[ale] Redhat and Fedora servers compromised
Jason Fritcher
jkf at wolfnet.org
Fri Aug 22 20:49:10 EDT 2008
On Aug 22, 2008, at 6:37 PM, Jim Kinney wrote:
> The RedHat unauthorized access did involve malicious activity which
> changed the openssh binaries on an unspecified number of RHN
> servers. Currently, RedHat has not released a change in signing keys
> which indicates the either the binaries were not signed (and thus
> would not be loadable in a properly configured RedHat system) or the
> signature is invalid (thus again not affecting a properly installed
> RedHat - or CentOS - server). There is an outside chance that
> RedHats signing key was stolen and they have not revealed that but
> given the history of RedHat and their openess in general, I
> currently do not think the key has been compromised.
According to the following blog post...
http://www.awe.com/mark/blog/200701300906.html
...Red Hat is using a hardware crypto module to do package signing for
RHEL 5 packages. Unless the intruder figured out a way to extract the
private key from the hardware module, then it should be safe to say
that the key has not been compromised. From what I've read elsewhere,
it appears the intruder managed to get the openssh packages signed by
the system, so I would guess they would appear valid to receiving
machine, hence the reason for the script to detect if you have one of
them installed.
What I'd like to know is how the machines were compromised so I can
protect myself from the same exploit(s).
--
Jason Fritcher
jkf at wolfnet.org
More information about the Ale
mailing list