[ISN] Attempted attack on Linux kernel foiled

From: InfoSec News (isn@private)
Date: Thu Nov 06 2003 - 22:56:02 PST


    http://news.com.com/2100-7355_3-5103670.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    November 6, 2003
    
    An unknown intruder attempted to insert a Trojan horse program into 
    the code of the next version of the Linux kernel, stored at a publicly 
    accessible database. 
    
    Security features of the source-code repository, known as BitKeeper, 
    detected the illicit change within 24 hours, and the public database 
    was shut down, a key developer said Thursday. The public database was 
    used only to provide the latest beta, or test version, of the Linux 
    kernel to users of the Concurrent Versions System (CVS), a program 
    designed to manage source code. 
    
    The changes, which would have introduced a security flaw to the 
    kernel, never became a part of the Linux code and, thus, were never a 
    threat, said Larry McVoy, founder of software company BitMover and 
    primary architect of the source code database BitKeeper. 
    
    "This never got close to the development tree," he said. "BitKeeper is 
    really paranoid about integrity, and it turns out that was key to 
    finding this Trojan horse." 
    
    Linus Torvalds, the original creator of Linux and the lead developer 
    of the kernel, uses BitKeeper to keep track of changes in the core 
    software for the operating system. On a daily basis, the software 
    exports those changes to public and private databases other developers 
    use. 
    
    An intruder apparently compromised one server earlier, and the 
    attacker used his access to make a small change to one of the source 
    code files, McVoy said. The change created a flaw that could have 
    elevated a person's privileges on any Linux machine that runs a kernel 
    compiled with the modified source code. However, only developers who 
    used that database were affected--and only during a 24-hour period, he 
    added. 
    
    "The first thing we did was fix the difference," he said. "It took me 
    five minutes to find the change." 
    
    When BitKeeper exports the source code to other servers, it checks the 
    integrity of every file, matching a digital fingerprint of its 
    official version of the file with the version on the remote machine. 
    That comparison caught the change to the code stored on the server. 
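    As an added illustration of the export-time check described above (not BitKeeper's own code; it assumes SHA-256 as the fingerprint, and the file names and contents are constructed), a manifest comparison that flags a file on a mirror whose fingerprint no longer matches the official copy:

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """SHA-256 of a file's contents (assumed here as the 'digital fingerprint')."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(tree: Path) -> dict:
    """Map every relative file path under `tree` to its fingerprint."""
    return {p.relative_to(tree).as_posix(): fingerprint(p)
            for p in sorted(tree.rglob("*")) if p.is_file()}


def verify_mirror(official: dict, mirror: dict) -> dict:
    """Compare the official manifest with the mirror's and report every discrepancy."""
    return {
        "modified": sorted(f for f in official if f in mirror and official[f] != mirror[f]),
        "missing": sorted(f for f in official if f not in mirror),
        "unexpected": sorted(f for f in mirror if f not in official),
    }


def demo() -> dict:
    """Constructed scenario: an official tree, an exported mirror, one file altered on the mirror."""
    with tempfile.TemporaryDirectory() as d:
        official, mirror = Path(d) / "official", Path(d) / "mirror"
        for root in (official, mirror):
            (root / "kernel").mkdir(parents=True)
            (root / "kernel" / "exit.c").write_text("int sys_exit(void) { return 0; }\n")
            (root / "kernel" / "sched.c").write_text("void schedule(void) {}\n")
        # Simulate the unauthorized edit: a one-line change to a single file, mirror side only.
        (mirror / "kernel" / "exit.c").write_text("int sys_exit(void) { return 1; }\n")
        return verify_mirror(manifest(official), manifest(mirror))


if __name__ == "__main__":
    print(demo())  # the altered file shows up under "modified"
```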
    
    The changes looked like they were made by another developer, but that 
    programmer said he hadn't submitted them, McVoy said. 
    
    The recent incident raises questions about the security of open-source 
    development methods, particularly how well a development team can 
    guarantee that any changes are not introducing intentional security 
    flaws. While Microsoft code has had similar problems, closed 
    development is widely considered to be harder to exploit in that way. 
    
    Linus Torvalds addressed the issue in a post to the Linux kernel 
    mailing list. 
    
    "A few things do make the current system fairly secure," he stated. 
    "One of them is that if somebody were to actually access the 
    (BitKeeper) trees (software repositories) directly, that would be 
    noticed immediately." 
    
    A critical security flaw was found in CVS in January, but it's unknown 
    whether the attacker used the vulnerability to gain access to the CVS 
    database. 
    
    BitKeeper's McVoy hopes the current incident will quash objections 
    raised by some members of the development community who don't want to 
    add a new feature that would require all changes to be digitally signed. 
    
    Even so, he said, the open-source development model likely would have 
    quickly turned up any security flaws. 
    
    "A Trojan horse is just a bug that a person has put into the system 
    deliberately," he said. "The open-source security model is that 
    everyone is using this stuff, so bugs get found and get fixed. That's 
    one of the reasons that you are not hearing me freak about this." 
    
    McVoy said the disk from the compromised server has been saved for 
    later analysis, but any decision to contact law enforcement belongs to 
    Torvalds and others. Torvalds could not be immediately reached for 
    comment. 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Fri Nov 07 2003 - 02:37:21 PST