A realization about the recent Red Hat Enterprise security issue

August 31, 2008

For those people who haven't heard, Red Hat recently suffered a security breach that allowed an attacker to get some bogus OpenSSH RPM packages signed as valid Red Hat Enterprise Linux packages. Red Hat says that the packages were never added to RHN, the update system for Red Hat Enterprise, but presumably the attacker has copies.

(That the package signing is separate from RHN makes sense to me, since I expect that Red Hat needs to sign various sorts of RPMs for testing purposes well before they may get put into general release in RHN.)

This leaves one with the question of what the attacker can do with these packages. It recently struck me that these packages enable an unpleasant perfect conjunction of three or four security issues, like so:

  • as the attacker, you use Dan Kaminsky's DNS bug to persuade your victim system that your server is the RHN update server.

  • you exploit an apparent vulnerability in yum's SSL certificate verification code to have your server successfully masquerade as the RHN update server.

    (The apparent vulnerability is mentioned, without any details, in the Attacks on Package Managers FAQ. It's possible that whatever it is, it's not exploitable by an attacker in this way.)

  • you serve up package metadata that lists these compromised OpenSSH packages as available updates (and the most current version of OpenSSH).

  • because these OpenSSH packages have valid signatures, they will pass all of yum's checks and be installed. Game over.

I suspect that this is one reason that Red Hat has issued a new OpenSSH update; once you install Red Hat's update, these bogus packages will no longer be seen as more recent versions of OpenSSH. Even if the attacker manages to feed them to yum under false pretenses (eg, by claiming in the metadata that they have a different version number), I believe that yum will reject them as older than the installed versions.

(Disclaimer: that's a belief, not a certainty; I have not tested it.)

I suppose this makes a third approach to exploiting unsigned repository metadata.

Written on 31 August 2008.
« Open source projects and programs versus products
There is a balance between optimism and paranoia for compromised machines »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Aug 31 00:40:06 2008
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.