Hackers compromised a private e-mail list used by distributors of open-source software to discuss security vulnerabilities and forced the list to shut down.
The “Vendor Sec” security list was used by Linux and BSD distributors and developers to discuss potential security vulnerabilities in the kernel, libraries or applications. An unknown attacker opened up a backdoor to the mail server hosting the list and was able to sniff all e-mail traffic, wrote Marcus Meissner, the moderator of the mailing list, in a message to the OSS Security mailing list on March 3. Even though Meissner closed that particular hole, the attacker managed to re-enter and destroy the server a day later. As a result, Meissner decided to not resurrect the server or the mailing list.
“So everyone please consider vendor-sec@….de is dead and gone at this point, successors (or not) will hopefully result out of this discussion,” he wrote on March 4.
Meissner detected the original breach in late February, but the timestamp on the logs indicate the break-in may have occurred on Jan. 20, he wrote in the first note notifying members of the breach. However, he acknowledged there was a possibility the breach may have existed before Jan. 20. He also said he didn’t know how the attacker had managed to compromise the machine.
The attacker likely used the security backdoor to examine e-mail traffic and capture confidential information about security vulnerabilities found in free and open-source products, Meissner said. Members use the list to coordinate release schedules for security updates and patches resolving bugs. Much of the information on the list was under embargo to give vendors time to close their holes. This is valuable information for criminals, as the list was a direct source of exploits for unpatched vulnerabilities in Linux and BSD.
In his March 3 note, Meissner said the system hosting the mail server was “quite old” and the administrators, including himself, no longer had the time to keep the machine secure. He’d disabled the backdoor, but said he expected it to reappear as he was still unclear as to the actual attack path taken by the attacker.
He suggested moving the list to another server and proposed using Gnu Privacy Guard, an open-source implementation of the PGP (Pretty Good Privacy) encryption standard for e-mail so that all e-mail messages on the list are signed and encrypted.
Until the move, he recommended that embargoed issues not be sent to the list.
The attacker re-entered the server shortly after Meissner’s e-mail and “went amok and destroyed the machine installation,” Meissner wrote in a follow-up note. With the system out of commission, Meissner decided to not try to repair the machine or move to the new host. Instead, he suggested the community discuss whether there should be any changes in how the closed list was set up and managed.
Meissner also questioned whether there was any need for this kind of a closed mailing list considering there are other mailing lists such as OSS Security. He also noted that many projects are beginning to be more active about doing their own management, so the usefulness of the list may have “diminished.”
There were about 80 to 100 people from both commercial and non-commercial firms on the mailing list, Meissner said, “making leaks by members always a possibility.” Access to the list was provided on request.