[ale] Redhat and Fedora servers compromised

Jason Fritcher jkf at wolfnet.org
Fri Aug 22 20:49:10 EDT 2008


On Aug 22, 2008, at 6:37 PM, Jim Kinney wrote:
> The RedHat unauthorized access did involve malicious activity which
> changed the openssh binaries on an unspecified number of RHN
> servers. Currently, RedHat has not released a change in signing keys,
> which indicates either that the binaries were not signed (and thus
> would not be loadable in a properly configured RedHat system) or that the
> signature is invalid (thus again not affecting a properly installed
> RedHat - or CentOS - server). There is an outside chance that
> RedHat's signing key was stolen and they have not revealed that, but
> given the history of RedHat and their openness in general, I
> currently do not think the key has been compromised.

According to the following blog post...

http://www.awe.com/mark/blog/200701300906.html

...Red Hat is using a hardware crypto module to do package signing for
RHEL 5 packages. Unless the intruder figured out a way to extract the
private key from the hardware module, then it should be safe to say
that the key has not been compromised. From what I've read elsewhere,
it appears the intruder managed to get the openssh packages signed by
the system, so I would guess they would appear valid to the receiving
machine, hence the reason for the script to detect if you have one of
them installed.

What I'd like to know is how the machines were compromised so I can  
protect myself from the same exploit(s).

-- 
Jason Fritcher
jkf at wolfnet.org
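Added example (not code from the post, and not Red Hat's own detection script) of the defender-side check the thread implies: flag installed packages whose signature does not verify, and separately flag packages that match a vendor-published list of known-bad builds, because a valid signature alone would not catch packages the intruder had signed through the legitimate system. The "NVRA SIGSTATUS" input columns and the blacklist entries are constructed placeholders.

```shell
#!/bin/sh
# Added example; not from the mailing-list post or from Red Hat.
# A good signature only proves the package passed through the signing
# system, so the check also compares each package against a list of
# known-bad builds that the vendor would publish in an advisory.

# Constructed blacklist (placeholders, not real advisory values),
# one NAME-VERSION-RELEASE.ARCH per line.
BAD_PACKAGES='openssh-0.0.0-badbuild1.x86_64
openssh-server-0.0.0-badbuild1.x86_64'

# check_packages reads lines of "NVRA SIGSTATUS" from stdin. The column
# layout is assumed; on a real host it would be derived from rpm output.
# Prints one finding per line and returns 1 if anything was flagged.
check_packages() {
  status=0
  while read -r pkg sig; do
    [ -n "$pkg" ] || continue
    # Anything other than a verified signature is reported first.
    if [ "$sig" != "OK" ]; then
      echo "BAD_SIGNATURE $pkg"
      status=1
      continue
    fi
    # Signature verified: still compare against the known-bad list.
    if printf '%s\n' "$BAD_PACKAGES" | grep -qxF "$pkg"; then
      echo "BLACKLISTED $pkg"
      status=1
    fi
  done
  return "$status"
}
```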
