Summary: Fedora infrastructure intrusion but no impact on product integrity
On January 22, 2011 a Fedora contributor received an email from the Fedora Accounts System indicating that his account details had been changed. He contacted the Fedora Infrastructure Team indicating that he had received the email, but had not made changes to his FAS account. The Infrastructure Team immediately began investigating, and confirmed that the account had indeed been compromised.
At this time, the Infrastructure Team has evidence that indicates the account credentials were compromised externally, and that the Fedora Infrastructure was not subject to any code vulnerability or exploit.
The account in question was not a member of any sysadmin or Release Engineering groups. The following is a complete list of privileges on the account:
* SSH to fedorapeople.org (user permissions are very limited on this machine).
* Push access to packages in the Fedora SCM.
* Ability to perform builds and make updates to Fedora packages.
The Infrastructure Team took the following actions after being notified of the issue:
1. Lock down access to the compromised account
2. Take filesystem snapshots of all systems the account had access to (pkgs.fedoraproject.org, fedorapeople.org)
3. Audit SSH, FAS, Git, and Koji logs from the time of compromise to the present
Here, we found that the attacker did:
* Change the account's SSH key in FAS
* Login to fedorapeople.org
The attacker did not:
* Push any changes to the Fedora SCM or access pkgs.fedoraproject.org in any way
* Generate a koji cert or perform any builds
* Push any package updates
Based on the results of our investigation so far, we do not believe that any Fedora packages or other Fedora contributor accounts were affected by this compromise.
While the user in question had the ability to commit to Fedora SCM, the Infrastructure Team does not believe that the compromised account was used to do this, or cause any builds or updates in the Fedora build system. The Infrastructure Team believes that Fedora users are in no way threatened by this security breach and we have found no evidence that the compromise extended beyond this single account.
As always, Fedora packagers are recommended to regularly review commits to their packages and report any suspicious activity that they notice.
Fedora contributors are strongly encouraged to choose a strong FAS password. Contributors should *NOT* use their FAS password on any other websites or user accounts. If you receive an email from FAS notifying you of changes to your account that you did not make, please contact the Fedora Infrastructure team immediately via admin@fedoraproject.org.
We are still performing a more in-depth investigation and security audit and we will post again if there are any material changes to our understanding.
--
Jared Smith
Fedora Project Leader
On Tue, Jan 25, 2011 at 10:14:23AM +1000, Jared K. Smith wrote:
The account in question was not a member of any sysadmin or Release Engineering groups. The following is a complete list of privileges on the account:
- SSH to fedorapeople.org (user permissions are very limited on this machine).
- Push access to packages in the Fedora SCM.
- Ability to perform builds and make updates to Fedora packages.
Did he really not have write access to the Fedora wiki or the different trac instances (wiki, ticket system) on fedorahosted? I am not sure how it is handled, but he also might have had push access to the comps repo on fedorahosted.
Additionally it would be nice to investigate whether the account was used to access the test machine resources for package maintainers: https://fedoraproject.org/wiki/Test_Machine_Resources_For_Package_Maintainer...
Regards,
Till
On 2011-01-25 10:50:48 PM, Till Maas wrote:
Did he really not have write access to the Fedora wiki or the different trac instances (wiki, ticket system) on fedorahosted? I am not sure how it is handled, but he also might have had push access to the comps repo on fedorahosted.
Sorry, these are omissions on our part. All packagers have edit access to the Fedora wiki, push access to comps on fedorahosted, and all Fedora Accounts are able to login to fedorahosted trac instances (with no special privileges by default).
We found no unverified Fedora wiki edits or pushes to comps from the account in question.
Additionally it would be nice to investigate whether the account was used to access the test machine resources for package maintainers: https://fedoraproject.org/wiki/Test_Machine_Resources_For_Package_Maintainer...
Good point. We don't run those machines, and all packagers have sudo there, so Fedora packagers should consider it unsafe to forward their SSH agent or enter any sensitive information on those machines. We'll get in touch with Kevin about checking those machines though.
Thanks,
Ricky
On Tue, 25 Jan 2011 17:10:20 -0500 Ricky Zhou ricky@fedoraproject.org wrote:
Additionally it would be nice to investigate whether the account was used to access the test machine resources for package maintainers: https://fedoraproject.org/wiki/Test_Machine_Resources_For_Package_Maintainer...
Good point. We don't run those machines, and all packagers have sudo there, so Fedora packagers should consider it unsafe to forward their SSH agent or enter any sensitive information on those machines. We'll get in touch with Kevin about checking those machines though.
I see no evidence of tampering on those machines.
I checked the logs of the firewall in front of them (that logs all ssh connections to them) against the lastlogs on each. There's no 'missing' ssh connections or connections from this account.
Thanks for asking. ;)
kevin
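The cross-check Kevin describes above (firewall SSH connection log versus the lastlog on each test machine) can be scripted. The following is an added example, not code from the thread or from Fedora Infrastructure; the firewall log format, host names, IPs and user names are constructed for illustration, and the 60-second matching window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not real logs from the Fedora incident).
# Firewall log: one line per SSH connection it forwarded to a test machine.
FIREWALL_LOG = """\
2011-01-22T14:02:11 ACCEPT src=203.0.113.7 dst=ppc1 dport=22
2011-01-22T15:40:03 ACCEPT src=198.51.100.23 dst=ppc1 dport=22
2011-01-22T16:10:45 ACCEPT src=192.0.2.55 dst=ppc2 dport=22
"""

# lastlog-style records per host: (user, source IP, login time). Constructed.
LASTLOG = {
    "ppc1": [("alice", "203.0.113.7", "2011-01-22T14:02:13")],
    "ppc2": [("bob", "192.0.2.55", "2011-01-22T16:10:47"),
             ("mallory", "198.51.100.99", "2011-01-22T17:00:00")],
}

FW_RE = re.compile(r"^(\S+) ACCEPT src=(\S+) dst=(\S+) dport=22$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(fw_text, lastlog, compromised, window=timedelta(seconds=60)):
    """Pair each lastlog login with a firewall connection from the same source
    to the same host shortly before it. Returns three lists:
    firewall connections with no login (failed auth, or a login the host did
    not record), logins with no firewall record (a 'missing' connection:
    firewall bypass or tampered lastlog), and any login by the compromised
    account."""
    fw = [{"ts": parse_ts(m[1]), "src": m[2], "dst": m[3], "used": False}
          for m in (FW_RE.match(l) for l in fw_text.splitlines()) if m]
    unmatched_logins, compromised_logins = [], []
    for host, records in lastlog.items():
        for user, src, ts_s in records:
            ts = parse_ts(ts_s)
            if user == compromised:
                compromised_logins.append((host, user, src, ts_s))
            match = next((c for c in fw if not c["used"] and c["dst"] == host
                          and c["src"] == src
                          and timedelta(0) <= ts - c["ts"] <= window), None)
            if match:
                match["used"] = True  # each connection explains one login
            else:
                unmatched_logins.append((host, user, src, ts_s))
    unmatched_fw = [(c["dst"], c["src"], c["ts"].isoformat())
                    for c in fw if not c["used"]]
    return {"unmatched_firewall": unmatched_fw,
            "unmatched_logins": unmatched_logins,
            "compromised_logins": compromised_logins}
```

A non-empty `unmatched_logins` list is the finding Kevin was looking for: a login the machine recorded that the firewall never saw.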
Looks like it's made the news
http://news.slashdot.org/story/11/01/25/1723259/Fedora-Infrastructure-Compro...
Cheers,
Al
On Wed, Jan 26, 2011 at 11:34 AM, Kevin Fenzi kevin@scrye.com wrote:
On Tue, 25 Jan 2011 17:10:20 -0500 Ricky Zhou ricky@fedoraproject.org wrote:
Additionally it would be nice to investigate whether the account was used to access the test machine resources for package maintainers:
https://fedoraproject.org/wiki/Test_Machine_Resources_For_Package_Maintainer...
Good point. We don't run those machines, and all packagers have sudo there, so Fedora packagers should consider it unsafe to forward their SSH agent or enter any sensitive information on those machines. We'll get in touch with Kevin about checking those machines though.
I see no evidence of tampering on those machines.
I checked the logs of the firewall in front of them (that logs all ssh connections to them) against the lastlogs on each. There's no 'missing' ssh connections or connections from this account.
Thanks for asking. ;)
kevin
On Wed, 26 Jan 2011 15:25:40 +1300 Al Reay alreay1@gmail.com wrote:
Looks like it's made the news
http://news.slashdot.org/story/11/01/25/1723259/Fedora-Infrastructure-Compro...
Disappointingly the slashdot story paraphrased another site that went with a sensationalized headline and was low on facts. They didn't even point to the actual announcement for folks to read for themselves. ;( (They also seem to be using the opensource.org logo for Fedora stories instead of the Fedora logo?)
kevin
On Wed, Jan 26, 2011 at 09:30:24AM -0700, Kevin Fenzi wrote:
On Wed, 26 Jan 2011 15:25:40 +1300 Al Reay alreay1@gmail.com wrote:
Looks like it's made the news
http://news.slashdot.org/story/11/01/25/1723259/Fedora-Infrastructure-Compro...
Disappointingly the slashdot story paraphrased another site that went with a sensationalized headline and was low on facts. They didn't even point to the actual announcement for folks to read for themselves. ;( (They also seem to be using the opensource.org logo for Fedora stories instead of the Fedora logo?)
They used to use the Red Hat logo -- would that count as a modest improvement?
On 01/27/2011 01:12 AM, Paul W. Frields wrote:
On Wed, Jan 26, 2011 at 09:30:24AM -0700, Kevin Fenzi wrote:
Disappointingly the slashdot story paraphrased another site that went with a sensationalized headline and was low on facts. They didn't even point to the actual announcement for folks to read for themselves. ;( (They also seem to be using the opensource.org logo for Fedora stories instead of the Fedora logo?)
They used to use the Red Hat logo -- would that count as a modest improvement?
Don't think so. It only increases the chances of confusion for the general community and Red Hat customers. They should use the Fedora Logo.
Rahul
On Thu, Jan 27, 2011 at 01:35:05AM +0530, Rahul Sundaram wrote:
On 01/27/2011 01:12 AM, Paul W. Frields wrote:
On Wed, Jan 26, 2011 at 09:30:24AM -0700, Kevin Fenzi wrote:
Disappointingly the slashdot story paraphrased another site that went with a sensationalized headline and was low on facts. They didn't even point to the actual announcement for folks to read for themselves. ;( (They also seem to be using the opensource.org logo for Fedora stories instead of the Fedora logo?)
They used to use the Red Hat logo -- would that count as a modest improvement?
Don't think so. It only increases the chances of confusion for the general community and Red Hat customers. They should use the Fedora Logo.
Sorry I left out the <sarcasm> tag. I agree, of course.