Red Hat Digital Keys Violated by Intruder
Just about the most serious breach of security possible at an OS vendor happened to this company. Red Hat is releasing updated OpenSSH packages to address the compromise of its internal systems.In perhaps the most appalling breach of security at a major operating system vendor, Red Hat has revealed that a compromise of its internal systems included the digital signing keys for its distributions. An Aug. 22 advisory from Red Hat announces new OpenSSH packages to deal with the problem:
In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html.
In other words, the attacker was able to sign files with Red Hat's keys. Presumably these were not benign versions he signed. Red Hat stresses that there is no evidence that any such hacked copies got out through its normal distribution channels to its own customers, but it's possible that some mirrors picked up the code.
220.127.116.11 - Linux Apache/2.2.3 Red Hat - 19-Aug-2008 18.104.22.168 - Linux Apache/2.2.0 Fedora - 16-Aug-2008 22.214.171.124 - Linux Apache/2.2.3 Red Hat - 19-Aug-2008What could this mean? Just another abundance of caution, perhaps, but the same switch is not present in the history for redhat.com. Personally, I'm just astonished at this, even though there have been internal compromises of distributions of operating systems and major applications before. Trojaned versions of OpenSSH have been distributed in the past. And in 2007 the distribution server for WordPress was compromised and malicious code inserted. Imagine the horrifying fallout if such a thing happened at Microsoft. In fact, it sort of did happen once, back in 2001. One of the HTTP servers running Windows Update and serving download bits was hit by the CodeRed worm and taken down quickly. It's a stretch to argue that any users were affected. A CodeRed compromise primarily involved defacement of the home page (which I guess is why it was noticed quickly), an attempt to spread itself and, much later, launching a DOS against certain fixed IP addresses (including the White House). I'd argue that this Red Hat incident is a far worse and more dangerous scandal. For instance, it's not clear to me that Red Hat can be sure how long the keys were compromised. Months? Who knows? The last few years have seen a lot of bloom coming off the open-source security rose. I suspect there won't really be heavy fallout for Red Hat because, as serious as this is, it's just not all that shocking. Our standards used to be a lot higher. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.