== A realization about the recent Red Hat Enterprise security issue For those people who haven't heard, Red Hat recently suffered a [[security breach http://rhn.redhat.com/errata/RHSA-2008-0855.html]] that allowed an attacker to get some bogus OpenSSH RPM packages signed as valid Red Hat Enterprise Linux packages. Red Hat says that the packages were never added to RHN, the update system for Red Hat Enterprise, but presumably the attacker has copies. (That the package signing is separate from RHN makes sense to me, since I expect that Red Hat needs to sign various sorts of RPMs for testing purposes well before they may get put into general release in RHN.) This leaves one with the question of what the attacker can do with these packages. It recently struck me that these packages enable an unpleasant perfect conjunction of three or four security issues, like so: * as the attacker, you use Dan Kaminsky's DNS bug to persuade your victim system that your server is the RHN update server. * you exploit an apparent vulnerability in _yum_'s SSL certificate verification code to have your server successfully masquerade as the RHN update server. (The apparent vulnerability is mentioned, without any details, in the [[Attacks on Package Managers FAQ http://www.cs.arizona.edu/people/justin/packagemanagersecurity/faq.html]]. It's possible that whatever it is, it's not exploitable by an attacker in this way.) * you serve up package metadata that lists these compromised OpenSSH packages as available updates (and the most current version of OpenSSH). * because these OpenSSH packages have valid signatures, they will pass all of _yum_'s checks and be installed. Game over. I suspect that this is one reason that Red Hat has issued a new OpenSSH update; once you install Red Hat's update, these bogus packages will no longer be seen as more recent versions of OpenSSH. Even if the attacker manages to feed them to _yum_ under false pretenses (eg, by claiming in the metadata that they have a different version number), I *believe* that _yum_ will reject them as older than the installed versions. (Disclaimer: that's a *belief*, not a certainty; I have not tested it.) I suppose this makes a third approach to [[exploiting unsigned repository metadata UnsignedMetadataExploits]].