Re: Debian Server restored after Compromise. Which kernels???

To: Leopold Palomo-Avellaneda <lepalom@wol.es>
Cc: debian-amd64@lists.debian.org
Subject: Re: Debian Server restored after Compromise. Which kernels???
From: Art Edwards <edwardsa@afrl.kirtland.af.mil>
Date: Fri, 14 Jul 2006 11:03:06 -0600
Message-id: <[🔎] 200607141702.k6EH2ctn006718@bell.kirtland.af.mil>
In-reply-to: <[🔎] 200607132024.49263.lepalom@wol.es>
References: <[🔎] 200607132024.49263.lepalom@wol.es>

Thanks very much for this post. However, I am confused about 
Do you mean 2.6.13 up to 2.6.13.4? As written, 2.6.13 up to 2.6.17.4 would
include all of the 2.6.14, 2.6.15, and 2.6.16 kernels, rendering the
last part of that line inconsistent. This has propagated through
the debian lists, so, at the least, a clarification would be very useful.
the span of kernels effected. 

I assume that this is also a problem for 32bit machines?

Art Edwards

On Thu, Jul 13, 2006 at 08:24:48PM +0200, Leopold Palomo-Avellaneda wrote:
> 
> 
> ----------  Missatge transmès  ----------
> 
> Subject: Debian Server restored after Compromise
> Date: Dijous 13 Juliol 2006 19:54
> From: Martin Schulze <joey@infodrom.org>
> To: Debian News Channel <debian-news@lists.debian.org>
> 
> ------------------------------------------------------------------------
> The Debian Project                                http://www.debian.org/
> Debian Server restored after Compromise          debian-admin@debian.org
> July 13th, 2006                 http://www.debian.org/News/2005/20060713
> ------------------------------------------------------------------------
> 
> Debian Server restored after Compromise
> 
> One core Debian server has been reinstalled after a compromise and
> services have been restored.  On July 12th the host gluck.debian.org
> has been compromised using a local root vulnerability in the Linux
> kernel.  The intruder had access to the server using a compromised
> developer account.
> 
> The services affected and temporarily taken down are: cvs, ddtp,
> lintian, people, popcon, planet, ports, release.
> 
> 
> Details
> -------
> 
> At least one developer account has been compromised a while ago and
> has been used by an attacker to gain access to the Debian server.  A
> recently discovered local root vulnerability in the Linux kernel has
> then been used to gain root access to the machine.
> 
> At 02:43 UTC on July 12th suspicious mails were received and alarmed
> the Debian admins.   The following investigation turned out that a
> developer account was compromised and that a local kernel
> vulnerability has been exploited to gain root access.
> 
> At 04:30 UTC on July 12th gluck has been taken offline and booted off
> trusted media.  Other Debian servers have been locked down for further
> investigation whether they were compromised as well.  They will be
> upgraded to a corrected kernel before they will be unlocked.
> 
> Due to the short window between exploiting the kernel and Debian
> admins noticing, the attacker hadn't had time/inclination to cause
> much damage.  The only obviously compromised binary was /bin/ping.
> 
> The compromised account did not have access to any of the restricted
> Debian hosts.  Hence, neither the regular nor the security archive had
> a chance to be compromised.
> 
> An investigation of developer passwords revealed a number of weak
> passwords whose accounts have been locked in response.
> 
> The machine status is here: <http://db.debian.org/machines.cgi>
> 
> 
> Kernel vulnerability
> --------------------
> 
> The kernel vulnerability that has been used for this compromise is
> referenced as CVE-2006-2451.  It only exists in the Linux kernel
> 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24.


> The bug allows a local user to gain root privileges via the
> PR_SET_DUMPABLE argument of the prctl function and a program that
> causes a core dump file to be created in a directory for which the
> user does not have permissions.
> 
> The current stable release, Debian GNU/Linux 3.1 alias 'sarge',
> contains Linux 2.6.8 and is thus not affected by this problem.  The
> compromised server ran Linux 2.6.16.18.
> 
> If you run Linux 2.6.13 up to versions before 2.6.17.4, or Linux
> 2.6.16 up to versions before 2.6.16.24, please update your kernel
> immediately.
> 
> 
> About Debian
> ------------
> 
> Debian GNU/Linux is a free operating system, developed by more than
> thousand volunteers from all over the world who collaborate via the
> Internet.  Debian's dedication to Free Software, its non-profit nature,
> and its open development model make it unique among GNU/Linux
> distributions.
> 
> The Debian project's key strengths are its volunteer base, its dedication
> to the Debian Social Contract, and its commitment to provide the best
> operating system possible.
> 
> 
> --
> To UNSUBSCRIBE, email to debian-news-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> -------------------------------------------------------
>

Reply to:

Follow-Ups:
- Re: Debian Server restored after Compromise. Which kernels???
  - From: "Török Edvin" <edwintorok@gmail.com>

References:
- Fwd: Debian Server restored after Compromise
  - From: Leopold Palomo-Avellaneda <lepalom@wol.es>

Prev by Date: Re: Broken applications: Could we be honest?
Next by Date: Re: Debian Server restored after Compromise. Which kernels???
Previous by thread: Re: Debian Server restored after Compromise
Next by thread: Re: Debian Server restored after Compromise. Which kernels???
Index(es):
- Date
- Thread