Slashdot Mirror
Red Hat, Fedora Servers Compromised
An anonymous reader writes "In an email sent to the fedora-announce mailing list, it has been revealed that both Fedora and Red Hat servers have been compromised. As a result Fedora is changing their package signing key. Red Hat has released a security advisory and a script to detect potentially compromised openssh packages."
These are the guys, to the annoyance of nearly everyone, who turned on SELinux on Fedora Core by default.
These are the guys who noticed they annoyed everyone, and turned on targeted-mode by default.
Coming from someone with many systems, completely exposed to the Internet, with thousand day uptimes, these RedHat folk are in fact sufficiently paranoid.
They have taken all the reasonable precautions, and if their passphrase was strong, then the danger of my servers being compromised by meteor strike is a much greater worry.
They should have ran a secure OS like vista.
Given enough time and energy, even Linux servers can be hacked.
With the growing interest in Linux, I wonder if we'll see more parity of viruses between Windows and Linux.
Is this bug in OpenSSH related to the one that was found in Debian-related distros back about April? Maybe I'm reading the article summary incorrectly.
source code filching! nothing else.
Last week? Does that mean earlier this week, or the week before the week I'm in? At what point in whatever week was last week? If I did an install/update after a certain date am I covered?
It would be nice if they weren't so vague about the time frame. Maybe it is to encourage people to check and not assume they will not have problems, but in a situation like this, the more accurate a picture I have of what is going on, the better I feel.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
I can confirm that roughly 30 kernel 0dayz circulate in the underground. Working for all kernelz 2.6.X up to 2.6.27-rc3 :)
happy birthday.
"Just run this shell script to verify you're not infected"
No way I'm falling for that one.
Back to work.
I could not RTFA (/.ed), but is there any indication of how this "compromise" occurred?
My hats off, though, to the Red Hat folks. Full disclosure and immediate positive action speaks volumes.
On a related note, you should not use Fedora in a production environment anyway. That's what RHEL is for. Fedora = Testing. RHEL = Stable. At least in theory.
Pretty sure most of us are above this anyway, but let's avoid a distro flamewar. You can look through my past comments and see that RH is far from my preferred distro, and I love to take shots at them. But now is not the time. Anyone can get hacked, and it sucks. And they're being responsible about reporting and mitigating.
Godspeed, gentlemen.
Stop-Prism.org: Opt Out of Surveillance
While it seems likely there are some flaws in SSH (if you know, you know) that won't be posted here, the most likely attack was probably from those lame SSH dictionary scans on port 22. This is usually just an extreme annoyance to admins who must provide port 22 service and haven't heard of 'SSHguard'.
Since it seems impossible to educate people about good pass words, these lame attacks will sometimes succeed. Any corporate admin should run 'crack' often. Moving SSH to any port other than 22 will eliminate 99.9% of these lame scans. SSH is secure for today, if used properly. All suspected exploits of the code itself are unproven.
Nothing to be alarmed about here. Problems that affect corporations are unlikely to affect knowledgeable users. To them, computers are 'a necessary evil'. To us, that is our thing.
Or it can just phone home and use a 0-day local privilege escalation attack before whatever update manager can do its thing. Or just pose as the update manager.
Exactly HOW or WHO did this is not mentioned in TFA
If they have/get their hands on these modified (but signed) packages, it would be nice if they'd do some reverse engineering, and publish a follow-up detailing *what* was modified. That might provide some insight on why it was done (and perhaps who was behind it).
So, does this mean that CentOS is also affected?
Bow before me, for I am root.
So, Fedora and Red Hat use Windows Server 2003 for development?
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
I really only care to know HOW the attacker got in.
Basically, if he used unknown 0-day and RH/Fedora have no idea what he exploited, then they should say so, so people can watch out.
If he stole username/password from someone dumb - say so.
If he walked into the hosting center, say so.
I REALLY want to how know he compromised their server(s).
I might be next v0v
With several distros being compromised in the last year, it's hard not to suspect some common link. Could this be an attack on free software in general from those that stand to loose money? Conspire if you will.
I just call them as I see them.
Oh and by the way.....Is there any way I could get a rating of -2, Complete Douchebag? Being modded down to that level by the people that mod these messages, the slashDot TROLLS, will complete my life and bring a smile to my face. Please?
I'll try anything once. Twice if it tastes good
No, I'm afraid I can't be bothered. Your miserable life will never be complete.
Like change system files? Nope. ... So... it can mess up my documents? Darn.
Oh, good. My life's work is reconstructable in a mere few decades; wheras if it damages system files, a reinstall could take up to half an hour!
What's purple and commutes? An Abelian grape.
Note that the first detection for this was back in 1994, but still... it's proof that viruses can (and have) be written for Macs.
Now that OS X 10.5 is fully Unix (BSD) in the back end and most Macs are Intel-based architecture and not protected with more than the firewall, I say that it probably just is not noticed as much.
Like change system files? Nope. How about bind to privileged ports? Nope. So... it can mess up my documents? Darn.
Why do you have the computer? Just so you can have some privileged ports and system files that a remote exploit to an unprivileged account can't touch? Or do you actually, you know, use your computer for stuff?
Because if you're using your computer for anything, then that's what's really valuable.
Case in point: The private keys used to sign Red Hat/Fedora packages qualify as "documents" in your scenario.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
I applaud Redhat and Fedora for disclosing this and hope that the whole open source community will join forces to help prevent this from happening again.
Unfortunately as the popularity of open source increases it is likely that the community will become a bigger target.
I am sure all the major distributions and most high-profile projects have already been attacked and will continue to be attacked.
Now may be a good time for all of us to review our security procedures and put measures in place to protect the integrity of the source code, binary packages and all systems used for development.
Port randomization, brute force detection and prevention, strong passwords, strong encryption, intrusion detection and source code/binary integrity verification systems should be deployed and updated regularly.
I hate to speculate in the absence of concrete evidence and information on the compromise, but it is quite possible that two or three factor authentication and the measures enumerated earlier might have prevented this compromise from occurring.
I am confident Redhat and Fedora will disclose more information as their investigation proceeds and as any legal issues are addressed.
May the source be with you!
Every time one of these awful exploits are found, it seems majority of them are Redhat vulnerabilities (with the exception of the recent Debian hole). What's up with that?
is that the hardware is a PCI card.
http://www.ncipher.com/cryptographic_hardware/hardware_security_modules/8/nshield/
Could that be flashed by software? Hope not.
Should be a dip switch on the card to disable/enable flash upgrade by compromised host PC.
The need to download random binaries to your home directory and run them is infrequent in Linux. The most frequent case is application installers, but many of those need root access anyway (nvidia drivers for instance), and most come with the distribution.
Quite a few people who have posted comments to other Slashdot articles have claimed that the difficulty of installing software that did not "come with the distribution" holds back the spread of GNU/Linux on the home and small-office desktop. There are plenty of apps that just aren't suitable for the major distributions' repositories. For example, some apps are not notable because they're for a vertical market. Others have good reason not to be free software with free content, such as many video games.
A way to fix the occasional need to do this would be a sudo-like tool that needs to be used to execute a file, but doesn't grant root privileges.
How smoothly would this work for college students taking a programming class?
A keylogger wouldn't need root access. All it has to do is monitor the keyboard and send out packets.
In an ideal operating environment, any process that monitors the keyboard would show up in a list of accessibility tools, and the user could view this list using the "access" icon (shaped like a stylized man in a wheelchair) in the system notification area.
> A keylogger wouldn't need root access.
Amazingly enough the designers of X back in the Elder Days thought of that possibility and took steps. X has the ability to stop keyloggers from getting things like passwords (barring root, then all bets are off) by including the exclusive keyboard grab. Of course since Moz Corp basically just ports from Windows and Windows doesn't have anything of the sort I'd bet good money Firefox doesn't even use it in dialogs it KNOWS are asking for a password.
It would be an instructive exercise to look at the various places where passwords are requested and see if any of them use it. Does the new GNOME root protection wrappers use it? Does KDE, or any of the distro specific tools? Security is a process, drop the ball at any step and the bad guys win. X did it's bit, did anyone else follow through?
For example xterm does support Secure Keyboard while gnome-terminal doesn't. That said, how many of us have actually USED the secure keyboard feature?
Democrat delenda est
> I'd bet good money Firefox doesn't even use it in dialogs it KNOWS are asking for a password.
Replying to myself.... Doh, I could have checked it myself so I just did and nope, Firefox doesn't lock the keyboard. Even when it pops up a specific box asking for a username/password pair. Of course if you allow FF to autofill passwords it is a moot point anyway since any process that can run as you can read the obfuscated passwords.
Democrat delenda est
In combination with "New Attack Against Multiple Encryption Functions," everybody running Fedora or RHEL would do good to turn off nightly updates. At least until you have the new package signing keys.
Especially if you're worried about DNS poisoning.
-=/\- Jizzbug -/\=-
I remember a bug with a W2k service pack that completely disabled the network for non administrators. The word at the time was that even the testers ran as Admin all the time because trying to do anything as a normal user was such a pain.
I don't know about Macs but in Unix the whole running as a normal user thing is enforced by very strong developer policies. MS should have been stricter about enforcing similar polices before NT became mainstream; instead they're having to hack it in late in the game with stuff like UAC.
Also, I don't think people write malware for Windows because they don't care about the platform, it's just because it's the biggest target. If Unix/Mac/ was as huge on the desktop as Windows, that platform would be the target. It's just how it goes.
Nick
In combination with "New Attack Against Multiple Encryption Functions," everybody running Fedora, RHEL, or any variant configured against Red Hat update repo's would do good to turn off nightly updates. At least until you have the new package signing keys.
Especially if you're worried about DNS poisoning.
-=/\- Jizzbug -/\=-
In combination with "New Attack Against Multiple Encryption Functions," everybody running Fedora, RHEL, or any variant configured against Red Hat update repo's would do good to turn off nightly updates. At least until you have the new package signing keys.
Especially if you're worried about DNS poisoning.
Go read the NT kernel whitepaper. Its fine by me if you dont, people who actually understand kernel architecture will just look at your post and laugh and probably feel sorry.
Its obvious you're trolling , and anyway its not my job to educate people. I know the 12yr olds here just love the "[citation needed]" meme so I wont take the cliche route. I'm not making any claims, you are. It helps when you're informed and not make a complete and utter fool of yourself.
Our RHEL5/x86_64 system has been affected by this problem: I have ran the script from Red Hat openssh blacklist page, and found that all four openssh packages (openssh, openssh-clients, openssh-askpass, openssh-server) had their checksum on the blacklist. I took the server down, created a backup snapshot of the root disk, and I am currently reinstalling it, while checking other volumes and the root volume snapshot for any signs of intrusion.
The most annoying thing is that Red Hat remains silent on the main problem: what the compromised packages contained, how to determine whether the possible attacker exploited the access offered by those packages or not, when exactly were the packages signed, what other precautions to do on other servers (notify users which use the same password as on a compromised server, check for other modified binaries, etc.). I have verified that I had a trojanized binaries on my system, but apart from that, it is not clear what else the possible attacker managed to do.
Red Hat says the packages were not distributed over RHN, so I wonder how I got them. I had another repository in my yum.conf: rpmforge. Maybe this was the source of the malware. My syslog (even a copy on a syslog server) did not say anything about upgrading openssh in the last month or so. However, on Aug 15 it upgraded the YUM RHN plugin. On the same day our dovecot stopped responding, saying the time went backwards (and yes, there was time move several weeks back and then forward, according to dovecot log). Also the rpm -qi said the package was built on Aug 13 13:13:03, and signed five minutes later. However, the install time reported by rpm on my system was July 25 (which would corelate with the time slip reported by dovecot).
Did anybody else met the trojanized openssh mentioned in the advisory? Please share your findings.
Posting as AC for obvious reasons, sorry.
What about CentOS? Did the compromised code flowed down to CentOS?
Fedora is NOT appropriate for a production environment, period.
This is entirely dependent on what your production environment does, what its requirements are, and what your server infrastructure looks like. Not every environment has the problem where switching out OS versions is a big deal or results in downtime.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
No one uses Debian or Ubuntu or Slack all that much so they go after the popular OS.
It can mess what are most likely the most important and least-replaceable data on your machine. This doesn't bother you ?
No, because I actually have backups that go back several weeks. (Thank you Time Machine.)
Can SELinux just quietly go away now? Pretty please? I don't mean just disabling it, which I can already do, I mean not install it at all.
I didn't know Fedora was Debian based..
...to pay your $699 licensing fee you cock smoking teabaggers!
But, but! Linux is more secure!!111!!!
Yea, when was the last time the Windows Update site got hacked....oh yea, never.
Fail.....
Yes, Linux has a small place in business, yes it's a good O/S, NO it is not more secure than Windows no matter how bad the fanboys agrue. Just look at how DHS had to step in and "fix" some projects and now this.
Please, don't flame because you have no other "proof" to backup any claim linux is more secure. Don't be simple Jack.....
"Mama, I'll see you again tonight in my head movies. But this head movies makes my eyes rain!"