IgnorantGuru's Blog

Linux software, news, and tips

Kernel.org Rooted

In case anyone is living under a rock and missed it (like me), sometime in August multiple kernel.org servers were rooted, and linux.com was also compromised in a related breach. Both sites are still offline. Not only does kernel.org host the Linux kernel source code (which has now been temporarily moved), but it also hosts mirrors for many Linux distros. It is claimed that “the attackers did not really understand the significance of the servers they’d breached and were unable to capitalize on the attack”, and that no tampering has been found in the kernel source code or distro mirrors. If true, call this very lucky, yet this is another example showing that Linux developers need to take file authentication protocols more seriously.

[ UPDATE: A Frugalware server was also recently rooted using the same rootkit used on kernel.org – there is currently a message about this on the Frugalware homepage and additional details. ]

Earlier this year, I spent considerable time exposing and discussing Arch Linux’s long-term negligence in their distro’s security practices, which prompted me to discontinue my use of Arch Linux. It turns out that kernel.org hosts a primary Arch mirror, and if those files were compromised, anyone using that mirror to update their system has been silently infected. (Note that kernel.org did not discover the breach for two weeks.) There are ongoing discussions of this on:
Reddit: Kernel.org (Arch’s main mirror) compromised
and on:
Arch Forum: kernel.org – Security Breach.

Additional info on the kernel.org breach:

The Hacker News: Kernel.org Server Rooted and 448 users credentials compromised

Slashdot: Kernel.org Compromised

eWeek: Linux Foundation, Linux.com Hacked in Kernel.com Breach

Previous related articles:
Arch’s Dirty Little Not-So-Secret
Mirror Mirror

September 15, 2011 - Posted by | Tips

10 Comments

  1. Looks like we were right…

    Comment by pipy | September 15, 2011

  2. The linux kernel developers DO take file authentication seriously. Even if the attackers did know what they were going after, the git revision control system would have kept the main linux kernels near impossible to tamper with. I can’t speak for Arch, or for the Arch mirror(s) on kernel.org, but rest assured that the linux kernel itself would have been damn near impossible to tamper with, without someone finding out almost immediately. As a matter of fact, if someone did attempt to tamper with the kernel itself, the intrusion almost definitely would have been detected faster than it actually was.

    You should be happy that the linux kernel developers do take file authentication so seriously, instead of lumping them in with the negligence of Arch’s development team.

    From http://www.linuxfordevices.com/c/a/News/Kernelorg-hacked/ :
    Git calculates a cryptographically secure SHA-1 hash for each of the nearly 40,000 files that make up the Linux kernel. The name of each version of the kernel depends on the complete development history leading up to that version, and once it is published, it’s not possible to change the old versions without someone noticing. Any changes to the source code would be noticed by anyone updating their personal copy of the code, according to the site’s security notification.

    Kernel.org is “just a distribution point” and no actual development happens on the server, according to Corbet. “When we say that we know the kernel source has not been compromised on kernel.org, we really know it,” Corbet wrote.

    Comment by Anonymous | September 15, 2011

    • This is true – the kernel developers do appear to use authentication well, and I didn’t mean to lump them in there. But there are other core Linux components, such as Xorg, whose developers are very careless about signing source code. I discussed this with some links here if you’re interested. Thanks for the clarification.

      Comment by IgnorantGuru | September 15, 2011
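As an added illustration of the git property quoted in the comment above (this is example code written for this page, not code from the blog, from git or from kernel.org): a simplified re-implementation of git's object hashing, showing that rewriting a file in any published version changes that commit id and every descendant id, so a clone that already holds the original ids notices the difference. The author/committer identity, timestamps and file contents are constructed sample values.

```python
import hashlib

def git_object_id(kind, body):
    """Hash a loose git object the way git does: sha1("<type> <len>\\0" + body)."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content):
    return git_object_id("blob", content)

def tree_id(entries):
    """Flat tree of regular files (mode 100644); entries map filename -> blob id (hex)."""
    body = b"".join(f"100644 {name}\0".encode() + bytes.fromhex(entries[name])
                    for name in sorted(entries))
    return git_object_id("tree", body)

def commit_id(tree, parent, message):
    """Commit object; identity and timestamp are constructed sample values."""
    ident = "Sample Dev <dev@example.invalid> 1315000000 +0000"
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else []) \
            + [f"author {ident}", f"committer {ident}"]
    body = ("\n".join(lines) + "\n\n" + message + "\n").encode()
    return git_object_id("commit", body)

def build_history(versions):
    """versions: list of {filename: content} snapshots, oldest first -> list of commit ids."""
    ids, parent = [], None
    for i, files in enumerate(versions):
        tree = tree_id({name: blob_id(content) for name, content in files.items()})
        parent = commit_id(tree, parent, f"version {i}")
        ids.append(parent)
    return ids

def tamper(versions, index, filename, new_content):
    """Copy of the history with one file silently rewritten in one old snapshot."""
    out = [dict(v) for v in versions]
    out[index][filename] = new_content
    return out

def first_divergence(clone_ids, server_ids):
    """Index of the first commit id where the server disagrees with the clone, or None."""
    for i, (a, b) in enumerate(zip(clone_ids, server_ids)):
        if a != b:
            return i
    return None

# Constructed sample history: three releases of a tiny two-file tree.
SAMPLE_VERSIONS = [{"a.c": b"int x;\n"}, {"a.c": b"int x;\n", "b.c": b"int y;\n"},
                   {"a.c": b"int x = 1;\n", "b.c": b"int y;\n"}]
```

Building the clean history and a copy with `a.c` altered in version 1 gives identical ids for version 0 and differing ids from version 1 onward, which is exactly what a user running `git fetch` against a tampered server would see.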

  3. Scratch the majority of that last comment I made… I just read your article on Arch’s lack of package signing… I see your point now.

    Still though, thank god for the kernel itself remaining intact.

    Comment by Anonymous | September 15, 2011

  4. An important server in the Frugalware infrastructure was compromised: http://frugalware.org/
    and: http://article.gmane.org/gmane.linux.frugalware.devel/9899

    Maybe Arch too? I have been using it since July, and after reading all the posts regarding package signing (and your blog too), I agree with you.
    I came from FreeBSD, but for my special needs I need the Linux kernel, so Arch seemed the best choice, but after this…

    Comment by Anonymous | September 17, 2011

    • Thanks for the info! It sounds like use of the hack which affected kernel.org has spread elsewhere – yet another wake-up call to distros whose package managers have no authentication mechanism.

      I’ve had good results replacing Arch with Aptosid.

      Comment by IgnorantGuru | September 17, 2011

  5. Thing is, one has to wonder about the entire Linuxsphere in general. If the attacker was smart enough to compromise these sites, wouldn’t he/she/it know about the entire authentication process used by kernel developers and whatnot? I’m no security expert (nor computing expert, tbh), but common sense tells me that the level of “head in the sand” syndrome shown by many “devs” on various forums (Debian, Aptosid and Liquorix included) is a bit worrying. Nothing is foolproof in this world. Only sure things are death, taxes and incompetent OEMs.

    Comment by Nymphtus | September 25, 2011

    • The more I see the security practices and lack thereof in Linux, the more I believe that Linux security is a myth. I think they rely on “security through obscurity” more than is acknowledged. I’ve been meaning to put together an article on just this.

      That said, simply knowing about the kernel devs’ authentication process shouldn’t be an issue – knowing how it works should not mean one is able to compromise it, if it’s designed well. From what I’ve heard, git does handle this well (in theory at least). How hardened and real-world-tested it is, I don’t know.

      Comment by IgnorantGuru | September 25, 2011

  6. And if it was a false developer (read ‘cracker’) injected by a $$$$$$$$$ company ??

    Comment by Anonymous | September 30, 2011

    • Well we only know what they’re telling us, which isn’t much. I’m surprised that kernel.org is still completely down as of today (over a month since they discovered the breach) – a larger breach than their initial account described?

      Comment by IgnorantGuru | September 30, 2011
