Linux distributor Red Hat has issued a statement (Ed: via their errata) revealing that its servers were illegally infiltrated by unknown intruders. According to the company, internal audits have confirmed that the integrity of the Red Hat Network software deployment system was not compromised. The community-driven Fedora project, which is sponsored by Red Hat, also fell victim to a similar attack. More news is available around the web.
Their package signing key was compromised and the intruders managed to get some OpenSSH packages signed. Combined with DNS poisoning this could be nasty.
It could have been bad if they had not caught it. But it is pretty easily fixed, as they just issue a point release with a new key and overwrite the older version if you happened to get it. Doesn't look like too many people actually downloaded it, though.
I think the point is that it should never have happened.
Prevention is always better than cure.
Actually, there were two separate attacks (although probably related) on the Red Hat and Fedora infrastructure servers. The Red Hat attacker was able to sign some openssh packages. My impression is that the intrusion was detected before the packages were pushed to users. But they did not compromise the private key since it is in a hardware device.
The Fedora attacker was not able to sign any packages but did potentially compromise the signing key so they generated a new one. In both cases, they shut down the update service until everything was fixed. They also forced all the Fedora contributors to generate new certificates and upload new SSH keys.
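The comment above describes the practical fallout of a key rollover: packages signed by the old key become suspect, and users have to check what key each installed package was actually signed with. The following is an added example (not code from the original thread, Red Hat or Fedora) that parses `rpm -qa --qf '...%{SIGPGP:pgpsig}'` output and sorts packages into trusted, revoked-key, unknown-key and unsigned buckets. The key IDs, package versions and dates in it are constructed placeholders; the real trusted and retired key IDs must come from the vendor's published fingerprints.

```python
import re
import subprocess

# Query format for rpm: one line per package, "<nevra><TAB><pgp signature summary>".
# rpm renders %{SIGPGP:pgpsig} as e.g. "DSA/SHA1, <date>, Key ID <16 hex digits>",
# or "(none)" for an unsigned package.
RPM_QUERY_FORMAT = "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{SIGPGP:pgpsig}\n"

# Key IDs you currently trust (lower-case, 16 hex digits). Hypothetical
# placeholder for the example; use the vendor's published key IDs in practice.
TRUSTED_KEY_IDS = {"0123456789abcdef"}
# Key IDs the vendor has retired or announced as compromised (hypothetical).
REVOKED_KEY_IDS = {"fedcba9876543210"}

_KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")


def parse_rpm_signature_lines(text):
    """Map package NEVRA -> signing key ID (lower-case), or None if unsigned."""
    packages = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        nevra, _, sig = line.partition("\t")
        match = _KEY_ID_RE.search(sig)
        packages[nevra.strip()] = match.group(1).lower() if match else None
    return packages


def classify_packages(packages, trusted=TRUSTED_KEY_IDS, revoked=REVOKED_KEY_IDS):
    """Split packages into trusted / revoked / unknown / unsigned lists.

    A revoked key is checked before the trusted set so that a key that was
    trusted until the rollover is reported as revoked once it is retired.
    """
    result = {"trusted": [], "revoked": [], "unknown": [], "unsigned": []}
    for nevra, key_id in sorted(packages.items()):
        if key_id is None:
            result["unsigned"].append(nevra)
        elif key_id in revoked:
            result["revoked"].append(nevra)
        elif key_id in trusted:
            result["trusted"].append(nevra)
        else:
            result["unknown"].append(nevra)
    return result


def query_installed(glob="openssh*"):
    """Run rpm on the local host; not used by the offline demo below."""
    out = subprocess.run(
        ["rpm", "-qa", "--qf", RPM_QUERY_FORMAT, glob],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_rpm_signature_lines(out)


# Constructed sample of rpm output; versions, dates and key IDs are invented.
SAMPLE_RPM_OUTPUT = (
    "openssh-1.2.3-4.el5.x86_64\tDSA/SHA1, Tue 01 Jan 2008 12:00:00 AM UTC, Key ID 0123456789ABCDEF\n"
    "openssh-server-1.2.3-4.el5.x86_64\tDSA/SHA1, Tue 01 Jan 2008 12:00:00 AM UTC, Key ID fedcba9876543210\n"
    "openssh-clients-1.2.3-4.el5.x86_64\t(none)\n"
    "openssh-askpass-1.2.3-4.el5.x86_64\tDSA/SHA1, Tue 01 Jan 2008 12:00:00 AM UTC, Key ID 1111222233334444\n"
)

if __name__ == "__main__":
    report = classify_packages(parse_rpm_signature_lines(SAMPLE_RPM_OUTPUT))
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

On a real host replace the sample with `query_installed()`; anything in the "revoked" or "unknown" buckets should be reinstalled from a package signed by the current key, and "unsigned" packages deserve the same treatment unless you built them yourself.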
“Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action.”
“the intruder was able to sign a small number of OpenSSH packages”
If an outsider is able to gain Redhat’s signing authority, then there is something wrong about how and where such critical data is stored there. Redhat also mixes in a separate security fix in this errata to make the break-in and internal problem seem trivial.
People were saying that Linux doesn't get attacked because of its market share percentage. Seems they are doing it just for the hell of it; Linux Mint got hit as well recently.
I think this tests the state of Linux repos and the key system, since it’s pretty much very minor for their users. Disruption would be for the distro users only, not the whole Linux community.
The obscurity only applies to the desktop, as I would suspect that the majority of web servers run Linux.
Also, we do not have all the details yet. All it could be is a (now ex-) disgruntled employee who had authorisation to work in these departments.
Or it could be that a person who had authority had their account hijacked.
Or it could be something else entirely.
I guess the hacker was good at it. Redhat should hire him.