A realization about the recent Red Hat Enterprise security issue
For those people who haven't heard, Red Hat recently suffered a security breach that allowed an attacker to get some bogus OpenSSH RPM packages signed as valid Red Hat Enterprise Linux packages. Red Hat says that the packages were never added to RHN, the update system for Red Hat Enterprise, but presumably the attacker has copies.
(That the package signing is separate from RHN makes sense to me, since I expect that Red Hat needs to sign various sorts of RPMs for testing purposes well before they may get put into general release in RHN.)
This leaves one with the question of what the attacker can do with these packages. It recently struck me that these packages enable an unpleasant perfect conjunction of three or four security issues, like so:
- as the attacker, you use Dan Kaminsky's DNS bug to persuade your
victim system that your server is the RHN update server.
- you exploit an apparent vulnerability in
yum's SSL certificate verification code to have your server successfully masquerade as the RHN update server.
(The apparent vulnerability is mentioned, without any details, in the Attacks on Package Managers FAQ. It's possible that whatever it is, it's not exploitable by an attacker in this way.)
- you serve up package metadata that lists these compromised OpenSSH
packages as available updates (and the most current version of
- because these OpenSSH packages have valid signatures, they will
pass all of
yum's checks and be installed. Game over.
I suspect that this is one reason that Red Hat has issued a new OpenSSH
update; once you install Red Hat's update, these bogus packages will no
longer be seen as more recent versions of OpenSSH. Even if the attacker
manages to feed them to
yum under false pretenses (eg, by claiming in
the metadata that they have a different version number), I believe
yum will reject them as older than the installed versions.
(Disclaimer: that's a belief, not a certainty; I have not tested it.)
I suppose this makes a third approach to exploiting unsigned repository metadata.