Slashdot Mirror


Red Hat, Fedora Servers Compromised

An anonymous reader writes "In an email sent to the fedora-announce mailing list, it has been revealed that both Fedora and Red Hat servers have been compromised. As a result Fedora is changing their package signing key. Red Hat has released a security advisory and a script to detect potentially compromised openssh packages."

10 of 278 comments

  1. Nothing to see here. by Art Popp · · Score: 5, Insightful

    These are the guys, to the annoyance of nearly everyone, who turned on SELinux on Fedora Core by default.

    These are the guys who noticed they annoyed everyone, and turned on targeted-mode by default.

    Coming from someone with many systems, completely exposed to the Internet, with thousand-day uptimes, these Red Hat folk are in fact sufficiently paranoid.

    They have taken all the reasonable precautions, and if their passphrase was strong, then the danger of my servers being compromised by meteor strike is a much greater worry.

    1. Re:Nothing to see here. by Chang · · Score: 5, Insightful

      Red Hat needs to offer more info before you can make a solid judgement about this.

      If the attacker gained access to the actual system where signing takes place then Red Hat needs to change the key.

      But from the announcement wording - they are suggesting that the attacker was able to submit packages to be signed but the actual signing server was not compromised.

      They should not have been so vague about this because it is a crucial distinction to make for their customers to make a security judgement.

      As a customer I'm not happy with the vague details on what was compromised. I'm sure they did it because they have concerns about describing their package signing systems in detail but they need to open the kimono and give us the detail we need to make a decision about reloading our systems.

      Merely saying, "trust us - anything that came from the official channel is safe" doesn't fly. You let an attacker gain unauthorized access - you need to re-earn trust at this point by giving us some detailed info.

    2. Re:Nothing to see here. by calmond · · Score: 5, Interesting

      What surprises me about this the most is that the system was connected to the network/Internet at all. I had always been of the understanding that to prevent this, the signing server was a stand-alone system accessible only by sneaker-net with physical media. You take your package on CD/DVD/USB key to the server, sign it, then take the signed package back via physical media and distribute it. One Federal Gov't agency in my home town does this and the server is behind three locked doors too, with three different people needed to get physical access. Why didn't Red Hat/Fedora do something like this? It really isn't that much of a pain in the ass when you think about it...

    3. Re:Nothing to see here. by Anonymous Coward · · Score: 5, Informative

      In the Redhat announcement, we can infer the passphrase and signing key were compromised, because the attacker signed invalid openssh packages.

      Incorrect. The signing key used by Red Hat is inside a hardware security token.

      So even though it was possible to use the token to sign packages, as soon as access to the token has been removed for the intruder, he is unable to sign any more packages.

      Mark Cox of the Red Hat security team explained this setup in a blog post some time ago at http://www.awe.com/mark/blog/200701300906.html.

    4. Re:Nothing to see here. by Timothy Brownawell · · Score: 5, Insightful

      How well does that work if you can trick someone into loading the wrong package onto that USB key?

  2. Do they run linux? by mulvane · · Score: 5, Funny

    They should have run a secure OS like Vista.

    1. Re:Do they run linux? by GXTi · · Score: 5, Funny

      Don't worry, whatever this "linux" thing is, it can't possibly run without an Operating System to support it, e.g. Microsoft Windows®. All applications require an Operating System to run, including "linux".

  3. Goes to show by BadAnalogyGuy · · Score: 5, Insightful

    Given enough time and energy, even Linux servers can be hacked.

    With the growing interest in Linux, I wonder if we'll see more parity of viruses between Windows and Linux.

    1. Re:Goes to show by Goaway · · Score: 5, Insightful

      The point is, there's no need to change system files or bind to privileged ports.

      Your documents contain LOTS of yummy personal information for people to steal. Identity thieves and credit card thieves will love all that stuff.

      Spammers need relays to send their spam through. You can run a relay just fine as a normal user. Same thing with the DDoS bot for extortionists and script kiddies.

      You can mess with the internals of Firefox without root access too, through plugins. Easy to put a password stealer in there. Or you could mess with your desktop settings so that when you try to launch a browser, you get a compromised version instead.

      I'd say I've covered all the major reasons somebody would want to infect your machine here, and not a single system file or privileged port was needed for it.

  4. "Compromised?" by Hyppy · · Score: 5, Insightful

    I could not RTFA (/.ed), but is there any indication of how this "compromise" occurred?

    My hat's off, though, to the Red Hat folks. Full disclosure and immediate positive action speak volumes.

    On a related note, you should not use Fedora in a production environment anyway. That's what RHEL is for. Fedora = Testing. RHEL = Stable. At least in theory.