An attacker stole the account credentials of a Fedora contributor and accessed Fedora servers, but project leaders say the attackers apparently didn't succeed in compromising any software packages or servers.
An attacker attempted to compromise the servers for the Fedora Project, the
community version of the Red Hat Enterprise Linux, but didn't damage any
servers or code, according to an e-mail sent to the Fedora mailing list on Jan.
In the message, titled "A
security incident on Fedora infrastructure
," Fedora Project leader
Jared Smith disclosed that a Fedora contributor's log-in and password credentials
were stolen and used to access the systems on Jan. 22.
The account belonged to a contributor who had access to push code packages
in the Fedora SCM, to perform builds and to
make updates to Fedora packages, according to Smith. The contributor was not a
member of any sysadmin or Release Engineering groups and had only limited
privileges on fedorapeople.org, he wrote.
The Fedora Infrastructure Team investigated the incident, and was able to
conclude that the attacker did not push any changes to the Fedora SCM,
access the project repositories at pkgs.fedoraproject.org, perform any builds
or push out any package updates, according to Smith. "We do not believe
that any Fedora packages or other Fedora contributor accounts were affected,"
and there is "no evidence" that the compromise "extended beyond
this single account," he wrote.
What the attacker did manage to do was to change the value of the SSH key
saved in the Fedora Accounts System and log in to fedorapeople.org, Smith said.
The breach was discovered because the original account user received an e-mail
from Fedora Account System indicating some account details had been changed. As
soon as the Infrastructure Team was notified, the compromised account was
locked down and a thorough audit of the logs was conducted to track all
attacker activity, Smith wrote. The Infrastructure Team took snapshots of all
the filesystems the account had access to and compared it with previous
snapshots to ensure no changes had been made.
With the compromise of fedorapeople.org, the attacker could have pushed
changes to Fedora's SCM system, but Smith
said it wasn't likely. He still encouraged Fedora package maintainers to report
anything they considered suspicious.
The account information was "compromised externally," and the "Fedora
Infrastructure was not subject to any code vulnerability or exploit,"
Smith wrote. He reminded contributors of the importance of choosing a strong
password and to not reuse their Fedora password on other Websites or accounts.
This is the third attack on an open-source project in the past few weeks. In
December, the main source code repository for the Free Software Foundation was
shut down after attackers compromised the site's account passwords. Also in
December, attackers hacked
servers via an unpatched vulnerability in the application. For
three days, anyone downloading the open-source file transfer application
received an infected version that provided attackers with unauthorized access
to their systems.
twice in 2010, and Fedora was compromised once before in 2008. In
that incident, both Fedora and Red
Hat servers were "illegally accessed,"
according to a note by
Fedora Project Leader Paul Frields at the time. But again, attackers did not have
any impact on Fedora Linux or related packages. After the compromise, both Red
Hat and Fedora reissued security keys and improved security practices, even
though it meant delaying Fedora product releases.