Fedora, Red Hat, and distributor security
Fortunately for the Fedora Project (and its users), an audit has determined that nobody made use of the key while the intruder was present. So, even if some means for capturing something as transient as the passphrase were in place, that passphrase was not exposed, and, thus, cannot have been compromised.
Needless to say, the project is changing its package signing key anyway.
Interestingly, the Fedora Project was not the only target in this attack: Red Hat,
too, was compromised. Unlike Fedora, Red Hat did not issue a statement
specifically about this intrusion; instead, the information was included in
an openssh
security update. In this case, the attacker was more successful, to
the point of being able to sign "...a small number of OpenSSH
packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64
architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture
only).
" This language deserves to be questioned: it is only
necessary to sign a single openssh package (certainly qualifying as a
"small number") to compromise thousands of RHEL hosts, and the "only" terms
describe what must be a large majority of deployed RHEL systems. Seriously
scary, but Red Hat has been able to convince itself that none of the
compromised packages were fed out to RHEL subscribers. So this attack,
too, failed - but not by much.
Needless to say, disclosures like this raise more questions than they answer. The one question that Fedora and Red Hat will have to answer at some point is this: how did the intruder get in? One assumes that Fedora and Red Hat are running their own distributions on their internal systems; it thus stands to reason that, if those distributions contained a vulnerability that allowed the attacker to get in, many other systems will also be vulnerable. If, instead, this compromise is the result of administrator or developer error (or, say, of a lost laptop), administrators responsible for Fedora and RHEL systems can breathe a little easier. Either way, they deserve to know how this series of events came to pass.
Some people would like to have that information immediately. Beyond that, there has, predictably, been a fair amount of grumbling (also predictably, from a relatively small number of people) on the Fedora lists on how this incident was handled. Your editor, too, has argued that some information took too long to emerge. He will now argue that, while Fedora still has more to disclose, the project has said enough to give itself some breathing room while it struggles to put its infrastructure back together and figure out what really happened. There's all kinds of good reasons why more information may not be immediately forthcoming, including the obvious possibility that nobody really knows yet how the intruder gained access. There is little to be gained from hammering on Fedora at this point at this time.
That said, anything the project can say to tell its users whether they should be worried about an undisclosed vulnerability in their systems would be most welcome, and sooner would be better than later.
Meanwhile, what can be done, and what Fedora board member Jeff Spaleta, in particular, has been pushing for, is to think about how things should be handled the next time. Says Jeff:
If people want things to be better, if god forbid something like this happens again, then a serious effort to write a communication process has to be written up and it must be agreeable to legal as a workable process that won't set off any legal liability landmines.
The Fedora Project should certainly write up a policy for situations like this. It would be good for Fedora's users, but it could have an effect far beyond that: such a policy could serve as an example for other distributors as well. It is, after all, probably safe to say that Fedora is not the only distributor which has, thus far, neglected to put plans in place for this sort of disaster.
We all need such plans. For better or for worse, distributors have come to occupy an important position with regard to the security of much of the net. Millions of systems run packages signed by Linux distributors; they depend, implicitly, on the security of the process used to create those packages. That process is not a small one; it can involve hundreds of developers, before even counting all of those involved in upstream development projects. The consequences of a failure anywhere in that chain of trust can be severe. It is not surprising that the distribution system was attacked; perhaps the only real surprise is that it has not happened more often - that we know of. These attacks will happen again; distributors need to have a firm idea of how they will respond.
A related subject is worth a quick mention: as of this writing, the Fedora Project has issued no security updates since August 12, almost a full two weeks. A number of significant vulnerabilities, including the postfix symbolic link vulnerability, remain unpatched for Fedora users. Red Hat has done better, but not by much. Linux users depend heavily on the distributor security update process, and, for these two distributions, that process has been severely disrupted. If there had been a truly serious vulnerability disclosed during this time, people charged with keeping Fedora and RHEL systems secure might have found themselves in a difficult position. One need not be overly paranoid to envision this type of disruption being done intentionally as part of a zero-day attack on the net.
This incident should serve as a sort of wake-up call for both distributors and their users. Distributors wanting to retain their users' trust should be thinking about documenting things like:
- How the packaging chain is kept secure. It would be good to know
how many people are able to sign packages, and how they gain access to
the systems where this signing is done.
- What sort of plans the distributor has in place for dealing with
security problems. One can only assume that Red Hat dedicated (and
continues to dedicate) a large amount of staff time to understanding
and recovering from this incident. Would other distributors be willing
and able to do the same?
- What are the plans for dealing with a major security breach? How
might a critical security update be propagated during a time when the
integrity of the packaging system has been compromised?
- Should something go wrong, when and how will information be communicated to the wider community?
Conversely, anybody who is deploying an important Linux-based system should be asking such questions when choosing a distribution for that system. If the system requires high-assurance guarantees in this regard, it probably makes sense to look at the vendors who are willing to provide such guarantees for a fee. But, again, the lesson we have learned from recent events is that the time to ask these questions is now, and not when something has gone wrong and people are running around in circles.
As a whole, Linux users have been very well served by distributors since
the very beginning. The distributors pull together thousands of software
releases and integrate them into a coherent whole; they then make the
results available, often for free. They provide fixes when things break,
and most of them pay particular attention to fixing security-related
problems. And they have done a top-quality job of not being used as a
conduit for hostile software. It's a great system, and that has not
changed. But we have learned something about how heavily we depend on that
system, and how it can fail. Proper application of the lessons from this
episode should help us all to be more secure in the future.
Posted Aug 25, 2008 20:46 UTC (Mon)
by gnu_lorien (subscriber, #44036)
[Link] (1 responses)
1] An explanation of how they discovered, tracked, and have verified the damage that the intruder caused.
2] What, if anything, can we users do to alert Fedora/Red Hat if we come across a package that seems to be forged or exploited in their distribution?
Posted Aug 25, 2008 21:00 UTC (Mon)
by rahulsundaram (subscriber, #21946)
[Link]
Posted Aug 25, 2008 23:57 UTC (Mon)
by bojan (subscriber, #14302)
[Link]
It would be relatively easy to physically separate the system used for signing packages, so that no network access is possible (i.e. backup built packages to a medium, take it to the signing machine, sign, backup again, put into repository). Sure, this would make things slower, but even now there is quite a delay between building a new package in koji and having it available in the repo. But that would only deal with half the problem.
If the build system gets compromised (which is used by _many_), it may be all over too. In such a case you would have legitimate signers signing packages that are no good. I guess having a disconnected replica of the build system may be a solution, where all built packages destined to land in updates would be rebuilt for verification, but that would be quite complicated and expensive to do.
Of course, all the above would assume that Fedora contributors themselves are not subverting the system (knowingly or not). Maybe the real solution is to actually use this potential vulnerability to create more protection, by requiring certain number of contributors to sign all packages with their own private keys before they are considered valid. In such a scenario, attackers would have to compromise many private keys owned by many different people in order to have an effect. And these signers would have an opportunity to verify that the builds are correct, by performing their own.
Posted Aug 25, 2008 23:58 UTC (Mon)
by jengelh (guest, #33263)
[Link]
My guess is that a company like Microsoft would not even tell the world that intrusions have happened. So Redhat is a big step ahead already.
Posted Aug 26, 2008 0:47 UTC (Tue)
by kov (subscriber, #7423)
[Link] (3 responses)
The Debian servers compromise of 2003 was handled much more timely and in a better fashion, and should be taken as example and standard for comparison in my opinion. Taking a look at the history for the 2003 compromise may be a good way of understanding what I am talking about:
Initial announcement: http://www.debian.org/News/2003/20031121
Initial detailed report for the public developers announce mailing list: http://lists.debian.org/debian-devel-announce/2003/11/msg...
Final detailed report: http://www.debian.org/News/2003/20031202
Posted Aug 26, 2008 1:01 UTC (Tue)
by jspaleta (subscriber, #50639)
[Link] (1 responses)
-jef
Posted Aug 26, 2008 5:45 UTC (Tue)
by sbergman27 (guest, #10767)
[Link]
Please do let us know how it goes and what comes of the discussion.
Posted Aug 28, 2008 9:54 UTC (Thu)
by hadess (subscriber, #24252)
[Link]
And it's easier to report about a break-in when the problem has been diagnosed. It's most likely still being diagnosed and plugged before making the full timeline public.
Posted Aug 26, 2008 6:10 UTC (Tue)
by sbergman27 (guest, #10767)
[Link] (5 responses)
Uhhh, how do we know that, exactly?
"""
And how, exactly, can we be sure of that?
The strictly proper, though perhaps impractical procedure, at this point, would be for affected RHEL users to reinstall. And Fedora users, too, really. In this particular situation, there is too much at stake on all sides to allow for blind trust on the users' part.
Posted Aug 26, 2008 6:16 UTC (Tue)
by drag (guest, #31333)
[Link] (2 responses)
Compile it from scratch or whatever you want.
Posted Aug 26, 2008 17:16 UTC (Tue)
by sbergman27 (guest, #10767)
[Link] (1 responses)
Recompiling Fedora, though, is not as trivial as you seem to imply. It takes the CentOS team two weeks to a month to make the much smaller and more stable recompiled RHEL available after a new release. (Though individual package/security updates are lightning fast to arrive.)
Posted Aug 26, 2008 18:22 UTC (Tue)
by drag (guest, #31333)
[Link]
If you want a entire new OS, just use Debian or CentOS! :D
Posted Aug 26, 2008 6:18 UTC (Tue)
by JoeBuck (subscriber, #2330)
[Link] (1 responses)
There's no rational reason why a reinstall would be a good move.
Posted Aug 26, 2008 17:39 UTC (Tue)
by sbergman27 (guest, #10767)
[Link]
Good point. It really depends upon how many hours, days, or weeks, one thinks that the "infrastructure issues" have actually been going on. Their carefully worded statement (written by RH Legal and channeled through Paul, IMO) implies that they caught it quickly. If one believes that, then one could simply reinstall and apply only the security related updates. (There is a yum plugin to do that.) As of Aug 25, 2008, they have not released any security updates since Aug 12, 2008 anyway. And I think that we can be reasonably certain that they have expunged the intruders at this time. If the baddies had actually been into their infrastructure for longer, it may make more sense to reinstall... another distro. (I would not be in that camp, though.) The problem, there, is deciding what to install. For servers SLES comes to mind. But I'd trust Novell even less during such a time of crisis. I'm really, really, not one to push Debian. But, in this context, I must admit that I would trust them, more than just about anyone else, to be forthcoming, communicative, and to do the right thing (after a number of absolutely *huge* and entertaining flame wars on their mailing lists) even if it meant damaging their reputation. Viewed from a financial liability standpoint, whereas Red Hat has much to protect, with Debian... well... you can't get blood out of a turnip.
Oh my. I fear that I may have succeeded in offending pretty much everybody with this post. Try to take it in the spirit in which it was intended. :-)
-Steve
Posted Aug 26, 2008 11:06 UTC (Tue)
by tialaramex (subscriber, #21167)
[Link]
If the encrypted Fedora key was stolen then the only things protecting a typical Fedora installation from trojans and similar attacks are a trustworthy communication channel (dubious since they mostly update via HTTP or FTP) and the strength of the passphrase for the encryption. Let's hope they chose well.
Posted Aug 26, 2008 19:07 UTC (Tue)
by OLPC (guest, #47981)
[Link] (1 responses)
Depending on the precise circumstances it may be quick, or very slow to be able to come to a final conclusion on happened....
When freedesktop was compromised, it was several months before the *last* project hosted there verified that no source had been tampered with, and we could finally conclude it was extremely likely the compromise was just a spammer attracted to a fast machine on a gigabit/second link. Everything important was up within a week or so. In the RH/Fedora case, they are in a much worse situation.
So your milage will vary....
Posted Aug 28, 2008 19:57 UTC (Thu)
by jcvw (subscriber, #50475)
[Link]
Don't forget Ken Thompson's Turing award lecture...
See http://cm.bell-labs.com/who/ken/trust.html
Posted Aug 28, 2008 10:16 UTC (Thu)
by ortalo (guest, #4654)
[Link]
Obviously, compromission of the primary package signing key of a major distributor is a kind of a big deal. But while adressing communication concerns, crisis organization, etc., shouldn't we ask ourselves too if there are there other big risks (possibly unadressed) and try to propose some sensible list?
Furthermore, with open-source systems, we can do no less than trying to do such risk analysis in the open too, no? And, an "open" risk analysis would be some rather new and possibly very interesting thing in that area (my humble opinion).
There is also a recurrent problem with this kind of debate: for a while after a big incident happened, everyone listens to the question but also heavily focusses on the specific incident; and when everything goes well, nobody really listens to those trying to prepare (quietly) for bad things... (Well, I suppose that's human...;-)
Posted Sep 13, 2008 2:00 UTC (Sat)
by lsatenstein (guest, #34741)
[Link]
Suppose the method of breaking in is common to Debian, and any other linux distribution. Should explaining the breakin in public add comfort to end-users and clues to hackers? I would say yes to the latter situation.
A comparison was made that Debian released an announcement and fix within three days of determining / solving the problem. But that was a SSH problem, not a compromise of any of their packages that would end up around the world.
Thank you Red Hat for following the course of action you did.
Leslie Satenstein
Posted Sep 23, 2008 1:35 UTC (Tue)
by ch (guest, #4097)
[Link]
Fedora, Red Hat, and distributor security
Fedora, Red Hat, and distributor security
Packaging chain
Fedora, Red Hat, and distributor security
Fedora, Red Hat, and distributor security
Fedora, Red Hat, and distributor security
Fedora, Red Hat, and distributor security
I think this will make for an excellent point of discussion for Fedora policy.
"""
Fedora, Red Hat, and distributor security
Fedora, Red Hat, and distributor security
Fortunately for the Fedora Project (and its users), an audit has determined that nobody made use of the key while the intruder was present.
"""
...but Red Hat has been able to convince itself that none of the compromised packages were fed out to RHEL subscribers. So this attack, too, failed - but not by much.
"""
Fedora, Red Hat, and distributor security
Fedora, Red Hat, and distributor security
Fedora, Red Hat, and distributor security
If you've suddenly decided not to trust that Red Hat and Fedora are telling the truth, what are you going to install? You could install from older media, and then you get the security bugs back. To get the bug fixes, you have to upgrade, but since you say that you won't trust that they've gotten the bad guys out, how are you going to do that?
Fedora, Red Hat, and distributor security
Fedora, Red Hat, and distributor security
If you've suddenly decided not to trust that Red Hat and Fedora are telling the truth, what are you going to install?
"""
key storage
Fedora, Red Hat, and distributor security
Trust: Fedora, Red Hat, and distributor security
You cannot ever trust what you get, not even when you recompile yourself, not even when recomiling gcc.
Fedora, Red Hat, and distributor security
I can think of several other "big threats" that could be "amusing" to consider (if we do that before they occur):
- single-file compiler compromission;
- top-level administrator compromission (via big amount of money or other kind of human pressure)
- whole company compromission (e.g. company acquisition by an open-source hostile competitor)
- theoretical cryptanalysis breakthrough (ouch, AES in the dustbin!)
- [your idea here]
[Start another list with safety-related issues: fire, water, electricity, etc.]
Fedora, Red Hat, and distributor security
Montreal Quebec, Canada
Fedora, Red Hat, and distributor security