On August 14, an attacker, whether an individual or a group, targeted and infiltrated the servers used by Red Hat and the Fedora Project to manage their respective Linux distributions.
Red Hat and Fedora suffered server intrusions, yet waited to report them. Why?
However, the scope and details of the breach are mostly unknown, as Red Hat isn’t talking. What is known is that one of the compromised Fedora servers was used to sign Fedora packages, and that, according to Red Hat, the intruder was able to sign a small number of OpenSSH packages on its side as well.
While the intrusion into the Fedora and Red Hat systems was detected and mitigated, the $10,000 USD question is why the disclosure was held back for so long.
On August 14, Paul W. Frields sent an announcement to the fedora-announce-list, in which he said in part:
“The Fedora Infrastructure team is currently investigating an issue in the infrastructure systems. That process may result in service outages, for which we apologize in advance.”
Eight days later, on August 22, Frields followed up by saying:
“Last week we discovered that some Fedora servers were illegally accessed. The intrusion into the servers was quickly discovered, and the servers were taken offline.”
The problem that some security professionals have is that the “issue in the infrastructure systems” turned out to be “some Fedora servers” that had been outright compromised.
On the same day, Red Hat Inc. issued a security advisory about the same intrusion, and it was that advisory that made clear what the Fedora infrastructure issue really was.
“Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action… In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only),” the advisory said.
Security issues need to be crystal clear and up front. Posting a message that says something like “...there is a security-related infrastructure issue, we are looking into it, and will give you more details as soon as we have them along with facts and evidence...” would have been great.
Yes, some would have had issues with a message like that, but the point is that “infrastructure issue” could mean anything from hardware issues, line issues, policy issues, routing issues or Network Operations problems, whereas “security-related issue” leaves no doubt about what is meant.
The good news is that Fedora and Red Hat are both confident that there was no lasting damage.
“One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers,” Paul W. Frields wrote in his August 22 e-mail.
As an extra precaution, “...because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys,” he added.
Red Hat is likewise playing it safe: “As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them...”
This list is available here. “...we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk,” Red Hat added in its announcement.
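The two mitigations quoted above, a published list of tampered packages and a switch to new signing keys, address the same gap: a package signed on a compromised signing host carries a perfectly valid signature, so signature verification alone cannot catch it. The Go program below is an added example, not code from Red Hat, Fedora or their advisories. It models a client-side verifier that combines a key trust store with a key-revocation list and a blacklist of tampered-package digests, and walks through the incident with constructed data. It uses Ed25519 from the Go standard library purely so it runs offline; real RPM packages are signed with GPG keys, and the key IDs, package names and package bytes here are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Package is a signed artifact as a client sees it: its bytes, the ID of
// the key claimed to have signed it, and the signature over the bytes.
type Package struct {
	Name  string
	Data  []byte
	KeyID string
	Sig   []byte
}

// TrustStore is the client's view of which keys to accept, plus the two
// things a vendor publishes out of band after a signing host is breached:
// keys withdrawn from service, and digests of packages the intruder signed.
type TrustStore struct {
	Keys        map[string]ed25519.PublicKey
	RevokedKeys map[string]bool
	Tampered    map[string]bool // hex SHA-256 of package bytes
}

var (
	ErrUnknownKey = errors.New("package signed by an unknown key")
	ErrBadSig     = errors.New("signature does not verify")
	ErrRevokedKey = errors.New("signing key has been revoked")
	ErrTampered   = errors.New("package is on the published tampered list")
)

// Digest returns the hex SHA-256 of a package's bytes, the form in which a
// tampered-package list is most usefully published.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Verify accepts a package only if the signature is valid AND the key is
// still trusted AND the package is not on the tampered list. A valid
// signature on its own proves nothing once the signing host was breached.
func (ts *TrustStore) Verify(p Package) error {
	pub, ok := ts.Keys[p.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, p.Data, p.Sig) {
		return ErrBadSig
	}
	if ts.RevokedKeys[p.KeyID] {
		return ErrRevokedKey
	}
	if ts.Tampered[Digest(p.Data)] {
		return ErrTampered
	}
	return nil
}

// Step records the outcome of one verification in the scenario.
type Step struct {
	Label string
	Err   error
}

// Scenario uses constructed data: an "old" key whose signing host is
// breached, a backdoored package the intruder signs with that real key,
// then the vendor's two responses (a digest list, then key rotation).
func Scenario() []Step {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	good := []byte("openssh-server (constructed clean package bytes)")
	evil := []byte("openssh-server (constructed backdoored package bytes)")

	ts := &TrustStore{
		Keys:        map[string]ed25519.PublicKey{"key-2006": oldPub},
		RevokedKeys: map[string]bool{},
		Tampered:    map[string]bool{},
	}
	legit := Package{"openssh-server", good, "key-2006", ed25519.Sign(oldPriv, good)}
	// The intruder controls the signing host, so this signature is genuine.
	planted := Package{"openssh-server", evil, "key-2006", ed25519.Sign(oldPriv, evil)}

	var out []Step
	out = append(out, Step{"1 before disclosure: clean package", ts.Verify(legit)})
	out = append(out, Step{"2 before disclosure: intruder-signed package", ts.Verify(planted)})

	// Response 1: publish the digests of the tampered packages.
	ts.Tampered[Digest(evil)] = true
	out = append(out, Step{"3 after tampered list: intruder-signed package", ts.Verify(planted)})

	// Response 2: rotate keys. Clean packages still on mirrors under the
	// old key are now rejected too, until they are re-signed.
	ts.Keys["key-2008"] = newPub
	ts.RevokedKeys["key-2006"] = true
	out = append(out, Step{"4 after rotation: clean package, old key", ts.Verify(legit)})
	resigned := Package{"openssh-server", good, "key-2008", ed25519.Sign(newPriv, good)}
	out = append(out, Step{"5 after rotation: clean package re-signed", ts.Verify(resigned)})
	// Without the new private key the intruder cannot pass as the new key.
	forged := Package{"openssh-server", evil, "key-2008", ed25519.Sign(oldPriv, evil)}
	out = append(out, Step{"6 after rotation: forged under new key ID", ts.Verify(forged)})
	return out
}

func main() {
	for _, s := range Scenario() {
		verdict := "ACCEPT"
		if s.Err != nil {
			verdict = "REJECT (" + s.Err.Error() + ")"
		}
		fmt.Printf("%-50s %s\n", s.Label, verdict)
	}
}
```

Step 2 is the one that matters: before the vendor says anything, the intruder-signed package verifies cleanly on every client. Only the out-of-band tampered list (step 3) or key revocation (step 4) rejects it, and revocation is what protects against copies that are still cached on third-party mirrors, which is the reason Fedora gave for switching keys. The cost of rotation is step 4: every legitimate package signed with the old key must be re-signed before clients will take it again.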
Red Hat is offering mitigation, Fedora converted to new signing keys and, again, by all reports, there is no serious lasting damage. This is great news.
However, there is still the $10,000 USD question to answer, as well as others that Red Hat ignored. What led to the breach? How was it discovered? How long did the compromise last, from the time of attack until discovery?
Pat, Aug 25th, 2008 - 22:26:39
We really do need to know how this happened. It's not enough for RH/Fedora to say 'It's fixed, don't worry.'
We weren't worried in the first place. We're only worried now because you got hacked!
Obviously we need more information so that we can be confident about RH/Fedora in future.
Secondly, it would help the open-source industry if they explained how other projects can avoid a similar compromise.
This puts the spotlight on one of the major flaws with digitally-signed packages - if an attacker gets control of the signing system then it's game over.