WARN: Red Hat Update for Tampered OpenSSH Packages

win32sux · 08-24-2008, 04:12 AM

Quote:

Description:
Red Hat has issued an update for openssh, which corrects a small number of OpenSSH packages that have been tampered with.

Some packages have been signed during an intrusion incident on the Red Hat computer systems. The vendor is still investigating the incident.

An issue that prevents ssh from using a trusted X11 cookie if creation of an untrusted cookie fails has also been corrected.

Solution:
Updated packages are available via Red Hat Network.

Secunia Advisory | CVE-2007-4752

You can read about this security breach on several sites, such as The Register, CNET News, and SecurityFocus.

Red Hat, Inc. has set up an informational page for its users here.

xnomad · 08-24-2008, 06:18 PM

Hi,

Just a quick question. During the recent intrusion on the Red Hat systems the intruder signed some of the packages. What's the motivation behind that? Surely a different PGP signature is going to alert people installing that package with yum?

pinniped · 08-24-2008, 06:34 PM

Who knows - it could be someone breaking in and signing for bragging rights. Then again, people often ignore warnings if they believe the software is from a trusted source. When I play around with Debian archives I often get a "signature cannot be verified" and I can choose to ignore that, or else update my key file and try again. So if someone cracked the Debian servers and changed the archive keyring as well as signed some packages, if someone updated from the bad keyring then they could install bad packages without ever knowing.

win32sux · 08-24-2008, 06:45 PM

I moved your posts into this thread in order to keep the discussion in one place.

chort · 08-24-2008, 09:06 PM

Quote:

Originally Posted by xnomad

Hi,

Just a quick question. During the recent intrusion on the Red Hat systems the intruder signed some of the packages. What's the motivation behind that? Surely a different PGP signature is going to alert people installing that package with yum?

They were apparently able to use Red Hat's signing key.

win32sux · 08-25-2008, 08:55 PM

Hopefully once Red Hat, Inc. has completed its forensic analysis they will provide us with some details as to what exactly happened (and what they are doing to prevent it from happening again). I've been monitoring the news and haven't seen anything of that sort yet, though. And the Red Hat website is still down for "planned maintenance".

Quote:

We are currently performing routine systems maintenance and our on-line systems are temporarily unavailable. We apologize for this inconvenience, and we will work with you over the phone to help. Please call us at the numbers below or try your web request again later.

My guess is that the Fedora Project will come clean first, though.