[33355] in RISKS Forum


Re: Linux maintainers were infected for 2 years by SSH-dwelling

daemon@ATHENA.MIT.EDU (Theodore Tso)
Wed Jun 5 15:37:38 2024

Date: Mon, 20 May 2024 01:34:01 -0400
From: "Theodore Tso" <tytso@mit.edu>
To: risks@mit.edu
Cc: Victor Miller <victorsmiller@gmail.com>
In-Reply-To: <CMM.0.90.4.1716180132.risko@chiron.csl.sri.com>

> https://arstechnica.com/security/2024/05/ssh-backdoor-has-infected-400000-linux-servers-over-15-years-and-keeps-on-spreading/

This Ars Technica article has a lot of inaccuracies.  It references a
white paper authored by a security research company.  The bulk of the
white paper is about a particular type of malware, named Ebury, that is
still in use today (although it's certainly been changing over that
time).

A very tiny percentage of that white paper refers to the 2011
kernel.org security breach, and in that breach, there were two claims
made, without any evidence or reasoning to back up those assertions.
The first is that it was "likely" that two of the kernel.org machines
(name servers, web servers, mail servers, et al.) may have been
breached for two years (which was counted by claiming one server may
have been compromised for a year, and one for six months --- and I
guess they then rounded that up to two years).  The second was that
there was an /etc/shadow file where 50% (275 users) had cleartext
passwords that were probably obtained by "the Ebury credential
stealer", or "by brute force".

What was not stated was that while back in 2011, one of the servers had
shell accounts (this is no longer the case), these accounts were
generally used to make it easier for those maintainers to manage
things like /pub/linux/kernel/people/<username> where they could
distribute software and/or ad hoc files (patch stacks, etc.).  Most
maintainers rarely logged into those servers, and it certainly wasn't
used for any kind of development.  Secondly, password authentication
was disabled on those machines; all of the maintainers had ssh keys
which were used to login to the kernel.org ftp server.

My best guess is that the /etc/shadow passwords were not used for
anything, and were probably generated randomly by some user management
script; perhaps they were something that could be easily brute forced,
such as an 8 character all lower-case password which could have been
relatively easy to brute force.  But this wouldn't have mattered given
that the attacker (by virtue of successfully attacking a system
administrator account) already had root on the ftp server.

So the claim that Linux maintainers had been infected for "two years"
is very badly misleading.  The attackers did not gain access to the
Linux kernel maintainers' personal development servers.  And while
they did have root access to the kernel.org ftp server, a very careful
audit showed that there was no supply-chain compromise of the
open-source software which was distributed from the kernel.org
servers, nor of the git trees that were on the kernel.org servers.
This is because kernel.org was just a distribution point, and the
primary copies of the git trees were stored on development machines
that were quite separate from the kernel.org ftp/git/web server.

As is often the case, the true story is much less interesting, and
more nuanced, than the click-baity headlines found in many mainstream
media articles...

						- Ted
