linux, säkerhet

109602 2003-08-14  01:10  /189 rader/ CERT Advisory <cert-advisory@cert.org>
Importerad: 2003-08-14  01:10  av Brevbäraren
Extern mottagare: cert-advisory@cert.org
Mottagare: Bugtraq (import) <6000>
Ärende: CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-21 GNU Project FTP Server Compromise

   Original issue date: August 13, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Overview

   The  CERT/CC has received a report that the system housing the
   primary FTP servers for the GNU software project was compromised.

I. Description

   The GNU Project, principally sponsored by the Free Software
   Foundation (FSF),  produces  a  variety of freely available
   software. The CERT/CC has  learned  that  the system housing the
   primary FTP servers for the GNU  software  project,
   gnuftp.gnu.org,  was  root  compromised by an intruder.  The more
   common host names of ftp.gnu.org and alpha.gnu.org are  aliases
   for  the  same  compromised  system.  The  compromise is reported
   to have occurred in March of 2003.

   The FSF has released an announcement describing the incident.

   Because  this  system  serves  as  a  centralized  archive  of
   popular software,  the  insertion  of  malicious  code  into  the
   distributed software  is  a  serious  threat. As the above
   announcement indicates, however,  no  source  code  distributions
   are  believed  to have been maliciously modified at this time.

II. Impact

   The  potential  exists  for  an  intruder to have inserted back doors,
   Trojan   horses,   or  other  malicious  code  into  the  source  code
   distributions of software housed on the compromised system.

III. Solution

   We   encourage   sites  using  the  GNU  software  obtained  from  the
   compromised system to verify the integrity of their distribution.

   Sites  that  mirror  the  source  code  are  encouraged  to verify
   the integrity of their sources. We also encourage users to inspect
   any and all  other software that may have been downloaded from the
   compromised site.  Note that it is not always sufficient to rely
   on the timestamps or  file  sizes  when trying to determine
   whether or not a copy of the file has been modified.

Verifying checksums

   The  FSF has produced PGP-signed lists of known-good MD5 hashes of
   the software packages housed on the compromised server. These
   lists can be found at

          ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
          ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc

   Note that both of these files and the announcement above are
   signed by Bradley  Kuhn,  Executive  Director of the FSF, with the
   following PGP key:

pub  1024D/DB41B387 1999-12-09 Bradley M. Kuhn <bkuhn@fsf.org>
     Key fingerprint = 4F40 645E 46BE 0131 48F9  92F6 E775 E324 DB41 B387
uid                            Bradley M. Kuhn (bkuhn99) <bkuhn@ebb.org>
uid                            Bradley M. Kuhn <bkuhn@gnu.org>
sub  2048g/75CA9CB3 1999-12-09

   The CERT/CC believes this key to be valid.

   As a matter of good security practice, the CERT/CC encourages
   users to verify,  whenever  possible, the integrity of downloaded
   software. For more information, see IN-2001-06.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for
   this advisory.  As  vendors  report new information to the
   CERT/CC, we will update this section and note the changes in our
   revision history. If a particular  vendor  is  not  listed  below,
   we have not received their comments.

Free Software Foundation


   The current files on alpha.gnu.org and ftp.gnu.org as of
   2003-08-02 have all been verified, and their md5sums and the
   reasons we believe the md5sums can be trusted are in:

       ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
       ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc

   We are updating that file and the site as we confirm good md5sums
   of additional files.  It is theoretically possible that downloads
   between March 2003 and July 2003 might have been
   source-compromised, so we encourage everyone to re-download
   sources and compare with the current copies for files on the site.

Appendix B. References

     * FSF      announcement      regarding      the      incident      -
       ftp://ftp.gnu.org/MISSING-FILES.README
     * CERT Incident Note IN-2001-06 -
       http://www.cert.org/incident_notes/IN-2001-06.html
     _________________________________________________________________

   The  CERT/CC  thanks Bradley Kuhn and Brett Smith of the Free Software
   Foundation for their timely assistance in this matter.
     _________________________________________________________________

   Feedback can be directed to the author: Chad Dougherty.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-21.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by
   email.  Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for
   more information.

Getting security information

   CERT  publications  and  other security information are available
   from our web site http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and
   bulletins, send  email  to majordomo@cert.org. Please include in
   the body of your message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the
   U.S.  Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY Any  material furnished by Carnegie Mellon University
   and the Software Engineering  Institute  is  furnished  on  an
   "as is" basis. Carnegie Mellon University makes no warranties of
   any kind, either expressed or implied  as  to  any matter
   including, but not limited to, warranty of fitness  for  a
   particular purpose or merchantability, exclusivity or results
   obtained from use of the material. Carnegie Mellon University does
   not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History
August 13, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPzqwFWjtSoHZUTs5AQGN4AQAvL/u+S+FpkNWtBH/fe9DCLJQM21I/dzt
QPU0prMxTq53ntvTOAth+yFPtbcbeDaWuLHakju0mL4OSU0Fp+VsXbXnF5ypE+0r
S5mHpMxSmvPBPBNTIMQUGybEKK783P9Ty2lhXxawEW9JbdgMOY44clo2VIupgxuZ
OeyQrFbsq54=
=/72G
-----END PGP SIGNATURE-----
(109602) /CERT Advisory <cert-advisory@cert.org>/(Ombruten)