Red Hat-signed OpenSSH RPMs were tampered
During the August 2008 Fedora and Red Hat infrastructure intrusions, an attacker got tampered OpenSSH packages for RHEL 4 and RHEL 5 signed with a legitimate Red Hat package key, though Red Hat said RHN subscribers did not receive them through official channels.
Story
The Fedora and Red Hat intrusion started in public with silence, which is why the incident still reads like a case study in distribution trust. On August 14, Fedora warned users not to download or update packages while it investigated an infrastructure issue. A week later, Fedora confirmed that one compromised machine had been used to sign Fedora packages, but said the signing passphrase had not been used during the intrusion and source/package checks had found no evidence of Fedora package tampering. Fedora rotated signing keys anyway.
Red Hat's disclosure landed inside RHSA-2008:0855, an OpenSSH security update. The important supply-chain fact was separate from the ordinary OpenSSH X11-cookie fix in the same advisory: an intruder had managed to sign a small number of tampered OpenSSH packages for RHEL 4 on i386 and x86_64, and RHEL 5 on x86_64. That made the trust boundary different from a random mirrored RPM. The packages carried a legitimate Red Hat signature, which is the exact signal RPM tooling and administrators normally use to decide that an update came from the vendor.
Red Hat said its review found that Red Hat Network and RHN-distributed content were not compromised, so customers updating through RHN were not believed to be at risk. The risk sat with people who might have obtained Red Hat binary packages outside the subscriber channel. To make that concrete, Red Hat published openssh-blacklist-1.0.sh, a signed detection script that checked installed packages or candidate RPM files against the SIGMD5 values of the known tampered packages.
The list of tampered versions was short but high-value: openssh-3.9p1-8.RHEL4.24, openssh-3.9p1-9.el4, openssh-4.3p2-26, and openssh-4.3p2-26.el5, across the OpenSSH client, server, askpass, debuginfo, and related subpackages. Public CVE records later tracked the trojaned-package issue as CVE-2008-3844, with the impact recorded as unknown. The lasting lesson is that package signing protects the distribution path only while the signing environment remains controlled; once that boundary is crossed, a signature can authenticate the attacker's artifact.
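The blacklist script above compared SIGMD5 values reported by the rpm tool against a fixed list. As an added example that is not Red Hat's script or part of this record, the Python below reads the SIGMD5 entry straight out of an RPM's signature header, recomputes the MD5 over the header and payload that SIGMD5 covers, and then checks the stored value against a blocklist. The known-bad SIGMD5 values are not reproduced here, so the blocklist is an assumed placeholder, and the fixture is a constructed minimal lead plus signature header rather than a real package.

```python
import hashlib
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
RPMSIGTAG_MD5 = 1004   # signature-header tag carrying the 16-byte SIGMD5
RPM_BIN_TYPE = 7       # RPM header data type for raw bytes

def read_sigmd5(blob):
    """Return (stored SIGMD5, MD5 recomputed over header+payload) as hex strings."""
    if blob[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    pos = 96                                       # the lead is a fixed 96 bytes
    if blob[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", blob[pos + 8:pos + 16])
    index_start = pos + 16
    data_start = index_start + 16 * nindex
    stored = None
    for i in range(nindex):                        # walk the 16-byte index entries
        tag, typ, off, cnt = struct.unpack(">IIII", blob[index_start + 16 * i:index_start + 16 * (i + 1)])
        if tag == RPMSIGTAG_MD5 and typ == RPM_BIN_TYPE and cnt == 16:
            stored = blob[data_start + off:data_start + off + 16].hex()
    if stored is None:
        raise ValueError("signature header has no SIGMD5 entry")
    end = data_start + hsize
    end += (-end) % 8                              # signature header is padded to 8 bytes
    return stored, hashlib.md5(blob[end:]).hexdigest()

def classify(blob, blocklist):
    """Blocklist match as in the advisory's script, plus an integrity check the script did not do."""
    stored, computed = read_sigmd5(blob)
    if stored != computed:
        return "corrupt"          # SIGMD5 does not cover the bytes present: damaged or altered file
    return "known-tampered" if stored in blocklist else "not-listed"

def build_minimal_rpm(body):
    """Constructed fixture (not a real package): lead + signature header with only SIGMD5 over body."""
    lead = RPM_LEAD_MAGIC + b"\x03\x00" + b"\x00" * 90
    index = struct.pack(">IIII", RPMSIGTAG_MD5, RPM_BIN_TYPE, 0, 16)
    sig = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", 1, 16) + index
    sig += hashlib.md5(body).digest()
    sig += b"\x00" * ((-len(sig)) % 8)
    return lead + sig + body

if __name__ == "__main__":
    sample = build_minimal_rpm(b"constructed header+payload stand-in")
    bad = {read_sigmd5(sample)[0]}                 # placeholder for the advisory's SIGMD5 list
    print(classify(sample, bad), classify(sample, set()))
```

A blocklist hit says only that the file is byte-identical to a known tampered package; a valid vendor signature on an unlisted file still says nothing about whether the signing environment was trustworthy when it was signed.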
Affected Artifacts
- openssh-3.9p1-8.RHEL4.24
  - Observed: 2008-08-14 to 2008-08-22
  - Compromised Versions:
  - Fixed: 3.9p1-11.el4_7
  - Evidence: advisory: security.access.redhat.com/data/openssh-blacklist.html; detection: security.access.redhat.com/data/openssh-blacklist-1.0.sh; cve: CVE-2008-3844; package: openssh-3.9p1-8.RHEL4.24; +4 more
- openssh-3.9p1-9.el4
  - Observed: 2008-08-14 to 2008-08-22
  - Compromised Versions:
  - Fixed: 3.9p1-11.el4_7
  - Evidence: advisory: security.access.redhat.com/data/openssh-blacklist.html; detection: security.access.redhat.com/data/openssh-blacklist-1.0.sh; cve: CVE-2008-3844; package: openssh-3.9p1-9.el4; +3 more
- openssh-4.3p2-26
  - Observed: 2008-08-14 to 2008-08-22
  - Compromised Versions:
  - Fixed: 4.3p2-26.el5_2.1
  - Evidence: advisory: security.access.redhat.com/data/openssh-blacklist.html; detection: security.access.redhat.com/data/openssh-blacklist-1.0.sh; cve: CVE-2008-3844; package: openssh-4.3p2-26; +2 more
- openssh-4.3p2-26.el5
  - Observed: 2008-08-14 to 2008-08-22
  - Compromised Versions:
  - Fixed: 4.3p2-26.el5_2.1
  - Evidence: advisory: security.access.redhat.com/data/openssh-blacklist.html; detection: security.access.redhat.com/data/openssh-blacklist-1.0.sh; cve: CVE-2008-3844; package: openssh-4.3p2-26.el5; +2 more
- Red Hat stated that RHN and RHN-distributed content were not compromised; this record tracks abuse of the Red Hat signing trust root and the tampered signed RPMs, not confirmed delivery through RHN.
- Fedora's related signing-system compromise is included as context because Fedora reported no package-integrity discrepancies and no evidence that the Fedora signing passphrase was used during the intrusion.
Incident Context
- Motive: Unauthorized Access Control
- Cause: Compromised Infrastructure
- Transitive: No
External References
- Red Hat alert RHSA-2008:0855-01 (openssh) (lwn.net)
- RHSA-2008:0855 - Critical: openssh security update (access.redhat.com)
- Red Hat OpenSSH blacklist script advisory (security.access.redhat.com)
- Red Hat openssh-blacklist-1.0.sh (security.access.redhat.com)
- Something going on with Fedora (lwn.net)
- One week of infrastructure issues (lwn.net)
- What happened with Fedora - and Red Hat too (lwn.net)
- Fedora, Red Hat, and distributor security (lwn.net)
- Re: non-disclosure of infrastructure problem a management issue? (lwn.net)
- Red Hat hack prompts critical OpenSSH update (theregister.com)
- Red Hat breached as hackers target Linux servers (itpro.com)
- Red Hat belatedly confirms security breach (zdnet.com)
- ASA-2008-399: openssh security update (RHSA-2008-0855) (support.avaya.com)
- CVE-2008-3844 (nvd.nist.gov)
Source record: oss/attacks/redhat-openssh/meta.yaml