Code Undamaged As Fedora Site Is Hacked

An attacker attempted to compromise the servers for the Fedora Project, the community version of the Red Hat Enterprise Linux, but didn’t damage any servers or code, according to an email sent to the Fedora mailing list on January 25.

In the message, entitled “A security incident on Fedora infrastructure,” Fedora Project leader Jared Smith disclosed that a Fedora contributor’s login and password credentials were stolen and used to access the systems on January 22.

Rapid Action Minimised The Danger

The account belonged to a contributor who had access to push code packages in the Fedora SCM, to perform builds and to make updates to Fedora packages, according to Smith. The contributor was not a member of any sysadmin or Release Engineering groups and had only limited privileges on fedorapeople.org, he wrote.

The Fedora Infrastructure Team investigated the incident, and was able to conclude that the attacker did not push any changes to the Fedora SCM, access the project repositories at pkgs.fedoraproject.org, perform any builds, or push out any package updates, according to Smith.

“We do not believe that any Fedora packages or other Fedora contributor accounts were affected”, and there is “no evidence” that the compromise “extended beyond this single account”, he wrote.

What the attacker did manage to do was to change the value of the SSH key saved in the Fedora Accounts System and login to fedorapeople.org, Smith said. The breach was discovered because the original account user received an email from Fedora Account System indicating some account details had been changed.

As soon as the Infrastructure Team was notified, the compromised account was locked down and a thorough audit of the logs was conducted to track all attacker activity, Smith wrote. The Infrastructure Team took snapshots of all the file systems the account had access to and compared it with previous snapshots to ensure no changes had been made.

With the compromise of fedorapeople.org, the attacker could have pushed changes to Fedora’s SCM system, but Smith said it wasn’t likely. He still encouraged Fedora package maintainers to report anything they considered suspicious.

The account information was “compromised externally,” and the “Fedora Infrastructure was not subject to any code vulnerability or exploit,” Smith wrote. He reminded contributors the importance of choosing a strong password and not re-use their Fedora password on other Web sites or accounts.

This is the third attack on an open-source project in the past few weeks. In December, the main source code repository for the Free Software Foundation was shut down after attackers compromised the site’s account passwords.

Also in December, attackers hacked ProFTPD servers via an unpatched vulnerability in the application. For three days, anyone downloading the open-source file transfer application received an infected version that provided attackers with unauthorised access to their systems.

Apache was hit twice in 2010 and Fedora was compromised once before in 2008. In that incident, both Fedora and Red Hat servers were “illegally accessed,” according to a note by Fedora Project Leader Paul Frields at the time. But again, attackers did not have any impact on Fedora Linux or related packages.

After the compromise, both Red Hat and Fedora re-issued security keys and improved its security practices, even though it meant delaying Fedora product releases.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Share
Published by
Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
Tags: fedorahacker

Recent Posts

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

50 mins ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

2 hours ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

3 hours ago

VW, Rivian Launch Joint Venture, As Investment Rises To $5.8 Billion

Volkswagen and Rivian officially launch their joint venture, as German car giant ups investment to…

4 hours ago

AMD Axes 4 Percent Of Staff, Amid AI Chip Focus

Merry Christmas staff. AMD hands marching orders to 1,000 employees in the led up to…

7 hours ago

Tesla Recalls 2,431 Cybertrucks Over Propulsion Issue

Recall number six in 2024 for Tesla Cybertruck, and this time the fault cannot be…

8 hours ago