[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: Debian Server restored after Compromise

   How worried should I be? Do you think it is OK to wait for an official
Debian packaged kernel or should I download some tonight from
kernel.org and compile myself?


> ----------  Missatge transmès  ----------
> Subject: Debian Server restored after Compromise
> Date: Dijous 13 Juliol 2006 19:54
> From: Martin Schulze <joey@infodrom.org>
> To: Debian News Channel <debian-news@lists.debian.org>
> ------------------------------------------------------------------------
> The Debian Project                                http://www.debian.org/
> Debian Server restored after Compromise          debian-admin@debian.org
> July 13th, 2006                 http://www.debian.org/News/2005/20060713
> ------------------------------------------------------------------------
> Debian Server restored after Compromise
> One core Debian server has been reinstalled after a compromise and
> services have been restored.  On July 12th the host gluck.debian.org
> has been compromised using a local root vulnerability in the Linux
> kernel.  The intruder had access to the server using a compromised
> developer account.
> The services affected and temporarily taken down are: cvs, ddtp,
> lintian, people, popcon, planet, ports, release.
> Details
> -------
> At least one developer account has been compromised a while ago and
> has been used by an attacker to gain access to the Debian server.  A
> recently discovered local root vulnerability in the Linux kernel has
> then been used to gain root access to the machine.
> At 02:43 UTC on July 12th suspicious mails were received and alarmed
> the Debian admins.   The following investigation turned out that a
> developer account was compromised and that a local kernel
> vulnerability has been exploited to gain root access.
> At 04:30 UTC on July 12th gluck has been taken offline and booted off
> trusted media.  Other Debian servers have been locked down for further
> investigation whether they were compromised as well.  They will be
> upgraded to a corrected kernel before they will be unlocked.
> Due to the short window between exploiting the kernel and Debian
> admins noticing, the attacker hadn't had time/inclination to cause
> much damage.  The only obviously compromised binary was /bin/ping.
> The compromised account did not have access to any of the restricted
> Debian hosts.  Hence, neither the regular nor the security archive had
> a chance to be compromised.
> An investigation of developer passwords revealed a number of weak
> passwords whose accounts have been locked in response.
> The machine status is here: <http://db.debian.org/machines.cgi>
> Kernel vulnerability
> --------------------
> The kernel vulnerability that has been used for this compromise is
> referenced as CVE-2006-2451.  It only exists in the Linux kernel
> 2.6.13 up to versions before, and 2.6.16 before
> The bug allows a local user to gain root privileges via the
> PR_SET_DUMPABLE argument of the prctl function and a program that
> causes a core dump file to be created in a directory for which the
> user does not have permissions.
> The current stable release, Debian GNU/Linux 3.1 alias 'sarge',
> contains Linux 2.6.8 and is thus not affected by this problem.  The
> compromised server ran Linux
> If you run Linux 2.6.13 up to versions before, or Linux
> 2.6.16 up to versions before, please update your kernel
> immediately.
> About Debian
> ------------
> Debian GNU/Linux is a free operating system, developed by more than
> thousand volunteers from all over the world who collaborate via the
> Internet.  Debian's dedication to Free Software, its non-profit nature,
> and its open development model make it unique among GNU/Linux
> distributions.
> The Debian project's key strengths are its volunteer base, its dedication
> to the Debian Social Contract, and its commitment to provide the best
> operating system possible.
> --
> To UNSUBSCRIBE, email to debian-news-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> -------------------------------------------------------

Reply to: