22nd
Aug '08

System intrusion at Red Hat compromises SSH packages


Red Hat sent out a warning that last week there was an intrusion on their systems. The intruder was able to sign some OpenSSH packages relating to Red Hat Enterprise Linux 4 (RHEL 4) and Red Hat Enterprise Linux 5 (RHEL 5).

It’s difficult to guess, because Red Hat doesn’t say, whether they just found out about this, or have been investigating for a while and just realized what occurred and therefore decided to send out a warning.

Red Hat has the MD5 signatures for the tampered packages. Whether they have these because the packages were signed by Red Hat, or because they have copies of the tampered packages is unclear. It would have been nice if Red Hat actually had the tampered packages and would have said what was in the payload.

Red Hat has released a shell script that can be used to determine whether you have one of the tampered packages installed. Red Hat has also released a new OpenSSH package that one can update to, which could potentially take care of the problem.

Red Hat is also assuring everyone who updated their systems using Red Hat Network that they are not at risk. Unfortunately, there are many who use a data center’s RHN proxy, and not the official Red Hat Network, when updating their packages. In fact, if I had a tampered OpenSSH package that I needed distributed as widely as possible, I’d probably target the RHN proxy of a large data center if I was unable to get the packages onto the official Red Hat Network. Doing this could potentially affect tens of thousands of servers per data center.

If you’re running RHEL 4 or RHEL 5 and have updated your OpenSSH packages recently, I recommend that you check whether you have the tampered packages on your system, and then take any necessary steps from there.
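One way to run the kind of check described above, as an added example (this is not Red Hat's script and not code from the original post): compare the MD5 digest stored in each installed OpenSSH package's signature header against a list of known-bad digests. It assumes the blocklist is a text file with one hex MD5 per line taken from the vendor advisory; the function names are hypothetical and the digests and package names in `self_check` are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag installed packages whose digest is on a known-bad list.
# Assumption: BLOCKLIST holds one hex MD5 per line ('#' starts a comment).

# Emit "name-version-release.arch digest" for every installed openssh package.
# %{SIGMD5} is the MD5 digest stored in the RPM signature header.
list_installed() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGMD5}\n' |
        grep '^openssh'
}

# find_tampered BLOCKLIST: read "package digest" lines on stdin and print the
# packages whose digest is in BLOCKLIST. Exit status is 1 if any matched.
find_tampered() {
    awk -v list="$1" '
        BEGIN {
            # Load the blocklist, ignoring comments, whitespace and case.
            while ((getline line < list) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t\r]/, "", line)
                if (line != "") bad[tolower(line)] = 1
            }
            close(list)
        }
        NF >= 2 && (tolower($2) in bad) { print $1; hits++ }
        END { exit (hits > 0) }
    '
}

# Offline check on constructed data: one listed digest, one unlisted.
self_check() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '# constructed placeholder, not a real digest' \
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' > "$tmp"
    out=$(printf '%s\n' \
        'openssh-0.0-1.example.i386 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' \
        'openssh-server-0.0-1.example.i386 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb' |
        find_tampered "$tmp")
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 1 ] && [ "$out" = 'openssh-0.0-1.example.i386' ]
}
```

On a live system the check is `list_installed | find_tampered blocklist.txt`; a non-zero exit status with package names printed means a listed digest is installed.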

If you manage a Red Hat system and this is the first that you’ve heard of this, I also recommend subscribing to Red Hat’s security mailing list.
