Kernel.org Compromised

First time accepted submitter JoeF writes "There is a note posted on the main kernel.org page indicating that kernel.org was compromised earlier this month: 'Earlier this month, a number of servers in the kernel.org infrastructure were compromised. We discovered this August 28th. While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the kernel.org infrastructure.' The note goes on to say that it is unlikely to have affected the source code repositories, due to the nature of git."

Wishful thinking

[Mensa+Babe]

"[I]t is unlikely to have affected the source code repositories, due to the nature of git" [emphasis added] Yeah, because no one has ever downloaded the kernel any other way than by making a local fork of the git repository. No one has ever used the http, ftp and rsync links on the kernel.org website, or clicked the "Latest Stable Kernel" icon on that very website, right? Also remember that the mirrors don't mirror the git repositories but the http/ftp archives from kernel.org servers, the very same servers that has been compromised. The kernel.org home page encourages visitors to use those mirrors so it is not unreasonable to assume that some people do in fact use them. How many of them could have downloaded a compromised kernel? How many of them could be using it as we speak? Seriously people, this is big. I really mean totally freaking big. Thanks to the open source nature of the kernel it is trivial to add a rootkit and make a new tarball. If the attackers were worth their salt then they should do exactly that.

Re:Wishful thinking

And seriously, why else would you hack kernel.org?

Re:Wishful thinking

[X0563511]

Are you stupid?

The files are in a git repository. That's what matters, not what you wrap around it to provide for requests. Anyone who happened to have a local git copy will notice VERY QUICKLY what changed when they try to commit... and I'd venture to say that nearly all of the kernel developers Who Matter use git for their development workflow.

Re:Wishful thinking

[Manfre]

If the attackers were worth their salt, after gaining access they would drop in their own custom replacements for patch, make and gcc. For such a large code base, it is not easy to tell if the code going in is yielding the expected instructions.

Re:Wishful thinking

[bzipitidoo]

You know what? Linux users will go right on using plain Linux. Not SE Linux, not OpenBSD, and certainly not Windows. We're not even going to change our root passwords. Why? Because this security breach is not that big a deal.

Yes, it is embarrassing for kernel.org, but the damage is not that great. Sure, we'd all like to prevent security breaches from ever happening in the first place, but I have always thought detection and recovery is more important than prevention. Kernel.org has that covered in spades. Keep backups. Keep many backups. Keep them in many different locations. A distributed source code revision control system such as git does that automatically. Whoever did this wasn't too smart if they were seriously trying to inject a backdoor into the Linux kernel. Now they've blown their cover. They can't have seriously expected the code modifications they tried to go unnoticed for long, unless they have no idea how large projects handle source code. So either they were dumb, or all they were trying to do was embarrass Linux.

Re:Wishful thinking

[nabsltd]

If the attackers were worth their salt, after gaining access they would drop in their own custom replacements for patch, make and gcc.

Since patch, make, and gcc are all GNU tools and not part of the Linux kernel, the only harm would be to the single copy on the kernel.org machine. If that machine isn't part of the build process (i.e., if it was merely a file repository), then nothing would be compromised.

It would also be pretty easy to see because builds from other machines wouldn't match.

Re:Wishful thinking

[msauve]

"why else would you hack kernel.org?"

1337 points.

Re:Wishful thinking

[phantomfive]

It would also be pretty easy to see because builds from other machines wouldn't match.

Would it? I'm wondering because in all my life, downloading and compiling stuff, I've never compared a binary with one compiled on a different machine to see if it matched. Maybe someone would, which is why I am asking. Are there people who commonly do that? Why?

Re:Wishful thinking

[You're+All+Wrong]

What complete bollocks.

"Thanks to the open source nature of the kernel it is trivial to add a rootkit and make a new tarball."
But you've not "added a rootkit". All you've done is make a new tarball with an added rootkit. The *actual* linux source, the git repository, which due to the nature of git is cryptographically signed and distributed/mirrored on thousands of machines round the world, remains completely untouched. And were it to be touched, every other mirror of it would immediately know about the change.

This is tiny, not big. I say that as someone who _regularly_ downloads the kernel. (Three times today, for example, but that's exceptional.)

You're scaremongering, that's all.

Oops

[drolli]

This is bad. Would the same thing happen to MS i dont think /.ers would skip the possibility to bash them.

Re:Oops

[jrbrtsn]

If the same thing happened to Microsoft, Microsoft wouldn't let anybody know.

Re:Oops

[MaxBooger]

This is bad. Would the same thing happen to MS i dont think /.ers would skip the possibility to bash them.

Nah. They wouldn't bash them. cmd them, maybe. But not bash them.

Re:Oops

[Sarten-X]

...but you can't always chmod the same way you create. I can upload a nice "text file" to a web server, and it's going to sit as a text file forever, regardless of extension.

Re:Oops

Get back to me when Windows separates execute permission from the filename extension.

I sent you that e-mail 15 years ago. You should check your spam filter.

Re:Oops

[realityimpaired]

But more seriously, the fact of the matter is, most of the tripe spewed against Microsoft hasn't been true since the pre-XP era. This combines with idiots who don't comprehend what security actually is, and buy into the, "LINUX IS TOTALLY SECURE! LOLZ!" crap.

Ok... I'll bite.... I will concede that Windows is a lot more secure than some folks will have you believe, but there is still one glaringly huge security flaw in Windows that would be ridiculously easy for Microsoft to fix: the accounts created during install time are all administrative accounts.

To its credit, Windows will allow you to change those accounts to non-administrative, and it will give you the option of creating non-administrative accounts when you later go in to the user cp, but by default, it still makes everybody an administrator unless explicitly told not to.

Now... the fundamentals of securing a Windows system are exactly the same as the fundamentals of securing a Linux system: don't run any unnecessary daemons, particularly daemons that listen to outside connections, and be careful what you allow to run on your computer. When possible, run anything that executes arbitrary code (like, say, Flash or Silverlight) sandboxed, or not at all. And above all, apply all security updates as soon as they're available. (well, assuming your source of security patches didn't get compromised....)

It's not hard to lock down a Windows system, and all of the above has been doable since NT3.1 in 1993. But as long as its default setting is for users to have administrative access, and it doesn't require any kind of secondary authentication to run programs with elevated permissions (and don't get me started on the debacle that is UAC), then Windows is *not* as secure as most Linux distros. The average user is simply not going to go out of their way to lock down a system once they have gone through the initial setup, and with that in mind, Windows is defective by design. It's in the name of usability, which is certainly understandable, but don't paint it with rose coloured glasses: you can achieve the same level of security under Windows, but you have to do more to reach it.

Re:Oops

[GameboyRMH]

By default, precisely dick. If you Windows guys get to pretend that NTFS execute permissions are commonly used, we Linux guys get to pretend that people commonly set /home and /tmp noexec and use SELinux. Deal?

Re:Oops

[fluffy99]

Hey buddy, 1995 called, they wanted their antiquated filesystems back. NTFS has supported seperate "execute" permissions since its inception, I believe. In fact, call me when ext3 seperates its "write" permission from its "change permissions / take ownership" permission.

True, the NTFS filesystem supports finer grained permissions and some features that are simply not used or exposed in windows. Generally read/execute are grouped together and trying to set them differently often breaks things. The usual case for windows is that if you can read the file, you can execute it.

Linux has a great mounting option called noexec, which is very handy to apply to the home partition. Ext3 has some extensions to provide finer grained permissions and features (eg chattr), but it's not implemented consistently across all the flavors and rarely used in my experience. Most systems I see are still dorking around with the simplistic user-group-world permissions.

Re:Oops

[LordLimecat]

Again, it doesn't bloody matter because that doesn't fucking happen in reality.

BZZZZT Wrong again.

By default downloaded content-- I believe all of it-- is marked with an ADS flag, and requires approval before launching.

Additionally, I DO have a number of clients where I have restricted where executable content can come from, and I did it in about 5 minutes without having to dick around with chmods, or scripting chmods, or figuring out how to prevent them from changing the acl while still having write access to the file.

See, in EXT3, unless im mistaken, you cannot give a user write access or ownership to a file and still prevent them from executing the content-- they can just chmod a+x the file. Thats not the case in windows.

So you should really just simmer down and stop displaying your ignorance.

Re:Oops

[shutdown+-p+now]

They aren't truly administrative (so long as you have UAC enabled) - they're more like normal user accounts that can sudo to root by providing their own password (rather than root's password) - not unlike Ubuntu. The default UAC setting skips the password, but that's because the whole point of inputting it is to prevent a malicious process from programmatically elevating on user's behalf - and UAC has a different way of handling that.

Re:Oops

[benjymouse]

So I have to run AD locally to be able to disallow users to run arbitrary files? Brilliant! Let's f** home users, like we care.

No, that is what Local Security Policy is for. When in a domain, domain GPO takes preference if there are conflicts. But as a home user you can simply use the LSP.

Re:How did they hack it?

[gchaix]

The post on kernel.org states that it was possibly due to a compromised user account. They stated that they discovered it through some errors related to Xnest /dev/mem and that they captured some of the exploit code. I believe they're still looking at everything to figure how how the intruders got in and what they touched.

Kudos to the kernel.org team for their prompt action and immediate disclosure.

Re:Whoops!

[X0563511]

Not really. Try reading the summary all the way through.

he's talking about tarballs

[bill_mcgonigle]

The files are in a git repository. That's what matters, not what you wrap around it to provide for requests.

So http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.0.4.tar.bz2 gets pulled dynamically from git?

the kernel developers Who Matter

Are you saying users don't?

Re:he's talking about tarballs

%Y-%m-%d please! Americans...

Re:he's talking about tarballs

[nneonneo]

Need I point out that %Y-%m-%d sorts properly, whereas %m-%d-%Y does not? When's the last time you needed releases sorted by month but not year?

Re:he's talking about tarballs

Apart from the argument that YMD sorts it is also unambiguous. The first 12 days of each month can also be interpreted as month numbers. There are DMY countries and MDY countries. Can you always be sure which convention is being used? There are no YDM countries, so YMD is unambiguous.

Re:How did they hack it?

[recoiledsnake]

The post on kernel.org states that it was possibly due to a compromised user account. They stated that they discovered it through some errors related to Xnest /dev/mem and that they captured some of the exploit code. I believe they're still looking at everything to figure how how the intruders got in and what they touched.

Kudos to the kernel.org team for their prompt action and immediate disclosure.

How did the so called user account compromise result in root access? Care to explain?

You don't git it

Also remember that the mirrors don't mirror the git repositories but the http/ftp archives from kernel.org servers, the very same servers that has been compromised. The kernel.org home page encourages visitors to use those mirrors so it is not unreasonable to assume that some people do in fact use them.

Not need to panic. Yet. Most users don't download their kernels from kernel.org. This is a fact. Most users download via the package repositories of their favorite Linux distro, say Ubuntu or Arch. And the kernel maintainers of most distros worth their salt don't use http or ftp to download a fresh copy of the kernel every time Linux decides to update it. They use git.

You are spreading FUD. Sure, it's a serious issue. But not the way you think it is. If the exploit was done through a hole in the kernel, then, and only then, is this a "seriously" "freaking big" issue. If it was done through the usual social engineering channels, then, well, I guess we need a brain patch not a kernel patch. There's simply no fix for that.

Re:Linux isn't secure

[networkBoy]

> [ 71.610908] ModPointEnabledAccount[4485]: segfault at 7f51210dfaa8 ip 000000000040c544 sp 00007fffdadb5970 error 6 in .logicParser[400000+15000]

Re:How did they hack it?

[inode_buddha]

H.P.A. has commit privs and his work laptop was trojanned. That's how. Am I the only one who reads and understands the original e-mails from the admin?

Re:Whoops!

[realityimpaired]

Better question is... what part don't you understand? They think that the source is unaffected, but have not verified that yet. There is a chance, however small, that the source has been affected by this compromise, which is scary news for anybody who's built/updated a new kernel from source since the breech happened.

Re:How did they hack it?

[rubycodez]

I know some open source os/kernel take a fanatical devotion to ensuring their code contains no possibility of "privilege escalation", and some linux users and developers make fun of them.

I love linux, for a desktop and for back end servers. but for all else I use another OS

Re:Whoops!

[Dunbal]

What's to stop an attacker from packaging a patched source and putting it in the place where most of the rolling release distributions are actually pulling it from?

git, and the SHA-1 keys.

YMD sorts

[perpenso]

Yeah, like I need to be reminded what year it is on a daily basis.

Actually YMD is useful because it sorts.

Re:How did they hack it?

You have time to lookup the slackware documentation, but not read TFA?

"Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed."

Re:Whoops!

[jo_ham]

Here's a can of food for you to eat.

I am in the process of verifying if it has been tampered with, but I'm not 100% certain. It's probably ok.

Why aren't you eating it?

Re:Whoops!

[Runaway1956]

But, most neanderthals can't even spell git, or SHA-1. There's no need to relieve their worries - just let them fret. That's the most exercise - mental or otherwise - that many of them will ever get.

This intrusion could be a good thing, all things considered. Maybe it will scare the morons away from using Unix-like kernels, and send them mewling back into the arms of Microsoft. It would be nice to see the "Year of the Linux Desktop", but face it. For that to happen, we'll have to welcome millions of idiots into the Linux world! *shudder*

Re:How did they hack it?

[fluffy99]

http://slackware.osuosl.org/slackware-13.37/slackware/x/xorg-server-xnest-1.9.5-i486-1.txt

Xnest is an experimental nested server for X

why is anything related to X running on a server used for source control and such things?

especially because the X server executable is usually setuid root. seems to me that is asking for trouble.

and - why would anybody run experimental software on such an important server.

I guess you didn't bother to read the article.

"Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; have been seen on other systems. It is unclear if systems that exhibit this message are susceptible, compromised or not. If developers see this, and you don't have Xnest installed, please investigate."

Re:How did they hack it?

[synthespian]

Maybe he ought to use a laptop with OpenBSD, you think?

Highly unlikely the code was compromised

[seifried]

Here's a hint: the developers use git, which identifies all commits by their SHA1 value, so changing the contents of a commit will cause the SHA1 sum to mismatch which would cause git to howl and complain. So they then build a tarball and upload it to the server. They also upload signatures:

patch-3.0.4.bz2 29-Aug-2011 20:57 94K
patch-3.0.4.bz2.sign 29-Aug-2011 20:57 249
patch-3.0.4.gz 29-Aug-2011 20:57 107K
patch-3.0.4.gz.sign 29-Aug-2011 20:57 249
patch-3.0.4.sign 29-Aug-2011 20:57 249

So unless they manage to compromise the Kernel signing key any changes would be immediately noticeable (assuming people check the signatures, which they do).

Re:Highly unlikely the code was compromised

[Octoploid]

The private signing key + passphrase are normally present on hera. So all tarball signatures could be compromised.

Re:Whoops!

[kdemetter]

It depends. To check the signature , you need the signature, and a public key to verify it.

All an attacker has to do is use his own private key to sign the file , and then replace the public key with his own.
Then it would be verifying just fine.

Offcourse, if you have the public key ( rather than getting it from the site ) , you will know something is wrong.

It's about the commit

[dutchwhizzman]

Imagine the following scenario:
You Download source code from a tarball at kernel.org. You develop against that. You commit to git. You change only 3 files and git tells you there are 20 files changed. This is when you realize that somehow, the tarball differs in 17 files from the git repository.

How many developers actually develop against a freshly downloaded tarball off ftp/http kernel.org mirror, in stead of a checkout/sync from the clean git branch? Because only the ones that do, and also have commit rights to git, would notice.

Re:How did they hack it?

Intel pays him to work on operating systems that people actually use.

Re:Just so nobody is confused, this post ^^^ is wr

[benjymouse]

Second: On Windows it's really hard to disallow users to run any programs but the ones in C:\Windows and C:\Program Files while it's trivially easy in UNIX-like systems.

Ahem.

Start | Administrative tools | Local Security Policy | Software Restriction Policies | New Software Restriction Policy

Was that hard? Btw, an administrator can configure this in a group policy and apply it to select users, groups, computer sets etc. The above was a local policy.

Now you have a policy which by default allows only programs to execute from "program files" and "windows"

You can configure much more, like e.g. whether executables on a given path should be allowed to execute with admin privileges, certificate policies, hash based rules etc.

Re:How did they hack it?

[Raenex]

Am I the only one who reads and understands the original e-mails from the admin?

Are you? "Intruders gained root access on the server Hera. We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated. "

Re:How did they hack it?

[You're+All+Wrong]

Not at all, because it's false.

That log line is not of a kernel crash (we call them 'oops'es, or 'panic's), merely the kernel reporting on a userspace task (Xnest, with process ID 4485) crashing with a segfault (trying to access an invalid/protected address).

Re:How did they hack it?

[You're+All+Wrong]

Answering self - theregister.co.uk has a link to the emails
http://pastebin.com/BKcmMd47

Please educate yourself on Windows

[benjymouse]

Doesn't fucking matter, because theory is not practice.

Windows assigns execute permission based on the last 3 letters by default. It's up to the administrator to change this behavior, which hardly ever happens.

In the world of real computers, execute bits are *completely independent* of the name.

Oh please.

The .exe association is merely a convenience, not a security mechanism which "assigns execute permission" as you put it. It is equivalent to how Linux will attempt to run *anything* when you type the name or double-click it. It is a launching mechanism, not a security mechanism.

Yes, Linux has the x bit. Guess what, Windows ACLs has the Traverse/Execute permission. Remove that permission or set up a deny rule and you will not be able to execute that file or files in that directory. Want to ensure that network shares cannot be used to host executables? Set the permissions on the share to deny execute to everyone and set it to inherit.

Windows has your beloved execute permission. And unlike in Linux you can set up deny rules or allow multiple principals (multiple groups and/or users). Most of us just want it to follow the read permission, because it would never be a security boundary anyway.

And then you completely ignore - no strike that - you try to completely dismiss a very cool security feature in Windows (and OS X): Origin based execution policies. You try to dismiss it because it doesn't look like your x bit. But the fact remains that it works for users: Files downloaded from the internet (through a browser or some other agent) are tainted with the "Internet zone". Files copied from network shares are tainted with "Local intranet zone". And you can set up execution policies to deny or allow execution of such files.

forgot proper thing for sloccount data publishing

[rubycodez]

from the output:

Please credit this data as "generated using David A. Wheeler's 'SLOCCount'."