Hackers Get Under Red Hat's Skin
Open source software company Red Hat warned of a network intrusion that compromised some of the company's servers. Though Red Hat considered the advisory critical and issued updated versions of affected packages, it said that a worst-case scenario -- a hacker accessing servers used to sign Fedora or Red Hat applications distributed through their auto-update process -- did not come to pass.
Aug 25, 2008 1:44 PM PT
Red Hat issued a security advisory Friday notifying customers that some of its servers were compromised last week due to a network attack. The company called the advisory critical and said it sent out the alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.
The servers -- for both the company's commercial products and free versions of Linux -- were breached; however, immediate action on the part of Red Hat prevented the attacker from gaining access to Red Hat Network (RHN) and its associated security measures, according to the company.
"This is a serious issue, rightly rated critical by Red Hat. And while there may not be cases of widespread exploitation of it, it does require prompt and direct response. I think Red Hat is doing that, and in the end I think this issue will be highlighted by the company's response," Jay Lyman, an analyst at The 451 Group, told the LinuxInsider.
The software company uses the RHN to disseminate fixes, patches, and updates of packages to Red Hat subscribers. The network is also used for several other functions, including provisioning and monitoring systems.
Last week, Red Hat detected an intrusion on certain of its computer systems, according to the security advisory. Following an immediate investigation, the company determined that the intruder was able to sign a small number of OpenSSH packages connected to Red Hat Linux Enterprise Linux 4 (i386 and x86-64 architectures only) and Red Hat Enterprise Linux 5 (x86-64 architecture only).
OpenSSH, created by the OpenBSD project, is a set of computer programs that provide encrypted communication sessions over a computer network using the SSH protocol.
The intrusion also affected Red Hat's Fedora servers, according to an e-mail alert sent out by Paul Frields, project head.
The compromised servers are used for signing Fedora packages, but according to Frields, the attacker was not able to obtain the passphrase used to secure the Fedora package signing key. However, after reviewing the break-in, Fedora investigators determined that the passphrase was not used during the timeframe of the intrusion and that the passphrase is not stored on any Fedora servers.
As a result of the intrusion Frields said that the affected servers were taken offline and that the organization was using the outages as an opportunity to conduct upgrades to improve functionality and security. The work is ongoing, he warned, and he asked users to be patient.
As a precautionary measure, Frields said, Fedora will change its package signing key and is planning and has already begun executing additional safeguards.
The worst-case scenario for Red Hat would be if the intruder had compromised the servers used to sign Fedora or Red Hat applications distributed through their auto-update process, said Andrew Jaquith, an analyst at Yankee Group.
"That would be very bad indeed, although Red Hat says that no updates appear to have been compromised," he told the LinuxInsider.
Last week's attack on Red Hat and Fedora servers are the second major issue for a Linux distributor in four months. Debian reported the discovery of a vulnerability in the OpenSSL package it had been distributing. The bug, found by Luciano Bello, was caused by the removal of a line of code.
The code was removed because it caused the Valgrind and Purify tools to produce warnings about the use of uninitialized data in any code linked to OpenSSL, Debian said.
"The Debian-OpenSSL issue was another significant security matter. Both illustrate some of the security concerns -- internal breaches or code corruption -- that may be more specific to open source," said The 451 Group's Lyman.
While these issues may heighten concerns or doubts about enterprise use of open source, it is limited to those already skeptical or unsure about deploying open source software, Lyman noted.
Though these issues might heighten concerns or doubles about enterprise use of open source software, "most enterprise users of Linux and open source software are coming to trust it and increase their use in general. I don't think this will impact that trend," he continued.
"Red Hat customers have cause to be aware and to be concerned, but with any enterprise-grade operating system, there are going to be security issues. This is why I believe it is the vendor's response that is most critical. Customers are being kept aware and updated with patches, so I would say the issue is being handled adequately," Lyman explained.
"The more serious issues seem to be on the Fedora side, and those users may be more tolerant of/prepared for such an issue since they are using a more leading-edge version of the OS, rather than the more stable and predictable enterprise RHEL (Red Hat Enterprise Linux)," he concluded.