Forgot your password?
typodupeerror
Open Source Red Hat Software Security News Linux

Fedora Infrastructure Compromised 115

Posted by CmdrTaco
from the hate-when-that-happens dept.
Trailrunner7 writes "The infrastructure of the Fedora Project was compromised over the weekend and an account belonging to a Fedora contributor was taken over by an attacker. However, Fedora officials said they don't believe that the attacker was able to push any changes to the Fedora package system or make any actual changes to the infrastructure. The attack appears to have targeted one specific user account, which had some high-value privileges. The attacker was able to compromise the account externally, and then had the ability to connect remotely to some Fedora systems. The attacker also changed the account's SSH key, Fedora officials said."
This discussion has been archived. No new comments can be posted.

Fedora Infrastructure Compromised

Comments Filter:
  • by amicusNYCL (1538833) on Tuesday January 25, 2011 @02:14PM (#34997172)

    However, Fedora officials said they don't believe that the attacker was able to push any changes to the Fedora package system or make any actual changes to the infrastructure.

    What do you mean you "don't believe"? You don't have logs?

    • Re:Believe? (Score:5, Insightful)

      by syntap (242090) on Tuesday January 25, 2011 @02:17PM (#34997240)

      Logs can be faked. How about a bitwise comparison to the known-good package system?

      • by h00manist (800926)

        Logs can be faked. How about a bitwise comparison to the known-good package system?

        Fake information can be even more useful, if you detect it's fake of course.

      • by timeOday (582209)
        A compromised server could store the packages unchanged but modify them on the way out.

        The critical piece as I see it is the distribution of the checksums. If package maintainers and end users agree on the checksums (and neither of their systems is initially compromised), then everything should be fine. Or am I overlooking something?

      • by jd (1658)

        If you're using Nulfs2 for the filesystem the logs are on, then you can determine if data within the logs have been altered.

        Alternatively, if the logging daemon writes events to a logger on another machine, then logs could only ever be appended to and never altered.

        In this day and age, it seems pitiful that anyone would use a setup where the logs could be faked.

        • by arth1 (260657)

          Alternatively, if the logging daemon writes events to a logger on another machine, then logs could only ever be appended to and never altered.

          This is why there's still a market for dot matrix printers, especially those with a dip switch that disables reverse paper feed.
          Good luck erasing or modifying that audit trail remotely.

      • by Darinbob (1142669)
        This is why you should periodically save your game.
      • Is there a 'known-good' Fedora system?

      • Re:Believe? (Score:5, Informative)

        by Anonymous Coward on Tuesday January 25, 2011 @03:59PM (#34998602)

        Logs can be faked. How about a bitwise comparison to the known-good package system?

        As a fedora dev account holder, I got the notification email. The filesystem was compared with a previous 'good' snapshot to determine what changes were made.

      • by BitwiseX (300405)

        Logs can be faked. How about a bitwise comparison to the known-good package system?

        Sorry, I'm busy remodeling my house..

      • I'm sure these guy's know all the security protocols as this is Fedora. But what needs to be made open is any security breach that may affect users and the exact nature of this breach. As we all know Fedora is a particularly security conscious OS. This needs to be nailed now!
    • by 0racle (667029)
      Perhaps this is an early release of the information and given the amount of time they have spent in researching the issue they don't believe anything was actually done, but a more thorough investigation is still needed.
    • would you trust the logs if you had them?

      • Well, I would update my local repository, and then check the change logs to see what's different. So yeah, I would trust that.

    • These things take time to analyze. Surely they will be finding out more things.
    • Yep... Make the devs change all passwords, wipe the affected system, and re-install. Or, they can do that thing were you put important data on a non-volatile media and put it somewhere in case you lose a system...

    • "The Infrastructure Team took the following actions after being notified of the issue:

      1. Lock down access to the compromised account

      2. Take filesystem snapshots of all systems the account had access to

      (pkgs.fedoraproject.org, fedorapeople.org)

      3. Audit SSH, FAS, Git, and Koji logs from the time of compromise to the present

      Here, we found that the attacker did:

      * Change the account's SSH key in FAS

      * Login to fedorapeople.org

    • Re:Believe? (Score:5, Funny)

      by Chapter80 (926879) on Tuesday January 25, 2011 @03:59PM (#34998610)

      However, Fedora officials said they don't believe that the attacker was able to push any changes to the Fedora package system or make any actual changes to the infrastructure.

      What do you mean you "don't believe"? You don't have logs?

      Thankfully, I am on Windows, so I don't have to wonder whether hackers are conducting malicious activity.

    • However, Fedora officials said they don't believe that the attacker was able to push any changes to the Fedora package system or make any actual changes to the infrastructure.

      What do you mean you "don't believe"? You don't have logs?

      Yeah No spin doctors, we're probably all administrators or more. What exactly has happened?

  • ...because I thought this was about shoddy hats.

    • by h00manist (800926)
      I only recently discovered what the hell does "fedora" mean apart from a Linux distro.
      • by foobsr (693224)
        I only recently discovered what the hell does "fedora" mean apart from a Linux distro.

        You encountered a red fedora?

        CC.
      • by Chapter80 (926879)

        I only recently discovered what the hell does "fedora" mean apart from a Linux distro.

        Red Hat Fedora
        Apple MacIntosh (McIntosh Apples)
        Sun SOLARis

        There are a lot of plays on words out there in the tech field.

        • by angus77 (1520151)

          Apple MacIntosh (McIntosh Apples)

          Bonus points for noticing the difference in the spelling!

    • You can't have my Fancy Fedora [teamfortress.com]. :|

    • by jd (1658)

      Yeah, turns out the mercury used was driving the hatters mad.

    • by MoriaOrc (822758)
      My first thought was "How will Bogart cope with a compromised fedora infrastructure?!"
      Then I remembered Bogart was dead.
      Then I remembered Fedora is a Linux distro.
  • didn't something very similar happen last year, too?
    • by bsDaemon (87307)

      I think last year it was CentOS that got hit, not Fedora. Also, the nature of the attack was different and I believe some packages were compromised, or at least the repo signing keys.

  • The first action the intruder took, changing the SSH password, set off an automatic email notification, which is how the compromise was detected. Pretty stupid.

    A pity that the clueless black hats eventually learn, tho. Not that this means that open-source is totally helpless. In the past, malevolent software updates have been caught. If this becomes widespread, it just means that the development is slowed by the necessity for peer review.

    • slowed by the necessity for peer review.

      What credible software organization feels that peer review isn't necessary? Automated testing only gets you so far...

      • by Mathinker (909784) *

        I'd guess that most open-source projects are one- or two-developer deals, max (actually, if you look at SourceForge, you'd end up saying that most projects are zero-developer deals!). However, the most-used projects are much better "staffed", which might mean that there is more of a chance that the people in charge of vetting the commits have some specialized training to catch malevolent changes (and also that more than one set of eyeballs might be looking at every commit).

        In the end, it comes down to a mat

  • by MSG (12810) on Tuesday January 25, 2011 @02:31PM (#34997458)

    The infrastructure was not compromised. One user's password appears to have been compromised and changed. That account did not have "high value privileges".

    • Debian: [1 [debian.org]], [2 [slashdot.org]]
    • Ubuntu: [1 [slashdot.org]]
    • Gentoo: [1 [gentoo.org]]
    • So am I to infer from this that I should switch to SuSE (/spits foul taste from mouth) or slackware? Or are those distros just too insignificant to make the news when compromised?
      • by snookiex (1814614)
        I could swear I read something about Slackware some years ago, but I've never heard about SuSE/OpenSUSE servers compromised. It's not that they're insignificant, but they simply kept themselves secured or no one ever realized they were compromised. Besides OpenSUSE is among the top five Linux distros I can't get your point.
  • by seifried (12921) on Tuesday January 25, 2011 @02:49PM (#34997740) Homepage

    http://lists.fedoraproject.org/pipermail/devel-announce/2011-January/000746.html [fedoraproject.org]

    Summary: Fedora infrastructure intrusion but no impact on product integrity

    On January 22, 2011 a Fedora contributor received an email from the Fedora Accounts System indicating that his account details had been changed. He contacted the Fedora Infrastructure Team indicating that he had received the email, but had not made changes to his FAS account. The Infrastructure Team immediately began investigating, and confirmed that the account had indeed been compromised.

    At this time, the Infrastructure Team has evidence that indicates the account credentials were compromised externally, and that the Fedora Infrastructure was not subject to any code vulnerability or exploit.

    The account in question was not a member of any sysadmin or Release Engineering groups. The following is a complete list of privileges on the account:

    • SSH to fedorapeople.org (user permissions are very limited on this machine).
    • Push access to packages in the Fedora SCM.
    • Ability to perform builds and make updates to Fedora packages.

    The Infrastructure Team took the following actions after being notified of the issue:

    • 1. Lock down access to the compromised account
    • 2. Take filesystem snapshots of all systems the account had access to (pkgs.fedoraproject.org, fedorapeople.org)
    • 3. Audit SSH, FAS, Git, and Koji logs from the time of compromise to the present. Here, we found that the attacker did:
      • Change the account's SSH key in FAS
      • Login to fedorapeople.org

      The attacker did not:

      • Push any changes to the Fedora SCM or access pkgs.fedoraproject.org in any way
      • Generate a koji cert or perform any builds
      • Push any package updates

    Based on the results of our investigation so far, we do not believe that any Fedora packages or other Fedora contributor accounts were affected by this compromise.

    While the user in question had the ability to commit to Fedora SCM, the Infrastructure Team does not believe that the compromised account was used to do this, or cause any builds or updates in the Fedora build system. The Infrastructure Team believes that Fedora users are in no way threatened by this security breach and we have found no evidence that the compromise extended beyond this single account.

    As always, Fedora packagers are recommended to regularly review commits to their packages and report any suspicious activity that they notice.

    Fedora contributors are strongly encouraged to choose a strong FAS password. Contributors should *NOT* use their FAS password on any other websites or user accounts. If you receive an email from FAS notifying you of changes to your account that you did not make, please contact the Fedora Infrastructure team immediately via admin@fedoraproject.org.

    We are still performing a more in-depth investigation and security audit and we will post again if there are any material changes to our understanding.

    --

    Jared Smith

    Fedora Project Leader

  • by Anonymous Coward

    I will be releasing Fedora 15 Desktop Edition next week. Standby for download links.

  • If you compromised an account, why would you change the key, an action that would quite likely trigger some sort of alert (as it did). Wouldn't you just silently look around until you knew what you wanted to do with it and then do all your damage at once before they could cut you off?
    • by Ignacio (1465)

      Because, as they say, "you can't get there from here". Changing the key is the only way to get any further into the system, unless you already have the private key and passphrase.

Never say you know a man until you have divided an inheritance with him.

Working...