
Critical Red Hat / Fedora Linux OpenSSH Security Update

Last week one or more of Red Hat's servers got cracked. Now, it has been revealed that both Fedora and Red Hat servers have been compromised. As a result Fedora is changing their package signing key. The intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only).

This update has been rated as having critical security impact. If your Red Hat based server is directly connected to the Internet, patch the system immediately.

From the RHN announcement:

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.

The following products are affected:
=> Red Hat Desktop (v. 4)
=> Red Hat Enterprise Linux (v. 5 server)
=> Red Hat Enterprise Linux AS (v. 4)
=> Red Hat Enterprise Linux AS (v. 4.5.z)
=> Red Hat Enterprise Linux Desktop (v. 5 client)
=> Red Hat Enterprise Linux ES (v. 4)
=> Red Hat Enterprise Linux ES (v. 4.5.z)
=> Red Hat Enterprise Linux WS (v. 4)

How do I patch up my system?

Log in as root and type the following command:
# yum update
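Updating replaces the packages, but it does not tell you which key signed what is already installed. The script below is an added example, not code from this post, Red Hat or CentOS: it parses the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'` (rpm prints `(none)` for unsigned packages) and reports every package whose signing key is not on an allowlist, optionally restricted to the `openssh` packages named in the advisory. The key IDs and sample lines in it are constructed placeholders; the allowlist must be filled from your vendor's published key fingerprints.

```python
"""Audit installed RPMs by the key that signed them.

Added example, not code from the post, Red Hat or CentOS. It parses the
output of

    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'

and reports every package whose signing key is not on an allowlist.
Key IDs and sample lines below are constructed for illustration.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Constructed allowlist: 16-hex-digit key IDs of the vendor keys you trust
# (check them against the vendor's published fingerprints, not this file).
TRUSTED_KEY_IDS: Set[str] = {"aaaabbbb0123abcd"}

# rpm's pgpsig output ends in "..., Key ID <16 hex digits>"
_KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})\s*$")

RPM_QUERY = ["rpm", "-qa", "--qf",
             "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n"]

# Constructed sample output, in the shape rpm produces for RPM_QUERY.
SAMPLE_OUTPUT = [
    "openssh-4.3p2-26.el5_2.1.x86_64 DSA/SHA1, Thu 21 Aug 2008 10:20:55 AM EDT, Key ID aaaabbbb0123abcd",
    "openssh-server-4.3p2-26.el5_2.1.x86_64 DSA/SHA1, Thu 21 Aug 2008 10:20:55 AM EDT, Key ID aaaabbbb0123abcd",
    "openssh-clients-4.3p2-26.el5.x86_64 DSA/SHA1, Tue 19 Aug 2008 09:00:01 AM EDT, Key ID ffffeeeedeadbeef",
    "locally-built-tool-1.0-1.x86_64 (none)",
]


def parse_line(line: str) -> Tuple[str, Optional[str]]:
    """Split one query line into (package NVRA, lowercase key ID or None)."""
    nvra, _, sig = line.strip().partition(" ")
    match = _KEY_ID_RE.search(sig)
    return nvra, (match.group(1).lower() if match else None)


def audit(lines: List[str], trusted: Set[str],
          name_prefix: str = "") -> Dict[str, List[str]]:
    """Bucket packages into 'ok', 'untrusted' and 'unsigned'.

    name_prefix narrows the audit, e.g. "openssh" to look only at the
    packages named in the advisory.
    """
    trusted_lower = {k.lower() for k in trusted}
    report: Dict[str, List[str]] = {"ok": [], "untrusted": [], "unsigned": []}
    for line in lines:
        if not line.strip():
            continue
        nvra, key_id = parse_line(line)
        if not nvra.startswith(name_prefix):
            continue
        if key_id is None:
            report["unsigned"].append(nvra)
        elif key_id in trusted_lower:
            report["ok"].append(nvra)
        else:
            report["untrusted"].append(nvra)
    return report


def query_installed() -> List[str]:
    """Run the rpm query on this host (needs rpm; the sample does not use it)."""
    out = subprocess.run(RPM_QUERY, check=True, capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    result = audit(query_installed(), TRUSTED_KEY_IDS)
    for bucket in ("untrusted", "unsigned"):
        for pkg in result[bucket]:
            print(f"{bucket}: {pkg}")
    print(f"{len(result['ok'])} packages signed by a trusted key")
```

Run it on the host after the update; anything listed under `untrusted` or `unsigned` deserves a closer look with `rpm -V` and the vendor's own verification material. On the constructed sample it flags the `openssh-clients` package signed by the unknown key and the unsigned local build.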

This is the main reason I don't use Fedora in production.

More information:

Now, Red Hat has not disclosed how the hell the attacker got into the server. I'd like to know more about that - was it a 0-day bug or plain old good social engineering?

Updated for accuracy - CentOS is not affected by this bug, see the comments below.


4 comments

  • ScottB August 22, 2008, 8:24 pm

    Do you have any evidence that CentOS was affected? They seem to think they are clean.

  • nixCraft August 22, 2008, 8:44 pm

    ScottB,

    Nope, but RHEL is the upstream provider for CentOS.

  • erci August 22, 2008, 10:21 pm

    CentOS is not affected.

    Earlier in the day today Red Hat made an announcement [1] that there had been an intrusion into some of their computer systems last week. In the same announcement they mention that some of the packages for OpenSSH on RHEL-4 ( i386 and x86_64 ) as well as RHEL-5 ( x86_64 ) were signed by the intruder. In their announcement they also clarified that they were confident that none of these, potentially compromised, packages made their way into or through RHN to client and customer machines. As a security measure a script [3] was made available along with a semi-detailed description of the issue [2].

    We take security issues very seriously, and as soon as we were made aware of the situation I undertook a complete audit of the entire CentOS4/5 Build and Signing infrastructure. We can now assure everyone that no compromise has taken place anywhere within the CentOS Infrastructure. Our entire setup is located behind multiple firewalls, and only accessible from a very small number of places, by only a few people. Also included in this audit were all entry points to the build services, signing machines, primary release machines and connectivity between all these hosts.

    Since OpenSSH is a critical component of any Linux machine, we considered it essential to audit the last two released package sets ( openssh-4.3p2-26.el5.src.rpm, openssh-4.3p2-26.el5_2.1.src.rpm ). I have just finished this code audit, and can assure everyone that there is no compromised code included in either of these packages. A similar check is also being done for the CentOS-4 sources.

    Packages released today, by upstream, ( based on : openssh-4.3p2-26.el5_2.1.src.rpm, openssh-3.9p1-11.el4_7.src.rpm ) address two issues. Firstly they contain a fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752 . And secondly, in the remote event that someone had indeed got compromised packages via RHN, their packages would get updated to a known good state. We wanted to get these packages out right away to address the first issue, and also to cover users converting non-updated RHEL installs to CentOS in the next few weeks/months. Release of these packages into the mirror.centos.org network does *not* imply that CentOS users are affected by the intrusion at Red Hat.

    Finally, while we feel confident that there is no possibility of this compromise having been passed onto the CentOS userbase, we still encourage users to verify their packages independently using whatever resources they might have available.

    [1]: https://rhn.redhat.com/errata/RHSA-2008-0855.html

    [2]: http://www.redhat.com/security/data/openssh-blacklist.html

    [3]: https://www.redhat.com/security/data/openssh-blacklist-1.0.sh : It's important to note that this script *only* checks for packages built within Red Hat, and will *not* be a reliable source of verification on CentOS since we rebuild from sources, using no Red Hat binary.

  • nixCraft August 22, 2008, 10:45 pm

    The post and title have been updated.
