Re: Fwd: Debian Server restored after Compromise

To: debian-amd64@lists.debian.org
Subject: Re: Fwd: Debian Server restored after Compromise
From: "Gudjon I. Gudjonsson" <gudjon@mc2.chalmers.se>
Date: Thu, 13 Jul 2006 23:23:22 +0200 (CEST)
Message-id: <[🔎] 43426.195.67.245.44.1152825802.squirrel@webmail.chalmers.se>
In-reply-to: <[🔎] 200607132024.49263.lepalom@wol.es>
References: <[🔎] 200607132024.49263.lepalom@wol.es>

Hi
   How worried should I be? Do you think it is OK to wait for an official
Debian packaged kernel or should I download some tonight from
kernel.org and compile myself?

/Gudjon

>
>
> ----------  Missatge transmès  ----------
>
> Subject: Debian Server restored after Compromise
> Date: Dijous 13 Juliol 2006 19:54
> From: Martin Schulze <joey@infodrom.org>
> To: Debian News Channel <debian-news@lists.debian.org>
>
> ------------------------------------------------------------------------
> The Debian Project                                http://www.debian.org/
> Debian Server restored after Compromise          debian-admin@debian.org
> July 13th, 2006                 http://www.debian.org/News/2005/20060713
> ------------------------------------------------------------------------
>
> Debian Server restored after Compromise
>
> One core Debian server has been reinstalled after a compromise and
> services have been restored.  On July 12th the host gluck.debian.org
> has been compromised using a local root vulnerability in the Linux
> kernel.  The intruder had access to the server using a compromised
> developer account.
>
> The services affected and temporarily taken down are: cvs, ddtp,
> lintian, people, popcon, planet, ports, release.
>
>
> Details
> -------
>
> At least one developer account has been compromised a while ago and
> has been used by an attacker to gain access to the Debian server.  A
> recently discovered local root vulnerability in the Linux kernel has
> then been used to gain root access to the machine.
>
> At 02:43 UTC on July 12th suspicious mails were received and alarmed
> the Debian admins.   The following investigation turned out that a
> developer account was compromised and that a local kernel
> vulnerability has been exploited to gain root access.
>
> At 04:30 UTC on July 12th gluck has been taken offline and booted off
> trusted media.  Other Debian servers have been locked down for further
> investigation whether they were compromised as well.  They will be
> upgraded to a corrected kernel before they will be unlocked.
>
> Due to the short window between exploiting the kernel and Debian
> admins noticing, the attacker hadn't had time/inclination to cause
> much damage.  The only obviously compromised binary was /bin/ping.
>
> The compromised account did not have access to any of the restricted
> Debian hosts.  Hence, neither the regular nor the security archive had
> a chance to be compromised.
>
> An investigation of developer passwords revealed a number of weak
> passwords whose accounts have been locked in response.
>
> The machine status is here: <http://db.debian.org/machines.cgi>
>
>
> Kernel vulnerability
> --------------------
>
> The kernel vulnerability that has been used for this compromise is
> referenced as CVE-2006-2451.  It only exists in the Linux kernel
> 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24.
> The bug allows a local user to gain root privileges via the
> PR_SET_DUMPABLE argument of the prctl function and a program that
> causes a core dump file to be created in a directory for which the
> user does not have permissions.
>
> The current stable release, Debian GNU/Linux 3.1 alias 'sarge',
> contains Linux 2.6.8 and is thus not affected by this problem.  The
> compromised server ran Linux 2.6.16.18.
>
> If you run Linux 2.6.13 up to versions before 2.6.17.4, or Linux
> 2.6.16 up to versions before 2.6.16.24, please update your kernel
> immediately.
>
>
> About Debian
> ------------
>
> Debian GNU/Linux is a free operating system, developed by more than
> thousand volunteers from all over the world who collaborate via the
> Internet.  Debian's dedication to Free Software, its non-profit nature,
> and its open development model make it unique among GNU/Linux
> distributions.
>
> The Debian project's key strengths are its volunteer base, its dedication
> to the Debian Social Contract, and its commitment to provide the best
> operating system possible.
>
>
> --
> To UNSUBSCRIBE, email to debian-news-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
> -------------------------------------------------------
>
>

Reply to:

Follow-Ups:
- Re: Debian Server restored after Compromise
  - From: Adam James <ad@heliosphan.co.uk>

References:
- Fwd: Debian Server restored after Compromise
  - From: Leopold Palomo-Avellaneda <lepalom@wol.es>

Prev by Date: Re: No sound on etch when using video players
Next by Date: Re: No sound on etch when using video players
Previous by thread: Fwd: Debian Server restored after Compromise
Next by thread: Re: Debian Server restored after Compromise
Index(es):
- Date
- Thread