SecurityFocus, 2008-08-22
Unknown intruders breached the security of several computers used by Linux firm Red Hat and the Fedora Project, forcing administrators to take the systems offline for over a week, Fedora and Red Hat announced on Friday.
The most significant breach involved a system used by the Fedora Project to sign the software packages used to automatically update end users' systems. The breach also affected the Fedora Project's database and proxy servers, hosted systems and collaboration network. A smaller number of servers used by Red Hat were affected by the breach, the Fedora Project stated in its announcement.
Yet, while the extent of the breach appeared to be significant, the Fedora Project claimed that the intruders did not obtain the package signing key, the cryptographic master key with which attackers could introduce malicious software onto Fedora users' systems through the update process.
"Based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key," Paul Frields, Fedora Project Leader for Red Hat, said in an announcement released on Friday. "Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers."
The Fedora Project manages the development and distribution of Red Hat's freely available version of the Linux operating system. The software created by Fedora's developers finds its way into a variety of commercial and non-commercial versions of Linux, including Red Hat Enterprise Linux.
While the Fedora Project has no evidence that the intruders compromised the signing key, the project has decided to create and distribute new keys. The Fedora Project administrators have also performed numerous checks on the collection of software components and have not found anything to suggest that a Trojan horse had been introduced into the software, Frields stated.
While the intruders had only limited impact on Red Hat's systems, they were able to create several signed versions of a potentially malicious OpenSSH package, the company said.
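A defender-side check that follows from the key rotation and the signed OpenSSH packages described above, added here as an example and not anything Fedora or Red Hat published: it parses the signature field that `rpm` reports for installed packages and flags any package not signed by a key on the current allow-list. The key IDs, package names and sample output lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit which key signed each installed RPM after a signing-key rotation.
# Input format is what this command prints, one line per package:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'
# Unsigned packages show "(none)" in the signature field.

# Placeholder IDs standing in for the keys issued after the rotation (constructed, not real).
CURRENT_KEYS="1111111111111111 2222222222222222"

# Constructed sample of rpm output; on a real host pipe the rpm command into audit_packages.
SAMPLE_RPM_OUTPUT='openssh-4.7p1-4.x86_64 DSA/SHA1, Thu 10 Jul 2008 12:00:00 PM UTC, Key ID 1111111111111111
openssh-server-4.7p1-4.x86_64 DSA/SHA1, Thu 10 Jul 2008 12:00:00 PM UTC, Key ID 1111111111111111
kernel-2.6.25-108.x86_64 DSA/SHA1, Tue 05 Aug 2008 09:00:00 AM UTC, Key ID aaaaaaaaaaaaaaaa
local-tool-1.0-1.x86_64 (none)'

# audit_packages: reads rpm-style lines on stdin and prints "STATUS package keyid" per package.
# STATUS is OK when the key ID is in CURRENT_KEYS, otherwise UNTRUSTED (old key or unsigned).
audit_packages() {
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    pkg=${line%% *}                       # first field is the package NVRA
    case $line in
      *"Key ID "*) keyid=${line##*"Key ID "} ;;   # text after the last "Key ID "
      *) keyid=none ;;                             # "(none)" or unexpected format
    esac
    status=UNTRUSTED
    for k in $CURRENT_KEYS; do
      [ "$k" = "$keyid" ] && status=OK
    done
    printf '%s %s %s\n' "$status" "$pkg" "$keyid"
  done
}

# count_untrusted: number of sample packages not signed by a current key.
count_untrusted() {
  printf '%s\n' "$SAMPLE_RPM_OUTPUT" | audit_packages | grep -c '^UNTRUSTED'
}

# count_ok: number of sample packages signed by a current key.
count_ok() {
  printf '%s\n' "$SAMPLE_RPM_OUTPUT" | audit_packages | grep -c '^OK'
}
```

Packages flagged UNTRUSTED after a rotation are candidates for reinstallation from media signed with the new key, since a valid signature from the old key no longer proves anything once that key is considered exposed.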
Red Hat declined to comment on the issue except to refer reporters to the published announcements. In May, the Debian Linux project announced that a change to its crypto libraries had caused its OpenSSL, OpenSSH and OpenVPN software to generate weak encryption keys.