Zero Day

Red Hat (belatedly) confirms security breach

Posted in:

Arbitrary Code Execution
Browsers
Complex Attacks
Data theft
Exploit code
Hackers
Malware
Open source
Passwords
Patch Watch
Pen testing
Responsible disclosure
Vulnerability research
Zero-day attacks

More than a week after a cryptic note hinted at a security breach at Fedora, the open-source group has finally fessed up to two separate server intrusions that compromised the security of Red Hat's OpenSSH packages. The confirmation follows eight days of media speculation and conjecture over a brief e-mail that simply mentioned "an issue in the infrastructure systems" and calls into question Red Hat's ability to promptly -- and accurately -- disclose security breaches. Today's acknowledgment is two-fold -- an e-mail on the Fedora-Announce list and a critical Red Hat advisory -- but some things surrounding the breach remain murky. In the e-mail announcement, the group said some it discovered the breach "last week" but there's no mention of when it actually occurred. It said that one of the Fedora servers was a system used for signing Fedora packages but insists with "high confidence" that the intruder was not able to capture the passphrase used to secure the Fedora package signing key.

Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.
While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

In tandem with that announcement, Red Hat shipped a critical OpenSSH update to RHEL users that mentions an "an intrusion on certain computer system" that compromised some Open SSH packages.

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html.

The company said its processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk. The company insists the effects of the intrusion on Fedora and Red Hat are not the same.

Accordingly, the Fedora package signing key is not connected to, and is different from, the one used to sign Red Hat Enterprise Linux packages. Furthermore, the Fedora package signing key is also not connected to, and is different from, the one used to sign community Extra Packages for Enterprise Linux (EPEL) packages.

posted by Ryan Naraine
August 22, 2008 @ 11:34 am

Previous Post: Typosquatting the U.S presidential election - a security risk?
Next Post: Hundreds of Dutch web sites hacked by Islamic hackers

Last 10 posts:

Opera patches 'extremely severe' security hole (11-23)
Exploit published for critical IE 7 zero-day flaw (11-23)
Inside the Google Chrome OS security model (11-19)
Microsoft finds security hole in Google Chrome Frame (11-19)
Mozilla locks out rogue Firefox add-ons (11-18)
Thousands of web sites compromised, redirect to scareware (11-17)
Microsoft confirms 'detailed' Windows 7 exploit (11-16)
Man-in-the-middle attacks demoed on 4 smartphones (11-13)
Microsoft bracing for malware attacks from embedded fonts (11-12)
Apple Safari exposes Windows to drive-by download attacks (11-11)