Security incident on Fedora infrastructure on 23 Jan 2011

Jose Manimala josemanimala at gmail.com
Tue Jan 25 00:24:54 UTC 2011


Awesome work and happy that nothing bad has happened.

One question: should a password length and secure-password-creation
check be enforced on the FAS system, like regular expression checks
and such? I know this is asking a lot; the current implementation
allows me to have a simple password, if I remember (need to check), it's been
long. And password expiry?  :)

On Tue, Jan 25, 2011 at 1:14 PM, Jared K. Smith
<jsmith at fedoraproject.org> wrote:
> Summary: Fedora infrastructure intrusion but no impact on product integrity
>
> On January 22, 2011 a Fedora contributor received an email from the Fedora
> Accounts System indicating that his account details had been changed.  He
> contacted the Fedora Infrastructure Team indicating that he had received
> the email, but had not made changes to his FAS account. The Infrastructure
> Team immediately began investigating, and confirmed that the account had
> indeed been compromised.
>
> At this time, the Infrastructure Team has evidence that indicates the account
> credentials were compromised externally, and that the Fedora Infrastructure was
> not subject to any code vulnerability or exploit.
>
> The account in question was not a member of any sysadmin or Release Engineering
> groups. The following is a complete list of privileges on the account:
>  * SSH to fedorapeople.org (user permissions are very limited on this machine).
>  * Push access to packages in the Fedora SCM.
>  * Ability to perform builds and make updates to Fedora packages.
>
> The Infrastructure Team took the following actions after being
> notified of the issue:
> 1. Lock down access to the compromised account
> 2. Take filesystem snapshots of all systems the account had access to
>    (pkgs.fedoraproject.org, fedorapeople.org)
> 3. Audit SSH, FAS, Git, and Koji logs from the time of compromise to the
>    present
>    Here, we found that the attacker did:
>    * Change the account's SSH key in FAS
>    * Log in to fedorapeople.org
>    The attacker did not:
>    * Push any changes to the Fedora SCM or access pkgs.fedoraproject.org in
>      any way
>    * Generate a koji cert or perform any builds
>    * Push any package updates
>
> Based on the results of our investigation so far, we do not believe that any
> Fedora packages or other Fedora contributor accounts were affected by this
> compromise.
>
> While the user in question had the ability to commit to Fedora SCM, the
> Infrastructure Team does not believe that the compromised account was used to
> do this, or cause any builds or updates in the Fedora build system. The
> Infrastructure Team believes that Fedora users are in no way threatened by this
> security breach and we have found no evidence that the compromise extended
> beyond this single account.
>
> As always, Fedora packagers are recommended to regularly review commits to
> their packages and report any suspicious activity that they notice.
>
> Fedora contributors are strongly encouraged to choose a strong FAS password.
> Contributors should *NOT* use their FAS password on any other websites or
> user accounts.  If you receive an email from FAS notifying you of changes to
> your account that you did not make, please contact the Fedora Infrastructure
> team immediately via admin at fedoraproject.org.
>
> We are still performing a more in-depth investigation and security audit and we
> will post again if there are any material changes to our understanding.
>
> --
> Jared Smith
> Fedora Project Leader
> --
> announce mailing list
> announce at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/announce
>

-- 
Cheers
Jose
http://josemanimala.eu.org/blog
Ph: +64221033100
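The kind of server-side password policy the reply above asks about, written out as an added example. This is illustrative code, not FAS's own implementation: the minimum length, the three-of-four character-class rule, the maximum password age and the tiny common-password list are assumptions chosen for the example, and `check_password` and `password_expired` are hypothetical names. A real deployment would screen against a large breached-password list rather than the handful of constructed entries here.

```python
"""Password policy checks of the sort the thread asks FAS to enforce.

Added example; the thresholds and names below are assumptions, not
Fedora's actual rules.
"""
import re
from datetime import date, timedelta

MIN_LENGTH = 12                          # assumed minimum length
MIN_CHARACTER_CLASSES = 3                # assumed: 3 of the 4 classes below
MAX_PASSWORD_AGE = timedelta(days=180)   # assumed expiry interval

# Constructed sample of very common passwords; a deployment would load a
# much larger breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "fedora"}

# Regular-expression checks, as the reply suggests: one per character class.
CLASS_PATTERNS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, username):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [name for name, pat in CLASS_PATTERNS.items() if pat.search(password)]
    if len(classes) < MIN_CHARACTER_CLASSES:
        problems.append(
            f"uses fewer than {MIN_CHARACTER_CLASSES} of: lowercase, uppercase, digit, symbol"
        )
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    # Reject long runs of one character ("aaaa"), which inflate length cheaply.
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a character repeated 4+ times in a row")
    return problems


def password_expired(last_changed, today=None):
    """True when the password is older than MAX_PASSWORD_AGE (the expiry question)."""
    today = today or date.today()
    return today - last_changed > MAX_PASSWORD_AGE


if __name__ == "__main__":
    for candidate in ("password", "JoseJoseJose1!", "Correct-Horse-Battery-9"):
        print(candidate, check_password(candidate, "jose") or "OK")
    print("expired:", password_expired(date(2010, 1, 1), today=date(2011, 1, 25)))
```

The check returns every violation rather than stopping at the first, so the account system can show the user the full list at once; the expiry check is kept separate because it runs at login time against the stored change date, not at password-creation time.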