
Enterprise Linux 5.2 to 5.3 risk report (Red Hat Magazine)

Red Hat's Mark Cox has put out another risk report looking at the vulnerabilities fixed from RHEL 5.2 until today's release of RHEL 5.3. In the report, he looks at the number of vulnerabilities as well as the time it took to fix them. "In fact, for Red Hat Enterprise Linux 5 since release and to date, every critical vulnerability has had an update to address it available from the Red Hat Network either the same day or the next calendar day after the issue was public."

Finally some news about the intrusion?

Posted Jan 21, 2009 1:01 UTC (Wed) by JoeBuck (subscriber, #2330) [Link]

I noticed this item:
An update to OpenSSH (August), provided to mitigate an intrusion into certain Red Hat computer systems. The attacker was able to sign a small number of tampered packages, but they were not distributed on the Red Hat Network. We classified this update as critical to ensure any tampered packages would be replaced with official packages.
So, is that what happened to Fedora?

Hmm...

Posted Jan 21, 2009 1:06 UTC (Wed) by pr1268 (subscriber, #24648) [Link]

Looks suspicious. You'd think that Red Hat would be a little more forthcoming in announcing the discovered root cause of the Fedora issue rather than quietly trying to sneak it by. While I don't mean to pass summary judgment on Red Hat/Fedora, this blurb still looks highly suspect...

Hmm...

Posted Jan 21, 2009 1:36 UTC (Wed) by drag (subscriber, #31333) [Link]

I don't think it was any secret that a person was able to obtain a signing key from Fedora and sign an OpenSSH package.

http://www.scmagazineus.com/Red-Hat-warns-of-Fedora-OpenS...

None of this means that OpenSSH was what _caused_ the compromise. Probably just a developer using a shitty password or being careless about ssh'ing from one machine to another. Similar problems led to Debian's servers getting hacked a few years ago.

Hmm...

Posted Jan 21, 2009 1:43 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link]

"I don't think it was any secret that a person was able to obtain a signing key from Fedora and sign an OpenSSH package."

Just as a clarification, the article you point to is misleading. There has been no evidence that the Fedora keys were ever compromised. The keys were changed purely as a precautionary measure.

Hmm...

Posted Jan 21, 2009 13:59 UTC (Wed) by hppnq (guest, #14462) [Link]

> Just as a clarification, the article you point to is misleading.

Objection, your Honor! The article in fact agrees with you. But I, because I am not a lawyer, would say that stressing the precautionary nature of the change of keys is somewhat misleading. It was a necessity by any reasonable security standard, even if the intruder did not actually get her hands on the signing key.

Hmm...

Posted Jan 21, 2009 14:19 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link]

The article introduction is definitely misleading:

"Red Hat on Friday delivered an urgent fix for its OpenSSH packages after the Linux distribution provider disclosed that intruders illegally accessed a number of Fedora servers."

Hmm...

Posted Jan 21, 2009 15:41 UTC (Wed) by hppnq (guest, #14462) [Link]

Indeed: the Red Hat packages were updated after a Red Hat system intrusion. A similar intrusion on at least one Fedora system happened around the same time, but this was allegedly unrelated. While there was no evidence that the Fedora keys were compromised, the Red Hat ones definitely were, and a critical openssh update was released.

Please bear with us for confusing at times what Red Hat or Fedora related system was compromised at what time and with what consequence. The reference to Fedora in your quote from the article is clearly meant to be "Red Hat", and this will be obvious if you actually read the article. This cannot be called "misleading".

Hmm...

Posted Jan 21, 2009 16:53 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link]

Yes, the rest of the article makes it clearer, and I have read that already, but the introduction is still misleading, and at least one person was confused reading the article, as is evident in the comments earlier.

If the article wanted to refer to Red Hat servers, they should just say that directly instead of saying Fedora servers, since Red Hat infrastructure is typically separate from Fedora servers, which are hosted publicly and sponsored by others (http://fedoraproject.org/en/sponsors), and these two terms in this context cannot be used interchangeably.

Hmm...

Posted Jan 21, 2009 23:13 UTC (Wed) by jspaleta (subscriber, #50639) [Link]

It's important to stress that the RHEL process uses a physical piece of cryptographic hardware such that the key itself cannot be copied and used on an unauthorized system. This has a direct impact on what it means to compromise such a system compared to a system which uses software-only keys.

A system or account with access to use the cryptographic hardware device can be compromised, and that will allow the person to sign with the key for as long as they continue to have access to the Red Hat system. But that person will never be able to take the key and use it later, after the unauthorized system/account access is discovered and corrective action to restore the compromised system is taken.

The RHEL hardware-based key cannot be stolen and used later on another system without the knowledge of authorized RHEL developers. It can only be used on a system that already has authorization to access the hardware device. Unless of course someone steals the physical hardware component... but that would sort of be obvious, as package signing would no longer work for authorized users.

For details on the RHEL process, I found this to be enlightening and explains why RHEL didn't need to replace its signing key:

http://www.awe.com/mark/blog/200701300906.html

Is RHEL the only Linux distribution that is making use of this sort of hardware-based crypto for package signing to mitigate against unauthorized use?

-jef

Hmm...

Posted Jan 22, 2009 0:22 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

I suspect that very few distros use hardware management of their encryption keys.

1. It's very expensive (tens of thousands of dollars per copy).

2. If properly done, it requires physical access to the hardware to work with it (if you can trigger signing of packages remotely, then it really doesn't matter if your signing key is compromised or just the password that allows a remote system to tell the hardware to sign what it's handed).

So it adds a significant cost and slows and complicates the signing process.

And other than the bragging rights, what is the benefit of doing so?

Hmm...

Posted Jan 22, 2009 0:47 UTC (Thu) by hppnq (guest, #14462) [Link]

> It's important to stress that the RHEL process uses a physical piece of cryptographic hardware such that the key itself cannot be copied and used on an unauthorized system.

This makes the Red Hat case a bit worse than the average intrusion: someone had to break into at least two systems. And actually did.

Hmm...

Posted Jan 22, 2009 1:09 UTC (Thu) by jspaleta (subscriber, #50639) [Link]

I don't know how you come to that conclusion. I think you should probably read the blog article again. Accounts are authorized to make use of the functionality; there's no indication that it requires more than unauthorized use of an account with permission to access the functionality.

-jef

Hmm...

Posted Jan 22, 2009 9:30 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

> there's no indication that it requires more than unauthorized use of an account with permission to access the functionality.

maybe you know something the rest of the world doesn't? is 'permission to access the functionality' protected by hardware means? or is it all just software? because if it's the latter, then something as simple (and in abundance) as an exploitable kernel bug can trivially elevate privileges of an otherwise unauthorized account as well. but then maybe your 'no indication' is a reference to the yet-to-be-seen report everyone's been waiting for for almost half a year now.

Hmm...

Posted Jan 22, 2009 10:51 UTC (Thu) by hppnq (guest, #14462) [Link]

> there's no indication that it requires more than unauthorized use of an account with permission to access the functionality

If there was no such second system it's even worse. I do not, by the way, expect Red Hat people to blog about the exact measures taken to protect a vital part of the infrastructure.

Hmm...

Posted Jan 22, 2009 19:13 UTC (Thu) by mmcgrath (subscriber, #44906) [Link]

> If there was no such second system it's even worse. I do not, by the way, expect Red Hat people to blog about the exact measures taken to protect a vital part of the infrastructure.

I hold Red Hat and Fedora to pretty high standards. I'd think they would blog about those exact measures. Anything short of that is security through obscurity. I know there's work under way in Fedora to build a completely open source rpm signing server.

/me notes he works for RH

Hmm...

Posted Jan 22, 2009 21:08 UTC (Thu) by hppnq (guest, #14462) [Link]

> I'd think they would blog about those exact measures. Anything short of that is security through obscurity.

Blogging about your security measures does not make you more secure. I wish someone would blog about the cause of the intrusions.

Hmm...

Posted Jan 22, 2009 21:28 UTC (Thu) by mmcgrath (subscriber, #44906) [Link]

> Blogging about your security measures does not make you more secure.

I actually meant that good would come of it. People look to companies like Red Hat to see how to do things. I'm sure lots of people would be interested in how RH does X or how they secure something with Y. That's why Fedora's entire infrastructure is on only Open Source software. Everything we do in Fedora can be replicated elsewhere.

> I wish someone would blog about the cause of the intrusions.

So do I, and I look forward to the day I can blog about it :-/

Hmm...

Posted Jan 21, 2009 1:39 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link]

FYI, the openssh update on RHEL 5 is not new information at all. It was mentioned in

https://www.redhat.com/archives/fedora-announce-list/2008...

Hmm...

Posted Jan 21, 2009 20:11 UTC (Wed) by iabervon (subscriber, #722) [Link]

In response to the intrusion, Red Hat released new OpenSSH packages (with no changes) after rotating keys, to make sure that the newest OpenSSH packages available would be newer than any packages that could have been created and signed by the intruder.

Unless we've got a time-traveler, the intruder couldn't have gotten in by connecting to an OpenSSH server with a back door, creating a package with the back door, signing it, and sending it back in time so that the Red Hat servers pick it up and install it.
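The supersede-by-version approach iabervon describes (re-issue the affected packages with a higher version so that any build an intruder might have signed loses to a normal update), together with the key rotation discussed earlier in the thread, can be checked against a host's package inventory. The Python below is an added example written for this page, not code from Red Hat, Fedora or the rpm project: it reimplements rpm's version-segment comparison in simplified form (the `~` and `^` rules of newer rpm are left out) and flags installed packages that either verify against a key no longer trusted or are older than a re-issued build. The package versions and key ids are constructed placeholders, modelled on RHEL 5 naming but not asserted to be the actual update versions or Red Hat's real keys.

```python
import re
from dataclasses import dataclass

# Split a version string into digit runs and letter runs; every other
# character (".", "_", "-", "+") is a separator and is ignored, as rpm does.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings; returns -1, 0 or 1.

    Simplified reimplementation of rpm's rules (not rpm's own code):
    numeric segments compare as integers, alphabetic ones lexically,
    a numeric segment outranks an alphabetic one, and the string that
    still has segments left over is the newer one.
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)          # int() drops leading zeros
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


@dataclass(frozen=True)
class EVR:
    epoch: int
    version: str
    release: str

    def __str__(self) -> str:
        return f"{self.epoch}:{self.version}-{self.release}"


def evrcmp(a: EVR, b: EVR) -> int:
    """Epoch wins outright, then version, then release (the order rpm uses)."""
    if a.epoch != b.epoch:
        return 1 if a.epoch > b.epoch else -1
    return rpmvercmp(a.version, b.version) or rpmvercmp(a.release, b.release)


@dataclass(frozen=True)
class InstalledPkg:
    name: str
    evr: EVR
    signer: str   # id of the key the package signature verified against


def audit(installed, reissued, trusted_keys):
    """Return (package, reason) pairs a defender would act on.

    'untrusted-signer': the signature key is not in the current trusted set
    (for example a key retired after an incident).
    'superseded': a re-issued build with a higher EVR exists, so a routine
    update replaces this package whoever signed it; that is why the
    re-issued build only has to be newer, not functionally different.
    """
    findings = []
    for pkg in installed:
        if pkg.signer not in trusted_keys:
            findings.append((pkg.name, "untrusted-signer"))
        newer = reissued.get(pkg.name)
        if newer is not None and evrcmp(pkg.evr, newer) < 0:
            findings.append((pkg.name, "superseded"))
    return findings


# Constructed sample inventory: placeholder versions and key ids.
INSTALLED = [
    InstalledPkg("openssh", EVR(0, "4.3p2", "26.el5"), "KEY-CURRENT"),
    InstalledPkg("openssh-server", EVR(0, "4.3p2", "26.el5"), "KEY-UNKNOWN"),
    InstalledPkg("bash", EVR(0, "3.2", "24.el5"), "KEY-CURRENT"),
]
REISSUED = {
    "openssh": EVR(0, "4.3p2", "26.el5_2.1"),
    "openssh-server": EVR(0, "4.3p2", "26.el5_2.1"),
}
TRUSTED_KEYS = {"KEY-CURRENT"}

if __name__ == "__main__":
    for name, reason in audit(INSTALLED, REISSUED, TRUSTED_KEYS):
        print(f"{name}: {reason}")
```

On a real host the signer id would be read from each package's signature (rpm -qi lists it on the Signature line) and the trusted set from the keys currently imported into the rpm database; the comparison logic is the same. Note that the "superseded" finding deliberately fires whether or not the installed package's signer is trusted: the re-issued build is meant to sweep away every older copy, which is the point iabervon makes.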

Hmm...

Posted Jan 21, 2009 23:48 UTC (Wed) by hppnq (guest, #14462) [Link]

Minor nitpicks: the updated Red Hat packages did contain a minor fix, and not just Red Hat systems were compromised, but also Fedora suffered an intrusion. Since they are apparently physically unconnected, it seems there must be some other connection between the Red Hat and Fedora intrusions -- probably not a wormhole.

Maybe it was a really bad hair day.

Hmm

Posted Jan 22, 2009 20:41 UTC (Thu) by jrandom (guest, #56274) [Link]

I dunno. If one takes a few dots, for instance
https://rhn.redhat.com/errata/RHSA-2008-0533.html
https://rhn.redhat.com/errata/RHSA-2008-0855.html
from the report, and another one that was not mentioned in the report
http://rhn.redhat.com/errata/RHSA-2008-0815.html
I would say that the picture looks bleaker if you connect the dots, and 0815 should have had the risk updated.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds