windows security that -could- be exploited, usually, even there, the human side is easier to exploit... So those "skills" are portable... Will be interesting to see how the ecosystem reacts when it starts happening more and more... technological fixes won't do...

Re:Goes to show (1)

betterunixthanunix (980855) | more than 5 years ago | (#24705745)

I wouldn't even assume it was an admin. My guess is that a HR person of some sort had a weak password, and that from there the attacker was able to sneak into Red Hat's internal network. Within that network, the attacker would have had a much easier time getting into higher security systems, and eventually start getting those packages signed. Whoever it was probably spent several weeks working on this, especially given the sophistication of the attack (targeting the signing server to apparently compromise Red Hat's customers).

Re:Goes to show (1)

berwiki (989827) | more than 5 years ago | (#24705287)

And don't forget OS X.

As 'stable' and 'secure' as that is marketed, all it takes is a few dollar signs and someone will find an exploit somewhere.

Re:Goes to show (2, Insightful)

Alwin Henseler (640539) | more than 5 years ago | (#24705691)

Given enough time and energy, practically any network-connected system can be hacked. That is because security is *hard*, and there are few people who have the means to create chains that contain only strong links, and put those strong chains in the hands of a big audience.

But given workable tools, I think security comes down more to procedures, and a competent sysadmin than anything else. I'd put more faith in a well-managed Windows server than a Linux server with an idiot as admin. With all factors equal, I'd put more faith in a Unix-like system than anything coming from Redmond. For starters, because Unix systems (and clones) were built from the ground up as networked, multi-user systems.

Re:Goes to show (0)

ebuck (585470) | more than 5 years ago | (#24706025)

Before you go harping about parity of viruses between Linux and Windows, show me evidence of parity of viruses between Macintosh and Windows.

Nobody has proven their case that any operating system can achieve virus parity with Windows. Everything I've learned about operating system design implies that Windows might be secured, but has a design that makes it much, much, much harder to achieve.

While it is true that more viruses could exist for Linux, asserting that with Linux acceptance comes virus parity with Windows is FUD. I mean Windows beats Linux by three orders of magnitude. Windows beats Macintosh by three orders of magnitude. It beats commercial Unix by five orders of magnitude.

Sure my data is a little old, but here's the source: http://www.theregister.co.uk/2003/10/06/linux_vs_windows_viruses/ [theregister.co.uk]

You'd better provide some exceptional evidence for making the exceptional claim that Linux virus proliferation is going to grow 50000%. More recent data will be appreciated.

OpenSSH bug? (4, Interesting)

samcan (1349105) | more than 5 years ago | (#24704979)

Is this bug in OpenSSH related to the one that was found in Debian-related distros back about April? Maybe I'm reading the article summary incorrectly.

Re:OpenSSH bug? (2, Funny)

3p1ph4ny (835701) | more than 5 years ago | (#24705125)

In keeping with the spirit of /., I didn't read TFA.

However, I'd say this is totally unrelated to the Debian bug. The Debian bug was caused as a result of a change a Debian package maintainer made. Since he only made the change for the Debian package and didn't push it back upstream, it's highly unlikely that they are related.

Re:OpenSSH bug? (0)

Anonymous Coward | more than 5 years ago | (#24706125)

And yet, people shit frisbees over the problem with Debian, yet everyone wants to give RedHat the benefit of the doubt.

Re:OpenSSH bug? (2, Informative)

tuffy (10202) | more than 5 years ago | (#24705203)

Red Hat's OpenSSH bug involves X11 forwarding. As I recall, Debian's OpenSSH bug was a "fix" that dramatically reduced the entropy available for randomizing. I don't believe the two are related.

Re:OpenSSH bug? (1)

AndGodSed (968378) | more than 5 years ago | (#24705291)

I read TFA and it seems that this is not a bug. It is rather a compromise as a result of illicit access to the servers.

Exactly HOW or WHO did this is not mentioned in TFA.

Re:OpenSSH bug? (1)

tuffy (10202) | more than 5 years ago | (#24705381)

The bottom paragraph of the security advisory "details" section lists a minor bugfix, in addition to clean packages related to the breakin.

Follow-up on comprised packages? (1)

Alwin Henseler (640539) | more than 5 years ago | (#24706145)

Exactly HOW or WHO did this is not mentioned in TFA

If they have/get their hands on these modified (but signed) packages, it would be nice if they'd do some reverse engineering, and publish a follow-up detailing *what* was modified. That might provide some insight on why it was done (and perhaps who was behind it).

Re:OpenSSH bug? (2, Informative)

xsuchy (963813) | more than 5 years ago | (#24706027)

I'm from RH...
No, they are not related. Official OpenSSH packages from Fedora or RH repositories do not contain the bug (apart from the low-priority X11 forwarding one).

As a precautionary measure, we are releasing an updated version of these SSH packages, in case you happened to install a previous package from an untrusted source (i.e. not RHN).

damn't (2, Funny)

extirpater (132500) | more than 5 years ago | (#24704985)

source code filching! nothing else.

when? (2, Interesting)

stoolpigeon (454276) | more than 5 years ago | (#24705011)

Last week? Does that mean earlier this week, or the week before the week I'm in? At what point in whatever week was last week? If I did an install/update after a certain date am I covered?
 
It would be nice if they weren't so vague about the time frame. Maybe it is to encourage people to check and not assume they will not have problems, but in a situation like this, the more accurate a picture I have of what is going on, the better I feel.

Re:when? (0)

Anonymous Coward | more than 5 years ago | (#24705255)

Last week? Does that mean earlier this week, or the week before the week I'm in? At what point in whatever week was last week? If I did an install/update after a certain date am I covered?

It doesn't matter. Just run the script provided (linked to in the summary) on (say) every system updated during August, and it will tell you if you have installed a potentially compromised package.

Re:when? (0)

Anonymous Coward | more than 5 years ago | (#24705689)

Careful about that script. When you do:

gpg --verify openssh-blacklist-1.0.sh.asc openssh-blacklist-1.0.sh

you get the following warning:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

I wouldn't run that script until this problem is fixed.
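
For readers hitting the same warning: "not certified with a trusted signature" means the signature itself verified fine but nobody in your keyring has vouched for the signing key, so gpg cannot say whether the key belongs to who it claims. The usual fix is to confirm the key's fingerprint through a second channel and pin it. The following is an added example (not from the thread, Red Hat, or the blacklist script) that consumes gpg's machine-readable `--status-fd` output and accepts the file only on a good signature from the pinned fingerprint; the status lines and the fingerprint are constructed placeholders.

```python
"""Accept a detached GPG signature only if it is cryptographically valid AND
made by a pinned key fingerprint, ignoring web-of-trust level.

Added example. Assumes the status text comes from:
    gpg --status-fd 1 --verify openssh-blacklist-1.0.sh.asc openssh-blacklist-1.0.sh
The fingerprint and key id below are constructed placeholders, not Red Hat's.
"""
import re
import subprocess

# Placeholder: put here the fingerprint you confirmed out of band
# (vendor advisory fetched over a separate channel, printed key card, etc.).
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of gpg --status-fd output for the case in the post above:
# good signature, key present, but not certified by anyone in the keyring.
SAMPLE_STATUS_UNCERTIFIED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Security Team <security@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2008-08-22 1219392000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 classic
"""

# Constructed sample for a tampered file: the signature does not verify.
SAMPLE_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Security Team <security@example.com>
"""

# Any of these means "do not run the file", whatever else gpg printed.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def gpg_status(sig_path, data_path):
    """Run gpg for real and return its status lines (status goes to stdout
    via --status-fd 1; the human-readable warnings stay on stderr)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return proc.stdout


def parse_status(text):
    """Map each '[GNUPG:] KEYWORD args' line to keyword -> args."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?$", line)
        if m:
            out[m.group(1)] = m.group(2) or ""
    return out


def signature_acceptable(status_text, pinned_fpr=PINNED_FINGERPRINT):
    """True only for a VALIDSIG whose signing-key fingerprint equals the pinned
    one. TRUST_UNDEFINED (the source of the warning) is deliberately not
    consulted: pinning the fingerprint replaces the web-of-trust judgement."""
    st = parse_status(status_text)
    if REJECT_KEYWORDS & st.keys() or "VALIDSIG" not in st:
        return False
    fingerprint = st["VALIDSIG"].split()[0]
    return fingerprint.upper() == pinned_fpr.upper()


if __name__ == "__main__":
    print("uncertified but pinned:", signature_acceptable(SAMPLE_STATUS_UNCERTIFIED))
    print("bad signature:", signature_acceptable(SAMPLE_STATUS_BAD))
```

With a real download you would call `gpg_status(...)` and feed its result to `signature_acceptable`; the warning text on stderr is informational and, once the fingerprint is pinned, not a reason to refuse the file, while any mismatch or BADSIG is.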

Re:when? (0)

Anonymous Coward | more than 5 years ago | (#24705503)

According to this [redhat.com], it would have been before 14 August as that is when they announced that they noticed something.

Re:when? (1)

AvitarX (172628) | more than 5 years ago | (#24705515)

Last week either means the last 7 days, or the week before the week we were in (last Saturday through the Sunday before last).

So it does not preclude earlier this week, but I would say it is a less common usage to mean the last seven days without a qualifier (such as within the last week).

Re:when? (1)

fbjon (692006) | more than 5 years ago | (#24705715)

I've never heard of anyone saying "last week" meaning an arbitrary 7-day period.

ROFLMAO (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24705019)

linux
secure
mythbusted
nuff-said

any OS is only as secure as the system is set up to be...looks like the admin did a WEAK job.

What? (0, Flamebait)

Slash.Poop (1088395) | more than 5 years ago | (#24705031)

It must be April 1st because this can't be true.
Slashdot has told me that the only insecure OS platforms are produced by Microsoft.

______________
Once in a while you get shown the light in the strangest of places if you look at it right

roughly 30 kernel 0dayz circulating (2, Interesting)

Anonymous Coward | more than 5 years ago | (#24705099)

I can confirm that roughly 30 kernel 0dayz circulate in the underground. Working for all kernelz 2.6.X up to 2.6.27-rc3 :)

happy birthday.

Re:roughly 30 kernel 0dayz circulating (0)

Anonymous Coward | more than 5 years ago | (#24705217)

I can confirm that I am the son of Jesus.

Re:roughly 30 kernel 0dayz circulating (0)

Anonymous Coward | more than 5 years ago | (#24705289)

I can confirm that Captain Falcon was selected for Obama's VP.

Re:roughly 30 kernel 0dayz circulating (1, Funny)

Anonymous Coward | more than 5 years ago | (#24705623)

I can confirm that Jesus falcon punched Obama until he gave up the secret 30 government 0-days in the kernel.

Suuure... (2, Funny)

Anonymous Coward | more than 5 years ago | (#24705191)

"Just run this shell script to verify you're not infected"

No way I'm falling for that one.

Back to work.

Karma is a bitch! HAHAHAHAHA (0, Troll)

n1_111 (597775) | more than 5 years ago | (#24705327)

That's what you get for all the years of stupid bashing.

"Compromised?" (5, Insightful)

Hyppy (74366) | more than 5 years ago | (#24705361)

I could not RTFA (/.ed), but is there any indication of how this "compromise" occurred?

My hat's off, though, to the Red Hat folks. Full disclosure and immediate positive action speaks volumes.

On a related note, you should not use Fedora in a production environment anyway. That's what RHEL is for. Fedora = Testing. RHEL = Stable. At least in theory.

Re:"Compromised?" (4, Informative)

corbettw (214229) | more than 5 years ago | (#24705603)

On a related note, you should not use Fedora in a production environment anyway. That's what RHEL is for. Fedora = Testing. RHEL = Stable. At least in theory.

I thought it was, RHEL == RedHat Support, Fedora == Community Support. Fedora might have some bleeding edge stuff in it, if you upgrade often, but it seems about as stable as the corresponding RHEL release. The difference is the support you can count on.

Re:"Compromised?" (2, Informative)

betterunixthanunix (980855) | more than 5 years ago | (#24705665)

Fedora is not as stable as RHEL. If you want "community support" with RHEL's stability, you should use CentOS. In Fedora 9, we have a beta X server, a bleeding edge kernel, and the disastrous KDE 4.0.

Re:"Compromised?" (0)

Anonymous Coward | more than 5 years ago | (#24706001)

Fedora releases also have limited support lifetimes. I forget the length of time but I think it's only one year. After that, you need to upgrade or run without updates - as you note. But doing full OS upgrades is also disruptive in a production environment and there will always be configuration issues and such to bring forward, new bugs, new incompatibilities, etc.

The parent is exactly right - for production, your best option is RHEL or some other supported distro. Then you can upgrade based on features. Not when you start having to run unpatched. The system remains more stable and users see less down time.

At home, I run openSUSE and have the latest release running (with KDE 4.1 - sweet!). No way would I suggest running that in production, though, unless there was a very compelling reason for doing so. Right now, at least, there isn't by any stretch of the imagination.

Re:"Compromised?" (0)

Anonymous Coward | more than 5 years ago | (#24705653)

/Luthor

WRONG!!!!

Nowt wrong with using Fedora in production. I use it productively on my home machine.

Probably not a great idea to use it in production in an enterprise environment though.

No idea how the intrusion took place- it is not mentioned in tfe (email).

Re:"Compromised?" (2, Insightful)

pembo13 (770295) | more than 5 years ago | (#24705675)

In all fairness, and not to paint them in a bad light, the sequence was more like immediate action, and then full disclosure. But I got the feeling that the delay was due to some legal issues.

Re:"Compromised?" (0)

Anonymous Coward | more than 5 years ago | (#24705687)

Last time I checked the servers that host the Fedora infrastructure are running RedHat, not Fedora as you indirectly suggest.

Re:"Compromised?" (1)

Hyppy (74366) | more than 5 years ago | (#24705849)

I didn't suggest any such thing, Coward.

The Fedora repository and signed packages may or may not have been compromised. RHEL packages are believed to be safe. Ergo, it's not much of an issue for production (read: critical) servers, since they should not be running a non-production distro.

Re:"Compromised?" (0)

Anonymous Coward | more than 5 years ago | (#24705693)

Better RTFA when you can. 1) There hasn't been full disclosure (yet, I expect they'll tell more when they know more). 2) 'Immediate' is the wrong word here. The problems started last week (and were noticeable to outsiders as the repositories went down) and RH just stonewalled all enquiries until now.

If MS or Sun or any other company behaved this way then Slashdot would be rightly ripping them a new one. I mean, letting your customers run a possibly compromised SSH for over a week???

Re:"Compromised?" (1)

MrMr (219533) | more than 5 years ago | (#24705787)

...At least in theory.
Your theory fails on its first test because of the little detail that only RHEL appears to have been compromised and not Fedora.

Re:"Compromised?" (-1, Flamebait)

Hyppy (74366) | more than 5 years ago | (#24705873)

The Fedora repositories are believed to have been compromised. The RHEL repositories appear to be safe.

Pray tell, which detail did I miss?

Re:"Compromised?" (2, Informative)

assassinator42 (844848) | more than 5 years ago | (#24706195)

I'd suggest reading both advisories again. But I'll be nice and spell it out. It seems neither OS's repositories were compromised.
From the Fedora advisory: "Among our other analyses, we have also done numerous checks of the Fedora package collection, and a significant amount of source verification as well, and have found no discrepancies that would indicate any loss of package integrity."
From the RHEL advisory: "Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk."
Fedora is changing their key as a precaution "because Fedora packages are distributed via multiple third-party mirrors and repositories". While it seems Red Hat doesn't care as much about people getting packages from non-RHN sources, so they just issued an advisory.
It seems pretty much the same thing happened to each. However, "In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)."

Re:"Compromised?" (1)

Hyppy (74366) | more than 5 years ago | (#24706267)

It seems neither OS's repositories were compromised.

Fedora is changing their key as a precaution "because Fedora packages are distributed via multiple third-party mirrors and repositories". While it seems Red Hat doesn't care as much about people getting packages from non-RHN sources, so they just issued an advisory.

Your two statements seem to contradict each other, if you consider the third-party mirrors and distribution sources as "Fedora" repositories.

Re:"Compromised?" (0)

Anonymous Coward | more than 5 years ago | (#24706181)

Someone uploaded "hacked" packages which went to all of the official repositories. So anyone doing a simple yum update would potentially get the bad packages...

Re:"Compromised?" (1)

njhunter (613589) | more than 5 years ago | (#24706255)

...On a related note, you should not use Fedora in a production environment anyway. That's what RHEL is for. Fedora = Testing. RHEL = Stable. At least in theory.

Fedora is for those that didn't want change from running Redhat through the years. Those with a higher tolerance for change went to CentOS and the more daring to Debian (the really daring may have tried ports from FreeBSD in between and returned).

Not Time for A Distro War (4, Insightful)

Bob9113 (14996) | more than 5 years ago | (#24705781)

Pretty sure most of us are above this anyway, but let's avoid a distro flamewar. You can look through my past comments and see that RH is far from my preferred distro, and I love to take shots at them. But now is not the time. Anyone can get hacked, and it sucks. And they're being responsible about reporting and mitigating.

Godspeed, gentlemen.

Probably a dictionary user/passwd (1, Interesting)

billsf (34378) | more than 5 years ago | (#24705809)

While it seems likely there are some flaws in SSH (if you know, you know) that won't be posted here, the most likely attack was probably from those lame SSH dictionary scans on port 22. This is usually just an extreme annoyance to admins who must provide port 22 service and haven't heard of 'SSHguard'.

Since it seems impossible to educate people about good passwords, these lame attacks will sometimes succeed. Any corporate admin should run 'crack' often. Moving SSH to any port other than 22 will eliminate 99.9% of these lame scans. SSH is secure for today, if used properly. All suspected exploits of the code itself are unproven.

Nothing to be alarmed about here. Problems that affect corporations are unlikely to affect knowledgeable users. To them, computers are 'a necessary evil'. To us, that is our thing.

Re:Probably a dictionary user/passwd (0)

Anonymous Coward | more than 5 years ago | (#24706129)

SSHguard sounds nice, but if I install it I add to the risk that SSHguard will have a remote exploit. I'll stick to strong passwords.

Re:Probably a dictionary user/passwd (1)

zrq (794138) | more than 5 years ago | (#24706189)

I hadn't heard of SSHguard [sourceforge.net], but I do use fail2ban [fail2ban.org].
Any thoughts on which is better, SSHguard or fail2ban?

Does anyone know of a simple SSH honeypot that looks like an SSH server, but just logs the IP address, usernames and passwords that the robots are trying to use?
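
The dictionary scans billsf describes and the fail2ban/SSHguard question above both come down to the same detection: count failed logins per source inside a time window and act once a threshold is crossed. Here is an added example (my own code, not fail2ban's, SSHguard's, or anything from the thread) that runs that sliding-window check over constructed sshd log lines and also keeps the usernames each source tried, which is most of what the honeypot question wants from a log. The `maxretry`/`findtime_s` defaults are assumptions chosen to mirror fail2ban's style of settings; the IP addresses are from the documentation ranges.

```python
"""Sliding-window detector for SSH password guessing over sshd auth-log lines.

Added example, not code from fail2ban, SSHguard, or the thread. Assumes the
standard syslog line format that OpenSSH's sshd writes on failed passwords.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, not real hosts. Two scanners: one fast, one slow-and-low.
SAMPLE_LOG = """\
Aug 22 10:15:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 22 10:15:02 bastion sshd[1202]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Aug 22 10:15:03 bastion sshd[1203]: Failed password for root from 203.0.113.5 port 51250 ssh2
Aug 22 10:15:04 bastion sshd[1204]: Failed password for root from 203.0.113.5 port 51251 ssh2
Aug 22 10:15:05 bastion sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51252 ssh2
Aug 22 10:16:00 bastion sshd[1300]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Aug 22 10:16:30 bastion sshd[1301]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2
Aug 22 11:40:00 bastion sshd[1400]: Failed password for root from 198.51.100.9 port 3333 ssh2
Aug 22 11:50:00 bastion sshd[1401]: Failed password for root from 198.51.100.9 port 3334 ssh2
Aug 22 12:00:00 bastion sshd[1402]: Failed password for root from 198.51.100.9 port 3335 ssh2
Aug 22 12:10:00 bastion sshd[1403]: Failed password for root from 198.51.100.9 port 3336 ssh2
Aug 22 12:20:00 bastion sshd[1404]: Failed password for root from 198.51.100.9 port 3337 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2008):
    """Yield (timestamp, user, ip) for each failed-password line.
    Syslog omits the year, so the caller supplies it (assumed here)."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_bruteforce(log_text, maxretry=5, findtime_s=600):
    """Return {ip: sorted usernames tried} for every source that produced at
    least `maxretry` failures inside some `findtime_s`-second window.
    The window is a per-source deque of timestamps, trimmed as time moves."""
    windows = defaultdict(deque)
    tried = defaultdict(set)
    flagged = {}
    for ts, user, ip in parse_failures(log_text):
        tried[ip].add(user)
        window = windows[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime_s:
            window.popleft()
        if len(window) >= maxretry:
            flagged[ip] = sorted(tried[ip])
    return flagged


if __name__ == "__main__":
    for ip, users in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} usernames tried: {', '.join(users)}")
```

With the defaults, only the fast scanner (203.0.113.5, five failures in five seconds) is flagged; the source spacing its attempts ten minutes apart never has more than two failures inside a ten-minute window and slips under the threshold, which is exactly how low-and-slow guessing evades a short `findtime`. Widening the window (for example `findtime_s=3600`) catches it at the cost of occasionally catching a forgetful legitimate user, so whatever you ban on should be paired with key-only authentication rather than relied on alone.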

You FaIl it (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#24705917)

If Microsoft servers had been compromised... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24705983)

...you people would be lolling and rofling until you soiled your pants. Smelly bed-wetting OSS hypocrites.

CentOS? (1)

wiedzmin (1269816) | more than 5 years ago | (#24706249)

So, does this mean that CentOS is also affected?

Hmm (0, Flamebait)

AP31R0N (723649) | more than 5 years ago | (#24706257)

So, Fedora and Red Hat use Windows Server 2003 for development?
