August 22nd, 2008

Red Hat (belatedly) confirms security breach

Posted by Ryan Naraine @ 11:34 am

Categories: Patch Watch, Hackers, Zero-day attacks, Browsers, Vulnerability research, Responsible disclosure, Exploit code, Data theft, Open source, Pen testing, Passwords, Arbitrary Code Execution, Complex Attacks, Malware

Tags: Red Hat Enterprise Linux, Security, Red Hat Inc., Fedora Project, Open Source, Servers, Hardware, Ryan Naraine

More than a week after a cryptic note hinted at a security breach at Fedora, the open-source group has finally fessed up to two separate server intrusions that compromised the security of Red Hat’s OpenSSH packages.

The confirmation follows eight days of media speculation and conjecture over a brief e-mail that simply mentioned “an issue in the infrastructure systems” and calls into question Red Hat’s ability to promptly — and accurately — disclose security breaches.

Today’s acknowledgment is two-fold — an e-mail on the Fedora-Announce list and a critical Red Hat advisory — but some things surrounding the breach remain murky.

In the e-mail announcement, the group said it discovered the breach “last week,” but there’s no mention of when it actually occurred.

It said that one of the Fedora servers was a system used for signing Fedora packages but insists with “high confidence” that the intruder was not able to capture the passphrase used to secure the Fedora package signing key.

  • Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.
  • While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

In tandem with that announcement, Red Hat shipped a critical OpenSSH update to RHEL users that mentions “an intrusion on certain computer system” that compromised some OpenSSH packages.

  • In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html.

The company said its processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk.
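Because the intruder signed the tampered builds with a legitimate key, a signature check alone passes them; detection needs a blacklist of the tampered files' digests, which is what Red Hat's published list provides. The audit below is an added example, not Red Hat's own detection script: every digest, key ID, package version and inventory line in it is constructed sample data, and it assumes the signer field is in the shape of rpm's `%{SIGPGP:pgpsig}` output.

```python
import hashlib
import re

# Constructed placeholder blacklist; the real one maps each tampered build
# to the digest Red Hat published.  NEVRA -> SHA-256 of the tampered RPM.
TAMPERED_PACKAGES = {
    "openssh-3.9p1-8.RHEL4.24.i386":
        hashlib.sha256(b"constructed tampered rpm #1").hexdigest(),
}
# Constructed placeholder for the trusted release signing key ID.
TRUSTED_KEY_IDS = {"0123456789abcdef"}
# Tail of rpm's %{SIGPGP:pgpsig} field, e.g.
# "DSA/SHA1, Mon 18 Aug 2008 10:00:00 AM UTC, Key ID 0123456789abcdef"
KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})$")

def sha256_hex(rpm_bytes: bytes) -> str:
    """Digest of the RPM file as stored on disk (what the blacklist lists)."""
    return hashlib.sha256(rpm_bytes).hexdigest()

def signer_key_id(pgpsig: str):
    """Key ID from the pgpsig field; None when unsigned ("(none)") or malformed."""
    m = KEY_ID_RE.search(pgpsig.strip())
    return m.group(1).lower() if m else None

def classify(nevra: str, rpm_bytes: bytes, pgpsig: str) -> str:
    """'tampered', 'unsigned', 'untrusted-signer' or 'ok' for one package."""
    # Blacklist first: a tampered build carries a valid signature and would pass the signer check.
    if TAMPERED_PACKAGES.get(nevra) == sha256_hex(rpm_bytes):
        return "tampered"
    key_id = signer_key_id(pgpsig)
    if key_id is None:
        return "unsigned"
    if key_id not in TRUSTED_KEY_IDS:
        return "untrusted-signer"
    return "ok"

def audit(inventory):
    """inventory: iterable of (nevra, rpm_bytes, pgpsig) -> {nevra: verdict}."""
    return {nevra: classify(nevra, blob, sig) for nevra, blob, sig in inventory}

# Constructed inventory in the shape of rpm -q output for the affected set.
SAMPLE_INVENTORY = [
    ("openssh-3.9p1-8.RHEL4.24.i386", b"constructed tampered rpm #1",
     "DSA/SHA1, Mon 18 Aug 2008 10:00:00 AM UTC, Key ID 0123456789abcdef"),
    ("openssh-server-4.3p2-26.el5.x86_64", b"clean rebuild",
     "DSA/SHA1, Fri 22 Aug 2008 09:00:00 AM UTC, Key ID 0123456789abcdef"),
    ("openssh-clients-4.3p2-26.el5.x86_64", b"clean rebuild",
     "DSA/SHA1, Fri 22 Aug 2008 09:00:00 AM UTC, Key ID deadbeefdeadbeef"),
    ("openssh-askpass-4.3p2-26.el5.x86_64", b"clean rebuild", "(none)"),
]
```

On a real host the inventory would be built from the installed RPM files and `rpm -q --qf '%{SIGPGP:pgpsig}'` for each package, with the blacklist digests taken from Red Hat's published page.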

The company insists the effects of the intrusion on Fedora and Red Hat are not the same.

  • Accordingly, the Fedora package signing key is not connected to, and is different from, the one used to sign Red Hat Enterprise Linux packages. Furthermore, the Fedora package signing key is also not connected to, and is different from, the one used to sign community Extra Packages for Enterprise Linux (EPEL) packages.
Ryan Naraine is a security evangelist at Kaspersky Lab, an anti-malware company with operations around the world. See his full profile and disclosure of his industry affiliations.

