Red Hat Servers Hacked

On Friday, August 22, Red Hat announced on its web site that one or more of the servers used as part of the Fedora project had been compromised by hackers.  Even more troubling is the fact that the compromised servers included one that was used to sign Fedora packages.  Company officials claim to be confident that the passphrase that protects the private key used to sign the packages was not obtained.  However, the company did reinstall the affected systems and issued new keys for the signing of the packages as a precautionary measure, which meant downtime for the affected servers.

But the hack did not stop there.  Red Hat also announced that a breach occurred on some of its production systems which allowed the intruder to create and sign some OpenSSL packages for Red Hat Enterprise Linux 4 and 5!  According to Red Hat:

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html.

At this point Red Hat does not believe that its Red Hat Network (RHN) service, which allows customers to download packages from Red Hat, was compromised.  As a result, they do not think that the tampered packages have been widely distributed.  Let’s hope they are right.

The problem with this type of situation is that it is very difficult to tell the extent of the damage.  Red Hat believes they caught the intrusion quickly and rectified the situation.  But what if this has been going on for months?  It seems at least possible that other packages may have been hacked, signed and distributed without their knowledge.  This demonstrates one of the major security issues for software vendors: how to write, maintain and distribute software in a secure manner.  By all accounts Red Hat was following good practices.  They signed all their packages with their private key so that those who downloaded them could verify their authenticity and integrity.  But when your signing server is compromised, all bets are off.
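As an added example, not Red Hat's own detection script, here is a small Python checker in the spirit of the tampered-package list the advisory points to: once a signing key can no longer be trusted, the practical check is the content hash of each package against a vendor-published sha256sum-style blacklist, independent of the signature. The package bytes, the blacklist entry and the file name are all constructed placeholders.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a tampered package's bytes (not a real RPM).
TAMPERED_PKG_BYTES = b"constructed: contents of a tampered openssh rpm"

def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large RPMs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_blacklist(text):
    """Parse sha256sum-style lines ("<digest>  <name>") into {digest: name}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed blacklist line: {line!r}")
        entries[digest.lower()] = name
    return entries

def scan_packages(directory, blacklist):
    """List (path, digest, listed_name) for .rpm files whose content hash is
    blacklisted; match on hash, not file name, since renaming hides nothing."""
    hits = []
    for root, _, files in os.walk(directory):
        for name in sorted(files):
            if name.endswith(".rpm"):
                path = os.path.join(root, name)
                digest = sha256_file(path)
                if digest in blacklist:
                    hits.append((path, digest, blacklist[digest]))
    return hits

def demo():
    # Constructed blacklist in vendor sha256sum format; not Red Hat's list, name made up.
    blacklist = parse_blacklist(f"{hashlib.sha256(TAMPERED_PKG_BYTES).hexdigest()}  openssh-tampered.x86_64.rpm")
    with tempfile.TemporaryDirectory() as cache:
        for name, data in [("renamed-copy.rpm", TAMPERED_PKG_BYTES), ("openssh-clean.rpm", b"clean")]:
            with open(os.path.join(cache, name), "wb") as f:
                f.write(data)
        return scan_packages(cache, blacklist)
```

The renamed copy is still flagged because the match is on content, which is the property the signature was supposed to guarantee before the signing host was compromised.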

Red Hat is not the first company to be facing such issues.  In 2004 hackers were able to steal 800 MB of source code from Cisco, leading to wide speculation about the security of their products.  A similar theft of source code occurred at Microsoft in that same year.  Software vendors must be extremely vigilant in protecting their products.  One tampered package that goes unnoticed could lead to backdoors in thousands of systems.  Let’s hope that this did not occur with Red Hat.
