Linux distributor Red Hat has issued a statement revealing that its servers were illegally infiltrated by unknown intruders. According to the company, internal audits have confirmed that the integrity of the Red Hat Network software deployment system was not compromised. The community-driven Fedora project, which is sponsored by Red Hat, also fell victim to a similar attack.
"Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action," Red Hat said in a statement. "We remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk."
Although the attackers did not penetrate Red Hat's software deployment system, they did manage to sign a handful of Red Hat Enterprise Linux OpenSSH packages. Because those packages carry a genuine Red Hat signature, an ordinary signature check will not flag them; the tampered packages have to be identified individually. Red Hat has responded by issuing an OpenSSH update and providing a command-line tool that administrators can use to check their systems for potentially compromised OpenSSH packages.
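The shape of that check, as an added illustration rather than Red Hat's own script: compare the installed OpenSSH package set against a blacklist of specific name-version-release.arch strings. Both lists in the block are constructed placeholders (the `9.9.9-0.example` versions are deliberately fictitious); the real blacklist comes from Red Hat's advisory, and the installed list comes from `rpm` on a live system.

```sh
#!/bin/sh
# Added example, not Red Hat's checker. Matches installed package NVRs
# against a blacklist of known-bad NVRs. All package strings below are
# constructed placeholders, not real Red Hat package names/versions.

# Constructed blacklist: stand-ins for the tampered packages an advisory
# would list. Signature verification passes on such packages, so only an
# exact NVR (or checksum) match can identify them.
BLACKLIST='openssh-9.9.9-0.example.x86_64
openssh-server-9.9.9-0.example.x86_64
openssh-clients-9.9.9-0.example.x86_64'

# Constructed sample of "rpm -qa" output. Two packages match the blacklist;
# openssh-clients has a different release and must not be reported.
SAMPLE_INSTALLED='openssh-9.9.9-0.example.x86_64
openssh-server-9.9.9-0.example.x86_64
openssh-clients-9.9.9-1.example.x86_64
bash-4.4.20-1.example.x86_64'

# check_blacklist INSTALLED BLACKLIST
#   INSTALLED and BLACKLIST are newline-separated NVR lists.
#   Prints one "BLACKLISTED: <nvr>" line per exact match.
#   Returns 0 when nothing matched, 1 when at least one package matched.
check_blacklist() {
    installed=$1
    blacklist=$2
    found=0
    # NVRs contain no whitespace, so default IFS splitting is safe here.
    for pkg in $blacklist; do
        # -x: whole-line match, -F: literal string (NVRs contain '.'),
        # so "openssh-9.9.9-0" cannot match "openssh-server-9.9.9-0".
        if printf '%s\n' "$installed" | grep -qxF -- "$pkg"; then
            echo "BLACKLISTED: $pkg"
            found=1
        fi
    done
    return $found
}

if check_blacklist "$SAMPLE_INSTALLED" "$BLACKLIST"; then
    echo "No blacklisted OpenSSH packages found."
else
    echo "Remove or replace the packages above with the updated OpenSSH packages."
fi
```

On a real RHEL host, replace the constructed `SAMPLE_INSTALLED` with the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' 'openssh*'`, and populate `BLACKLIST` from the advisory. Note that `rpm -K` on a tampered package would still report a good signature, which is exactly why a list-based check is needed.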
Key pieces of Fedora's technical infrastructure were initially disabled earlier this month following a mailing list announcement which indicated only that Fedora personnel were addressing a technical issue of some kind. Fedora project leader and board chairman Paul W. Frields clarified the situation on Friday with a follow-up post in which he indicated that the outage was prompted by a security breach.
Fedora source code was not tampered with, he wrote, and there are no discrepancies in any of the packages. The system used to sign Fedora packages was among those affected by the incursion, but he says there is no definitive evidence that the key itself was compromised. The keys have been replaced anyway, as a precautionary measure.
"While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys," he wrote. "Among our other analyses, we have also done numerous checks of the Fedora package collection, and a significant amount of source verification as well, and have found no discrepancies that would indicate any loss of package integrity."
Assuming that Red Hat and Fedora are accurately conveying the scope and nature of the intrusion, the attacker was effectively prevented from causing any serious damage. Red Hat's security measures were apparently sufficient to stave off a worst-case scenario, but the intrusion itself is highly troubling. Red Hat has not disclosed the specific vulnerability that the intruders exploited to gain access to the systems.
Like the recent Debian OpenSSL fiasco, which demonstrated the need for higher code review standards, this Red Hat intrusion underscores the importance of constant vigilance and scrutiny. When key components of open source development infrastructure are compromised, it undermines the trust of the end-user community. In this case, Red Hat has clearly dodged a bullet, but the situation could have been a lot worse.