After several days of extensive forensic work, officials at Gentoo Technologies Inc. believe they have identified the vulnerability and exploit used to compromise one of the servers that houses the code for the company's Linux distribution.
The attacker appears to have used a combination of the recently disclosed local privilege-escalation flaw in the Linux kernel's do_brk() function and a newly found vulnerability in rsync, the open source software that Gentoo uses to distribute new versions and packages to its users. Gentoo officials said they are not certain that this was the exact attack scenario, but say there is a good amount of evidence pointing in that direction.
Both the kernel flaw and the rsync weakness were identified only this week, and the rsync problem was not publicly known until after the Gentoo attack. That would make the compromise of Gentoo's server that rarest of incidents, a true zero-day attack: one in which an attacker exploits a vulnerability before it is publicly known and before a fix is available.
Gentoo officials spent the last two days poring over the forensic data from the compromised server, looking for clues to the attacker's methods and identity. But even with the help of a number of outside experts, they were still unable to say for sure what happened.
“We believe that the rsync vulnerability possibly led to the Gentoo rsync mirror compromise this week. This is after careful review of the forensics by the mirror administrator, the Gentoo security team, the Indiana University IT Security Office, and the X-Force Research arm of Internet Security Systems,” said Corey Shields, a member of the Gentoo Infrastructure Team and rsync mirror coordinator at Indiana University in Bloomington. “Even though the forensics uncovered very good and convincing information, it was still not complete enough to be certain that rsync was the cause in this case.”
The rsync flaw exists in version 2.5.6 and earlier of the software, which is used to transfer and synchronize files across networks. In Gentoo's case, the company maintains several rsync servers so that users can download the latest version of, and updates to, the Gentoo Linux operating system. A number of other Linux distributors use rsync as well and have released new packages in the last couple of days to fix the vulnerability.
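The chain the article describes is a remote foothold in an rsync daemon that normally runs unprivileged, followed by a local kernel exploit for root. The things a mirror operator would check after reading it are therefore the rsync version, the kernel version, and how far the daemon configuration limits what a compromised rsync process can do. The script below is an added example, not Gentoo's or the rsync project's own tooling. The fixed versions it assumes (rsync 2.5.7, and 2.4.23 for the 2.4 kernel series) come from the upstream advisories and are not stated in the article; the sample `rsync --version` output, `uname -r` string and rsyncd.conf are constructed.

```python
"""Audit helper for the rsync + do_brk() chain: added example, not Gentoo's
or rsync's own code.

Assumptions not stated in the article (from the upstream advisories):
  - rsync 2.5.7 fixed the rsync flaw, so 2.5.6 and earlier count as vulnerable;
  - in the 2.4 kernel series do_brk() was fixed in 2.4.23, so older 2.4
    kernels count as vulnerable. Other kernel series are not modelled.
"""
import re

RSYNC_FIXED = (2, 5, 7)
KERNEL_24_FIXED = (2, 4, 23)

# Constructed sample inputs, shaped like `rsync --version`, `uname -r`
# and a typical mirror rsyncd.conf. Not taken from any real host.
SAMPLE_RSYNC_VERSION = "rsync  version 2.5.6  protocol version 26\n"
SAMPLE_UNAME_R = "2.4.22-gentoo-r1"
SAMPLE_RSYNCD_CONF = """\
uid = nobody
gid = nobody
use chroot = no
max connections = 15

[gentoo-portage]
    path = /gentoo/portage
    read only = yes
"""


def parse_version(text):
    """Return the first x.y.z version in text as an int tuple (ignores suffixes)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def rsync_vulnerable(version_output):
    """True if the rsync build is older than the fixed release."""
    return parse_version(version_output) < RSYNC_FIXED


def kernel_do_brk_vulnerable(uname_r):
    """True/False for 2.4.x kernels; None for series this helper does not model."""
    v = parse_version(uname_r)
    if v[:2] != (2, 4):
        return None
    return v < KERNEL_24_FIXED


def parse_rsyncd_conf(text):
    """Minimal rsyncd.conf parser: '' holds global options, [name] holds modules."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def daemon_findings(conf_text):
    """List settings that widen what an attacker inside the daemon can do.

    Defaults follow rsyncd.conf(5): use chroot = yes, read only = yes,
    uid = nobody. Module options override global ones.
    """
    sections = parse_rsyncd_conf(conf_text)
    globals_ = sections[""]
    findings = []
    for name, opts in sections.items():
        if not name:
            continue
        effective = dict(globals_)
        effective.update(opts)
        if effective.get("use chroot", "yes") in ("no", "false", "0"):
            findings.append("%s: use chroot = no" % name)
        if effective.get("read only", "yes") in ("no", "false", "0"):
            findings.append("%s: read only = no (clients can write to the module)" % name)
        if effective.get("uid", "nobody") in ("root", "0"):
            findings.append("%s: daemon serves as root" % name)
    return findings


def audit(rsync_version_output, uname_r, conf_text):
    return {
        "rsync_vulnerable": rsync_vulnerable(rsync_version_output),
        "kernel_do_brk_vulnerable": kernel_do_brk_vulnerable(uname_r),
        "daemon_findings": daemon_findings(conf_text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RSYNC_VERSION, SAMPLE_UNAME_R, SAMPLE_RSYNCD_CONF).items():
        print("%-26s %s" % (key, value))
```

On a live host the three inputs would come from `rsync --version`, `uname -r` and `/etc/rsyncd.conf`. Note the caveat the chain illustrates: `use chroot = yes` and a non-root `uid` limit what a compromised rsync process can reach in the filesystem, but neither stops a local kernel exploit such as do_brk(), which is why the kernel version check matters as much as the rsync one.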
The Gentoo incident wasn't the only high-profile Linux-related compromise this week. Officials at the Free Software Foundation discovered on Monday that someone had broken into the Savannah system and installed a rootkit on the machine. Savannah provides development services and CVS (Concurrent Versions System) hosting to developers working on projects maintained by the foundation, including GNU.
In a message on the FSF's Web site, the group said that the attack appeared to be identical to the one used recently to compromise several of the Debian Project's servers. The FSF did not say whether any of the code stored on Savannah had been tampered with, but said it would be making changes to shore up the security of the system. Savannah has been taken offline, and the FSF hoped to have it back up sometime on Friday.