Red Hat, Fedora Servers Compromised
An anonymous reader writes "In an email sent to the fedora-announce mailing list, it has been revealed that both Fedora and Red Hat servers have been compromised. As a result Fedora is changing their package signing key. Red Hat has released a security advisory and a script to detect potentially compromised openssh packages."
The only thing that concerns me is this: In the Fedora announcement, they said that, with a high level of confidence, they don't believe the passphrase for their signing key was compromised, because they hadn't signed any packages during the period of time the box was compromised. They are going to change the signing key anyway, just in case. This is a good thing.
In the Redhat announcement, we can infer the passphrase and signing key were compromised, because the attacker signed invalid openssh packages. Even though the official RHN distribution channel was not compromised, the attacker most likely still has their private key and passphrase and can continue signing packages and attempting to distribute them. Redhat needs to step up and reissue a new signing key. There was no announcement of this.
"When the president does it, that means it's not illegal." - Richard M. Nixon
There's absolutely nothing to stop anybody from installing an executable that runs automatically under a user account, without ever needing root. And that executable can do a lot of the things it may want to do without ever needing root access, either.
On a related note, you should not use Fedora in a production environment anyway. That's what RHEL is for. Fedora = Testing. RHEL = Stable. At least in theory.
I thought it was, RHEL == RedHat Support, Fedora == Community Support. Fedora might have some bleeding edge stuff in it, if you upgrade often, but it seems about as stable as the corresponding RHEL release. The difference is the support you can count on.
God invented whiskey so the Irish would not rule the world.
Our RedHat TAM tells us that "the signing infrastructure is completely different between fedora and RHEL" and that RHEL uses "a submit to be signed" method. So essentially, someone submitted packages and the system automatically signed them.
In the Redhat announcement, we can infer the passphrase and signing key were compromised, because the attacker signed invalid openssh packages.
Incorrect. The signing key used by Red Hat is inside a hardware security token.
So even though it was possible to use the token to sign packages, as soon as access to the token has been removed from the intruder, he is unable to sign any more packages.
Mark Cox of the Red Hat security team explained this setup in a blog post some time ago at http://www.awe.com/mark/blog/200701300906.html.
The most likely attack was probably from those lame SSH dictionary scans on port 22. This is usually just an extreme annoyance to admins who must provide port 22 service and haven't heard of 'SSHguard'.
Or just use SSH key authentication; this is what it's for. Anyone clever enough to use SSH on a redhat project server should be able to manage key authentication.
Give me Classic Slashdot or give me death!
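An added example, not posted by anyone in this thread: a small POSIX sh audit that reads an sshd_config and reports the settings that leave password guessing on port 22 viable, which is the configuration the two comments above are arguing for (keys only, no password path). It assumes OpenSSH's rule that the first uncommented occurrence of a keyword wins, and the defaults of the OpenSSH of that era (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PermitRootLogin yes before OpenSSH 7.0, MaxAuthTries 6). The two sample configs are constructed here; Match blocks and "Key=value" syntax are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# that keep password guessing possible. OpenSSH honours the FIRST uncommented
# occurrence of a keyword; absent keywords fall back to the defaults noted
# below. Match blocks and "Key=value" syntax are deliberately not handled.

# sshd_effective FILE KEYWORD: print the effective value, or nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                          # comments are not settings
        NF >= 2 && tolower($1) == key { print $2; exit }   # first occurrence wins
    ' "$1"
}

# sshd_audit FILE: print one "WEAK: ..." line per risky setting; return 1 if any
sshd_audit() {
    cfg=$1
    bad=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    if [ "${pw:-yes}" != no ]; then            # default yes
        echo "WEAK: PasswordAuthentication=${pw:-yes} (dictionary scans stay viable; want no)"
        bad=1
    fi
    cr=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    if [ "${cr:-yes}" != no ]; then            # default yes; PAM can relay passwords through it
        echo "WEAK: ChallengeResponseAuthentication=${cr:-yes} (want no)"
        bad=1
    fi
    pk=$(sshd_effective "$cfg" PubkeyAuthentication)
    if [ "${pk:-yes}" = no ]; then             # default yes; keys are the replacement
        echo "WEAK: PubkeyAuthentication=no (key login disabled)"
        bad=1
    fi
    root=$(sshd_effective "$cfg" PermitRootLogin)
    if [ "${root:-yes}" = yes ]; then          # default was yes before OpenSSH 7.0
        echo "WEAK: PermitRootLogin=yes (root is directly guessable)"
        bad=1
    fi
    tries=$(sshd_effective "$cfg" MaxAuthTries)
    if [ "${tries:-6}" -gt 6 ]; then           # default 6
        echo "WEAK: MaxAuthTries=$tries (more guesses per connection than the default)"
        bad=1
    fi
    return $bad
}

# Constructed sample: looks hardened at a glance, but the key line is commented out
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
MaxAuthTries 10
EOF

# Constructed sample: keys only, no password path at all
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
MaxAuthTries 3
EOF

for f in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "== $f"
    sshd_audit "$f" && echo "ok: no weak settings"
done
```

Run it against a real server with `sshd_audit /etc/ssh/sshd_config`; the commented-out line in the weak sample is the case worth noticing, because a config that merely contains the words "PasswordAuthentication no" is not the same as one that sets them.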
Thankfully we have the noexec mounting option available.
That's no good. Scripts can be run by invoking the interpreter first, like so:
/usr/bin/perl /home/user/proggie
and binaries by starting them like so:
/lib/ld-linux.so.2 /home/user/proggie
This is why they don't need new keys: http://www.awe.com/mark/blog/200701300906.html (keys are secure in a hardware device)
If you're going to mount /home noexec, you should also mount /tmp as noexec as well. In fact, I'd wager you should do that well before you bother with /home. A lot of wormy/trojany stuff wants to write, unpack, build and execute in /tmp. In fact, while you're at it, make sure only root can run make and gcc, or get at any of the libs. All command line network tools (wget, ftp, etc) should also only be run by root. Now go through and get rid of most (all?) of the setuid root stuff. Then crank down the firewall to only allow incoming 22 and 80 (or whatever). That will take care of a wide range of automated stuff.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
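An added example, not posted by anyone in this thread, covering the noexec discussion and the /tmp hardening list above: a POSIX sh audit that reads a mount table in /proc/mounts format and reports which of the writable, user-reachable filesystems lack noexec, nosuid and nodev, or are not separate mounts at all (and so cannot carry their own options). The sample table is constructed here; the watched directories and the wanted options are my assumptions, not the thread's. As the noexec comment points out, an interpreter or ld.so can still run a file from a noexec mount, so this is defence in depth and not a substitute for the rest of that list.

```shell
#!/bin/sh
# Added example (not from the thread): check a /proc/mounts-style table for the
# mount options the thread recommends on writable filesystems. noexec alone
# does not stop "perl file" or "ld.so file", so treat a clean result as one
# layer, not as proof that untrusted code cannot run.

# Constructed sample table in /proc/mounts format (dev dir fstype opts ...)
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext3 rw,relatime,noexec,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext3 rw,noexec 0 0'

WANT_OPTS="noexec nosuid nodev"            # assumption: what we want on each
WATCH_DIRS="/tmp /var/tmp /dev/shm /home"  # assumption: writable by users

# has_opt OPTS OPT: succeed if OPT is one of the comma-separated options
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# mount_opts TABLE DIR: print the option field of the last entry for DIR
# (a later mount on the same path shadows an earlier one, so last wins)
mount_opts() {
    printf '%s\n' "$1" | awk -v dir="$2" '$2 == dir { opts = $4 } END { print opts }'
}

# mount_audit TABLE: print "MISSING dir opt" per absent option and "UNMOUNTED dir"
# per watched dir that is not its own mount; return 1 if anything was printed
mount_audit() {
    table=$1
    findings=0
    for dir in $WATCH_DIRS; do
        opts=$(mount_opts "$table" "$dir")
        if [ -z "$opts" ]; then
            echo "UNMOUNTED $dir (inherits the parent filesystem's options)"
            findings=$((findings + 1))
            continue
        fi
        for opt in $WANT_OPTS; do
            if ! has_opt "$opts" "$opt"; then
                echo "MISSING $dir $opt"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

mount_audit "$SAMPLE_MOUNTS" && echo "ok: all watched mounts carry $WANT_OPTS"
```

On a live box, `mount_audit "$(cat /proc/mounts)"` gives the same report for the real table; in the sample, /home is the only watched directory that passes, /tmp is missing all three options, and /var/tmp has noexec but nothing to stop a setuid binary or a device node being dropped there.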