More than a week after a cryptic note hinted at a security breach at Fedora, the open-source project has finally confirmed that there were two separate server intrusions, one of which let an attacker sign a small number of Red Hat's OpenSSH packages. Red Hat has warned that the intruders were able to gain access to its systems and tamper with packages, but said that because its content distribution network was not affected, it is confident that no tampered packages were served to users.
The first hint that something was wrong came last week when Fedora rebuilt its systems, a reconstruction accompanied by extended outages. Fedora's own packages were not tampered with in the attack, but Red Hat Enterprise Linux OpenSSH packages were signed by as yet unidentified intruders.
According to a critical security advisory issued on Friday, Red Hat detected an intrusion on certain of its computer systems and took immediate action. Checks on its content distribution network came back clean, but the investigation showed that an intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). The advisory lists the affected products as:
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)
As a precautionary measure, Red Hat released updated versions of these packages and published a list of the tampered packages together with a way to detect them.
In a parallel posting to the Fedora announce mailing list early on Friday morning Paul Frields, Fedora project leader, confirmed that an intrusion by computer hackers had prompted the unprecedented rebuild by the Linux distribution, which is sponsored by Red Hat.
Among the compromised Fedora servers was a machine used for signing Fedora packages. Following a forensic examination, the project is confident that the attackers were not able to capture the passphrase protecting the Fedora package signing key: the passphrase was not used during the period of the intrusion, and it is not stored on any Fedora server.
As a precaution, Fedora has nevertheless changed its signing key. Access to the key would potentially have allowed attackers to distribute backdoored code carrying Fedora's signature, which is exactly the risk Red Hat is grappling with in the case of the doctored OpenSSH packages.
Fedora has carried out checks that indicate the integrity of its packages and source code has not been affected by the breach. It said it was simply playing it safe when it advised users to hold off from downloads last week, advice that stoked speculation that a security breach lay behind the then unexplained outage.
Red Hat said its investigation to date indicates that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk.
The company stresses that the effects of the intrusion on Fedora and on Red Hat are not the same. The Fedora package signing key is not connected to, and is different from, the key used to sign Red Hat Enterprise Linux packages. Likewise, the Fedora package signing key is not connected to, and is different from, the key used to sign community Extra Packages for Enterprise Linux (EPEL) packages.
Red Hat shipped a critical OpenSSH update to RHEL users whose advisory refers to an “intrusion on certain computer system that compromised some Open SSH packages”. Red Hat has also released a shell script that lists the affected packages and verifies that none of them are installed on a system.
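The kind of check such a script performs, as an added example rather than the script Red Hat published: compare the identities of installed packages against a blacklist of tampered builds, and separately flag any installed package whose signature was not made by the expected release key. The blacklist entries, the expected key ID and the sample inventories below are constructed placeholders, not the real package names or key from the advisory; the inventory line shape assumed is what rpm prints for the query format shown in the comments.

```shell
#!/bin/sh
# Added example, not Red Hat's detection script. Two checks an administrator
# would want after a signing-system compromise:
#   1. is any package on the published blacklist installed?
#   2. is every installed package signed by the key we expect?
# All package names and key IDs here are CONSTRUCTED placeholders.

# Constructed blacklist: NAME-VERSION-RELEASE.ARCH, one per line.
BLACKLIST='openssh-3.9p1-0.example.1.i386
openssh-server-3.9p1-0.example.1.x86_64
openssh-4.3p2-0.example.1.x86_64'

# Live inventory in the same NAME-VERSION-RELEASE.ARCH form, using rpm's
# query-format option; only usable on a host that has rpm.
installed_inventory() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
}

# Live inventory with the signature description rpm records for each package.
installed_signatures() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'
}

# find_tampered INVENTORY_TEXT BLACKLIST_TEXT
# Prints each inventory line that exactly matches a blacklist entry.
# Exit status 0 means clean, 1 means at least one tampered build is installed.
find_tampered() {
    inventory=$1
    blacklist=$2
    status=0
    old_ifs=$IFS
    IFS='
'
    for entry in $blacklist; do
        if printf '%s\n' "$inventory" | grep -Fxq -- "$entry"; then
            printf '%s\n' "$entry"
            status=1
        fi
    done
    IFS=$old_ifs
    return $status
}

# unexpected_signers SIGNATURE_TEXT EXPECTED_KEYID
# Each input line is "<nvra> <signature description>", where a signed package's
# description ends in "Key ID <hex>" and an unsigned one reads "(none)".
# Prints "<nvra> <keyid>" for every package NOT signed by EXPECTED_KEYID,
# including unsigned packages, so a swapped or missing signature stands out.
unexpected_signers() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    printf '%s\n' "$1" | while IFS= read -r line; do
        nvra=${line%% *}
        rest=${line#* }
        case "$rest" in
            *"Key ID "*) keyid=$(printf '%s' "${rest##*Key ID }" | tr 'A-F' 'a-f') ;;
            *) keyid='(none)' ;;
        esac
        [ "$keyid" = "$expected" ] || printf '%s %s\n' "$nvra" "$keyid"
    done
}

# Live run, only when explicitly requested on a host with rpm. The expected
# key ID below is a placeholder; substitute the vendor's published key ID.
if [ "${RUN_LIVE_CHECK:-0}" = 1 ] && command -v rpm >/dev/null 2>&1; then
    echo "== installed packages on the blacklist =="
    find_tampered "$(installed_inventory)" "$BLACKLIST" && echo "(none found)"
    echo "== packages not signed by the expected key =="
    unexpected_signers "$(installed_signatures)" "0123456789abcdef"
fi
```

Run it with `RUN_LIVE_CHECK=1 sh check.sh` on an rpm-based host; without that variable the functions are defined but nothing touches the package database. Matching on the full NAME-VERSION-RELEASE.ARCH string rather than on the package name alone matters here, because the legitimate and tampered OpenSSH builds differ only in release and architecture, and the signer check catches the case the blacklist cannot: a package the attacker signed that never made it onto the published list.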