Red Hat, Fedora Servers Compromised

An anonymous reader writes "In an email sent to the fedora-announce mailing list, it has been revealed that both Fedora and Red Hat servers have been compromised. As a result Fedora is changing their package signing key. Red Hat has released a security advisory and a script to detect potentially compromised openssh packages."

Nothing to see here.

[Art Popp]

These are the guys, to the annoyance of nearly everyone, who turned on SELinux on Fedora Core by default.

These are the guys who noticed they annoyed everyone, and turned on targeted-mode by default.

Coming from someone with many systems, completely exposed to the Internet, with thousand day uptimes, these RedHat folk are in fact sufficiently paranoid.

They have taken all the reasonable precautions, and if their passphrase was strong, then the danger of my servers being compromised by meteor strike is a much greater worry.

Goes to show

[BadAnalogyGuy]

Given enough time and energy, even Linux servers can be hacked.

With the growing interest in Linux, I wonder if we'll see more parity of viruses between Windows and Linux.

Re:Goes to show

[dword]

Not unless Linux gains 50+% of the end-user market share.

Re:Goes to show

[illumin8]

Given enough time and energy, even Linux servers can be hacked.

With the growing interest in Linux, I wonder if we'll see more parity of viruses between Windows and Linux.

It also goes to show that the human side is usually where compromises come in to play. Most likely some admin had a weak password that was hacked, and that admin had permission to signing packages or things he should not have had.

I don't care how secure your OS is. If you don't follow proper security procedures, including using strong passwords and giving users only the permissions they need to do their job, you will be hacked.

Re:Goes to show

[TorKlingberg]

The virus can install itself in the user home directory instead.

"Compromised?"

[Hyppy]

I could not RTFA (/.ed), but is there any indication of how this "compromise" occurred?

My hats off, though, to the Red Hat folks. Full disclosure and immediate positive action speaks volumes.

On a related note, you should not use Fedora in a production environment anyway. That's what RHEL is for. Fedora = Testing. RHEL = Stable. At least in theory.

Re:Goes to show

[jambox]

A keylogger wouldn't need root access. All it has to do is monitor the keyboard and send out packets. I'm sure there are more examples.

Re:Nothing to see here.

[Chang]

Red Hat needs to offer more info before you can make a solid judgement about this.

If the attacker gained access to the actual system where signing takes place then Red Hat needs to change the key.

But from the announcement wording - they are suggesting that the attacker was able to submit packages to be signed but the actual signing server was not compromised.

They should not have been so vague about this because it is a crucial distinction to make for their customer to make a security judgement.

As a customer I'm not happy with the vague details on what was compromised. I'm sure they did it because they have concerns about describing their package signing systems in detail but they need to open the kimono and give us the detail we need to make a decision about reloading our systems.

Merely saying, "trust us - anything that came from the official channel is safe" doesn't fly. You let an attacker gain unauthorized access - you need to re-earn trust at this point by giving us some detailed info.

Re:Nothing to see here.

[JustKidding]

Yes, that is what surprised me, too. However, I'd think they would know what they are doing, and are acting in good faith, because they could have tried to keep the whole incident secret instead.

I don't see why an attacker would sign the packages one that server, instead of just taking the key and signing them elsewhere. Because of this, Red Hat now has the signatures of the tampered OpenSSH packages. If the attacker had signed them elsewhere, they wouldn't, making the packages more valuable.

Is there a technical reason for this?

Also, I assume this means any historic packages, signed with the old key, not already in your possession at the time of the intrusion cannot be trusted. With this I mean any old versions of packages downloaded after the time the attacker got his hands on the passphrase.

Re:Goes to show

[Goaway]

The point is, there's no need to change system files or bind to privileged ports.

Your documents contains LOTS of yummy personal information for people to steal. Identity thieves and credit card thieves will love all that stuff.

Spammers need relays to send their spam through. You can run a relay just fine as a normal user. Same thing with the DDoS bot for exortotionists and script kiddies.

You can mess with the internals of Firefox without root access too, through plugins. Easy to put a password stealer in there. Or you could mess with your desktop settings so that when you try to launch a browser, you get a compromised version instead.

I'd say I've covered all the major reasons somebody would want to infect your machine here, and not a single system file or privileged port was needed for it.

Re:Goes to show

[__aamnbm3774]

No, you are wrong, and this is the mindset that scares me in the computing world.

If a custom box running JoeOS contains something extremely financially valuable, you can bet people will start trying to hack it.

Security through Obscurity is not only wrong, but terrifying that people buy into the concept.

Re:Goes to show

[Shados]

Thats correct. And as much as there are many issues with Windows security that -could- be exploited, usually, even there, the human side is easier to exploit... So those "skills" are portable... Will be interesting to see how the ecosystem reacts when it starts happening more and more... technological fixes won't do...

Re:Nothing to see here.

[Anonymous Coward]

Coming from someone with many systems, completely exposed to the Internet, with thousand day uptimes, these RedHat folk are in fact sufficiently paranoid.

Ummm, I'm quite curious, how do you keep your system up for 3 years? Do you not update your kernel? Or is there some way to update a running kernel without rebooting that I don't know about...

Re:"Compromised?"

[pembo13]

In all fairness, and not to paint them in a bad light. The sequence was more like immediate action, and then full disclosure. But I got the feeling that the delay was due to some legal issues.

Re:Goes to show

[Alwin Henseler]

Given enough time and energy, practically any network-connected system can be hacked. That is because security is *hard*, and there are few people who have the means to create chains that contain only strong links, and put those strong chains in the hands of a big audience.

But given workable tools, I think security comes down more to procedures, and a competent sysadmin than anything else. I'd put more faith in a well-managed Windows server than a Linux server with an idiot as admin. With all factors equal, I'd put more faith in a Unix-like system than anything coming from Redmond. For starters, because Unix systems (and clones) were built from the ground up as networked, multi-user systems.

Not Time for A Distro War

[Bob9113]

Pretty sure most of us are above this anyway, but let's avoid a distro flamewar. You can look through my past comments and see that RH is far from my preferred distro, and I love to take shots at them. But now is not the time. Anyone can get hacked, and it sucks. And they're being responsible about reporting and mitigating.

Godspeed, gentlemen.

Re:Goes to show

[coryking]

The virus can install itself in the user home directory instead.

And then use one of the many local exploits to get root.

The most scary and amusing thing is how quick some people on this site and others are to dismiss local exploits. They all think "you have to be on the console, so fuck it, this isn't important and doesn't affect me". They are wrong. These days, a remote exploit is just a human operator and a local exploit.

Re:Goes to show

[Goaway]

So cleanup is easier. But the damage may already be done, as criminals may now have your passwords, your credit card numbers, and your personal information. Plus you were probably sending spam up until the moment you noticed the infection.

Re:Nothing to see here.

[Anonymous Coward]

I suppose it's a matter of what you want to be secure against.

My servers are not a place where a sane person would store classified documents. I wouldn't even put sensitive documents there. But if you're looking for the "Golden Lock" it doesn't exist. Good security is about keeping the important stuff out of the hands of the bad people, not about making the perfectly invulnerable server. This is why firewalls and DMZs and SELinux are good things. And in fact, for our needs: Good enough.

I do not in any way want to dismiss the pursuit of perfection, any more than a physicist would dismiss the value of mathematics. Sometimes a risk, painstakingly calculated to 10 decimal places of accuracy is still, "Small enough."

Re:Nothing to see here.

[Timothy Brownawell]

How well does that work if you can trick someone into loading the wrong package onto that USB key?

Uhm... How?

[X.25]

I really only care to know HOW the attacker got in.

Basically, if he used unknown 0-day and RH/Fedora have no idea what he exploited, then they should say so, so people can watch out.

If he stole username/password from someone dumb - say so.

If he walked into the hosting center, say so.

I REALLY want to how know he compromised their server(s).

I might be next v0v

Re:Goes to show

[drsmithy]

Like change system files? Nope. How about bind to privileged ports? Nope.

It can send spam, participate in DDoS attacks, act as a repository for kiddy porn, or just wait to take advantage of the next 0-day local privilege exploit.

In short, lack of root-level access is a minor annoyance to malware, not a critical problem.

So... it can mess up my documents? Darn.

Yes. It can mess what are most likely the most important and least-replaceable data on your machine. This doesn't bother you ?

Re:Goes to show

[Kjella]

Not if you don't have access to the firewall settings which will open the port that allows someone to connect to your relay.

Unless you happen to run one of the desktop distros which usually have a default policy of ACCEPT.

Of course, the "only works for one user" argument is better if presented in reverse. If your less-computer-literate kid/spouse/parent can't accidentally run code that (...)

Read all my documents through the world-readable home folders? Another convienience feature.

My experience is that people don't keep the accounts truly separate, that's just for convienience. "Hey, can I just check my webmail for a sec?" "Sure" and your email's compromised.

Furthermore, you'll be in a position to be able to clean their account up for them without having to wipe and reinstall the whole machine

in theory. In practise, I expect the malware authors to find so many ways of hiding (or just when you "rescue" his documents) that it won't practicly happen. Least not without someone more experienced than the average guy.

Re:OpenSSH bug?

[Anonymous Coward]

Is this bug in OpenSSH related to the one that was found in Debian-related distros back about April?

Listen, I would appreciate if you would stop calling it an 'OpenSSH bug'. OpenBSD guys had nothing to do with it. It was a GNU/Debian bug, introduced by a clueless Debian Linux developer.

Thanks.

Re:Goes to show

[Goaway]

Not if you don't have access to the firewall settings which will open the port that allows someone to connect to your relay.

The program can just make the initial connection to the spammer server itself. This is the same on Windows and Linux, and these programs operate just fine under Windows.

Yes, but without access to the system FF folder, that plugin will go in your per-user plugin directory, and will only run for you.

How many computers do you honestly think there are out there that have more than a single user?

Documens vs system files

[SEMW]

Like change system files? Nope. ... So... it can mess up my documents? Darn.

Oh, good. My life's work is reconstructable in a mere few decades; wheras if it damages system files, a reinstall could take up to half an hour!

Re:Nothing to see here.

[moderatorrater]

You're missing the most interesting possibility in my mind: employee sabotage. Why should open source be immune to a bad apple attempting to subvert the system for their own gain? A mid-level employee signs a package and distributes it, a customer running a rootkit checker or clamav on their system notices that the copy they have is suspicious, reports it, and suddenly you have a situation where the key itself may or may not be compromised and some checking needs to be done everywhere.

Re:Goes to show

[blhack]

I think the parent is talking more about general viruses that are just sent out into the tubes with the intent of auto-rooting insecure boxen.

What you're saying is true "Any system with something desirable on it is at risk of getting wHacked", but one system with important information on it is not going to spawn a breed of viri meant to just root ALL of the boxes with that OS.

Re:roughly 30 kernel 0dayz circulating

[Anonymous Coward]

No you can't. Unless you provide solid proof, you're not confirming anything (as "Anonymous Coward" is not a known source of reliable information).