Friday, August 22, 2008

RedHat System Compromise Results In Updated Signed OpenSSH packages

RedHat has released updated OpenSSH packages for Red Hat Enterprise Linux 4 i386 and x86_64, and Red Hat Enterprise Linux 5 x86_64, due to a system compromise that resulted in the intruders being able to sign OpenSSH packages for those versions of RHEL. The Fedora infrastructure was also compromised; however, the investigation there seems to indicate that no changes were made to the distribution.

The Fedora signing key is being updated due to the intrusion, even though the Fedora key appears not to have been exposed:

"Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers."
This change to Fedora's signing key may require changes by all Fedora system administrators, and more details are promised if needed.

On the RedHat side, they are careful to note that RedHat Network subscribers would not have received the modified packages via their automatic updates. If you download OpenSSH from any other location, you should carefully verify the MD5 hash of the package against the hashes listed by RedHat.
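As an added illustration of that verification step (example code, not from the original post or from Red Hat), the POSIX shell routine below checks a downloaded package against a vendor-published MD5 list and fails closed when the package is unlisted, listed more than once, or does not match. The list format (one `<md5>  <filename>` pair per line), the file names and the hashes are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded package
# against a vendor-published hash list and fail closed when the package is
# missing from the list, listed ambiguously, or does not match.
# Assumed list format: one "<md5>  <filename>" pair per line (md5sum style).

# verify_pkg_hash <package-path> <hash-list-path>
# Returns 0 only when the list has exactly one entry for the package's
# basename and that entry's hash equals the file's actual MD5.
verify_pkg_hash() {
    pkg="$1"; list="$2"
    name=$(basename "$pkg")
    [ -f "$pkg" ]  || { echo "REJECT: missing package $pkg" >&2; return 2; }
    [ -f "$list" ] || { echo "REJECT: missing hash list $list" >&2; return 2; }

    # Exact string match on the filename column (no regex, no partial match).
    count=$(awk -v n="$name" '$2 == n' "$list" | wc -l)
    if [ "$count" -ne 1 ]; then
        echo "REJECT: $name has $count entries in the published list" >&2
        return 1
    fi
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$list")
    actual=$(md5sum "$pkg" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "REJECT: $name hash mismatch (list $expected, file $actual)" >&2
        return 1
    fi
    echo "OK: $name matches the published hash"
    return 0
}

# Self-contained demo with constructed data (not real RHEL packages or hashes).
demo_verify() {
    dir=$(mktemp -d) || return 2
    printf 'constructed package payload\n' > "$dir/openssh-demo.rpm"
    printf 'another constructed payload\n' > "$dir/unlisted.rpm"
    good=$(md5sum "$dir/openssh-demo.rpm" | awk '{ print $1 }')
    printf '%s  openssh-demo.rpm\n' "$good" > "$dir/published.md5"
    verify_pkg_hash "$dir/openssh-demo.rpm" "$dir/published.md5"   # OK
    verify_pkg_hash "$dir/unlisted.rpm" "$dir/published.md5"       # REJECT: not listed
    printf 'tampered\n' >> "$dir/openssh-demo.rpm"
    verify_pkg_hash "$dir/openssh-demo.rpm" "$dir/published.md5"   # REJECT: mismatch
    rm -rf "$dir"
    return 0
}
demo_verify
```

The hash list must come from the vendor's own published page, not from the same mirror as the package; a list fetched alongside a tampered download proves nothing.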

The question becomes: What are RedHat's signing key management processes, and how did they break down to allow an intruder to sign packages? What level of access did the intruders have to the signing servers?

There are a number of methods to protect systems from this type of compromise, including restricting network-level access to the signing servers so that only internally initiated pulls of files to be signed are allowed inbound, and only pushes of signed files are allowed outbound.

Today's reminder? Proper key management, particularly for keys that are trusted by customers, is crucial!
