Hackers break into two FreeBSD Project servers using stolen SSH keys

Users who installed third-party software packages distributed by FreeBSD.org are advised to reinstall their machines

Hackers have compromised two servers used by the FreeBSD Project to build third-party software packages. Anyone who has installed such packages since Sept. 19 should completely reinstall their machines, the project's security team warned.

Intrusions on two machines within the FreeBSD.org cluster were detected on Nov. 11, the FreeBSD security team said Saturday. "The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution," said a message on the project's public announcements mailing list.

The two compromised servers acted as nodes for the project's legacy third-party package-building infrastructure, the FreeBSD Project said in an advisory posted on its website.

The incident only affected the collection of third-party software packages distributed by the project and not the operating system's "base" components, such as the kernel, system libraries, compiler or core command-line tools.

The FreeBSD security team believes the intruders gained access to the servers using a legitimate SSH authentication key stolen from a developer, and not by exploiting a vulnerability in the operating system.

Even though the team did not find any evidence of the third-party software packages being modified by the hackers, they cannot exclude this possibility.

"We unfortunately cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors," the team said. "Although we have no evidence to suggest any tampering took place and believe such interference is unlikely, we have to recommend you consider reinstalling any machine from scratch, using trusted sources."

The package sets currently available for all versions of FreeBSD have been validated and none of them have been altered in any way, the team said.

As a result of the incident, the FreeBSD Project plans to speed its process of deprecating legacy distribution services, like those based on CVSup, in favor of the more robust Subversion system. The advisory includes several recommendations about the tools users and developers should use for updates, source code copying and signed binary distribution.

This is not the first time an open-source software project had to deal with an intrusion because of compromised SSH authentication keys. In August 2009, the Apache Project was forced to shut down its primary Web and mirror servers after discovering that hackers used an SSH key associated with an automated backup account to upload and execute malicious code on some of the servers.

"This is a hearty reminder that a chain is only as strong as its weakest link," said Paul Ducklin, the head of technology for Asia Pacific at antivirus vendor Sophos, in a blog post Sunday. "In particular, never forget that the security of your internal systems may very well be no better than the security of any and all external systems from which you accept remote access -- whether those are servers, laptops or even mobile devices."

Tags sophosintrusionApache Project was forced to shut down its primary Web and mirror serverssecurityAccess control and authentication

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?