Red Hat, Fedora Servers Face Hack Attack
A rare Linux security breach occurred when servers belonging to Red Hat and to the Fedora Project were compromised by an intruder. Red Hat advised Red Hat Enterprise Linux and Fedora customers on how to determine whether they had been affected. Red Hat security specialists say there is no evidence that the Fedora package signing key itself was breached.
Last week, Red Hat security specialists had a problem on their hands when they detected an unauthorized intrusion into the company's computer systems. The attack affected both Red Hat's own servers and the servers of the Fedora Project, the community Linux distribution sponsored by Red Hat.
The affected servers were taken offline. Red Hat issued an advisory to its customers telling them how to check whether their systems had been compromised, and released updated versions of the affected OpenSSH packages for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5.
“Security specialists and administrators have been working since [they discovered the attack] to analyze the intrusion and the extent of the compromise, as well as reinstall Fedora systems,” said Paul W. Frields, the Fedora Project leader. “We are using the requisite outages as an opportunity to do other upgrades for the sake of functionality as well as security.”
Affected Systems
One of the compromised systems was used for signing Fedora packages, according to Frields. He said he believes the intruder did not obtain the passphrase protecting the Fedora package signing key, but that this had not yet been confirmed.
“While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to a new Fedora signing key,” Frields said.
Red Hat uses a custom hardware signing setup so that the private key does not have to be handed to the developers who sign packages. “Assuming that [this was done correctly], there was no risk of their key being compromised,” said Justin Cappos, a postdoctoral researcher at the University of Washington who has studied and written papers on the subject. “Someone was able to get a token, but was not actually able to get the key.”
Packages obtained by Red Hat Enterprise Linux subscribers via the Red Hat Network were not at risk, according to the company.
Frields also asked anyone with information about the intrusion to come forward and contact Red Hat's legal team.
Vulnerabilities Exposed
A group of researchers at the University of Arizona set out to show how easy it is for a malicious party to get a rogue mirror (a server that hosts a copy of a distribution's packages, used to spread download load) listed as an official download site. The group of post-docs, undergraduate students and their associate professor ran an experiment in which they invented a company name, leased a server from a hosting provider, and created a fictitious administrator contact.
“We were able to get our mirror listed on every distribution we tried,” wrote the group in a paper about their experiment.
The experiment included Fedora along with Debian, Ubuntu and openSUSE. Mirrors set up by the group were contacted by thousands of clients, including military and government computers.
Cappos, who worked on the project while a student at the University of Arizona, said the problems that exist in this area are not unique to Fedora or Red Hat. They are prevalent across a wide variety of distributions.
“Distributions have done a great job at looking at code created by developers. What receives a lot less attention is how they package the code and get it to the users,” Cappos said.
Another problem, according to Cappos, is how developers get code into the main repositories. “This is an area that I don't think distributions have paid as close attention to. There is a lot of work that they need to do in this area.”
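The practical consequence of the mirror experiment above, and of Frields's remark that Fedora packages travel through third-party mirrors, is that a client must rely on package signatures rather than on the mirror it happens to download from. The following added example (not from the article, Red Hat or the Arizona group) is a small check that reads yum-style .repo configuration and flags any enabled repository that does not enforce GPG verification; the repository names, URLs and key paths in the embedded sample are constructed for the example.

```shell
#!/bin/sh
# check_repo_gpg: reads a yum .repo file on stdin and prints one line per
# repository that is enabled but has gpgcheck != 1 or no gpgkey configured.
# Exit status is 1 if any such weak repository was found, 0 otherwise.
# A repository with gpgcheck=0 trusts whatever the mirror serves.
check_repo_gpg() {
  awk '
    function flush() {
      if (sect != "" && enabled != "0" && (gpgcheck != "1" || gpgkey == "")) {
        print "WEAK: [" sect "] gpgcheck=" (gpgcheck == "" ? "unset" : gpgcheck) \
              " gpgkey=" (gpgkey == "" ? "unset" : "set")
        weak = 1
      }
    }
    # New section header: report the previous section, then reset state.
    # yum treats a missing enabled= as enabled=1, so that is the default here.
    /^\[.*\]$/ { flush(); sect = substr($0, 2, length($0) - 2); enabled = "1"; gpgcheck = ""; gpgkey = ""; next }
    /^[[:space:]]*(#|$)/ { next }
    {
      # key = value; the value may itself contain "=" (URLs), so split once.
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
      val = substr($0, eq + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      if (key == "enabled") enabled = val
      else if (key == "gpgcheck") gpgcheck = val
      else if (key == "gpgkey") gpgkey = val
    }
    END { flush(); exit weak }
  '
}

# Constructed sample configuration (names, URL and key path are placeholders):
# the first repository is configured correctly, the second trusts the mirror.
SAMPLE_REPO='[example-os]
name=Example OS
baseurl=http://mirror.example.invalid/os/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-extras]
name=Example Extras (weak)
baseurl=http://mirror.example.invalid/extras/$basearch/
enabled=1
gpgcheck=0
'

printf '%s\n' "$SAMPLE_REPO" | check_repo_gpg \
  || echo "Set gpgcheck=1 and a gpgkey for the repositories listed above."
```

On a real host the same function can be run over the live configuration with `cat /etc/yum.repos.d/*.repo | check_repo_gpg`. Note that it only checks that verification is turned on; it does not check which key is pinned, which matters after a key rotation like the one Fedora announced.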
How To Handle the Tampering
Red Hat has provided a shell script that lists the affected OpenSSH packages (for Red Hat Enterprise Linux 4 on i386 and x86_64 only, and Red Hat Enterprise Linux 5 on x86_64 only) and verifies that none of them are installed on a system. Users are being asked to go to the Red Hat Web site, where they will find the script to run against their systems.
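As an added illustration of how such a check works (this is not Red Hat's script, and the package identifiers and hashes below are constructed placeholders, not the ones Red Hat published), the example queries the RPM database for installed openssh packages and compares each one against a blacklist. It matches on the package's name-version-release.arch together with its RPM header SHA-1, so a tampered build that reuses a legitimate version string is still caught:

```shell
#!/bin/sh
# Constructed placeholder blacklist, NOT Red Hat's list of tampered packages.
# One entry per line: "<name>-<version>-<release>.<arch> <rpm header sha1>"
TAMPERED_LIST='openssh-3.9p1-8.RHEL4.EXAMPLE.i386 00000000000000000000000000000000deadbeef
openssh-server-4.3p2-26.el5.EXAMPLE.x86_64 00000000000000000000000000000000cafebabe'

# Query installed openssh* packages from the RPM database in the same format.
list_installed_openssh() {
  rpm -qa 'openssh*' --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SHA1HEADER}\n'
}

# check_tampered: reads "NEVRA sha1" lines on stdin, prints each blacklisted
# match, and returns 1 if any were found (0 means nothing on the list is
# installed). Matching the header digest, not just the name, is what
# distinguishes a legitimate package from a rogue one with the same version.
check_tampered() {
  found=0
  while IFS=' ' read -r nevra sha1; do
    [ -n "$nevra" ] || continue
    if printf '%s\n' "$TAMPERED_LIST" | grep -Fqx -- "$nevra $sha1"; then
      echo "TAMPERED: $nevra (header sha1 $sha1)"
      found=1
    fi
  done
  return "$found"
}

# Constructed sample of what rpm would print on a host carrying one bad package.
SAMPLE_INVENTORY='openssh-4.3p2-26.el5.x86_64 1111111111111111111111111111111111111111
openssh-server-4.3p2-26.el5.EXAMPLE.x86_64 00000000000000000000000000000000cafebabe'

if command -v rpm >/dev/null 2>&1; then
  list_installed_openssh | check_tampered \
    && echo "No known tampered OpenSSH packages installed." \
    || echo "Remove the packages above and reinstall from Red Hat Network."
else
  echo "rpm not available; checking the constructed sample inventory instead."
  printf '%s\n' "$SAMPLE_INVENTORY" | check_tampered \
    || echo "Remove the packages above and reinstall from Red Hat Network."
fi
```

A clean result only means none of the blacklisted builds is installed; it does not prove the host was never exposed, so a system that pulled OpenSSH updates from a mirror during the affected window still warrants a signature check of the installed packages with `rpm -V` and `rpm -K` against the vendor key.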