
Debian development server (gluck) compromised

Lou
Posts: 1739
Joined: 2006-05-08 02:15

Debian development server (gluck) compromised

#1 Post by Lou »

From: James Troup
To: debian-devel-announce@lists.debian.org
Subject: compromise of gluck.debian.org, lock down of other debian.org machines
Date: Wed, 12 Jul 2006 18:47:24 +0100
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Early this morning we discovered that someone had managed to
compromise gluck.debian.org. We've taken the machine offline and are
preparing to reinstall it. This means the following debian.org
services are currently offline:

cvs, ddtp, lintian, people, popcon, planet, ports, release

Based on the results of our initial investigation we've locked down
most other debian.org machines, limiting access to DSA only, until
they can be fixed for what we suspect is the exploit used to
compromise gluck.

We're still investigating exactly what happened and the extent of the
damage. We'll post more info as soon as we reasonably can.

Slashdot discussion on the subject:
http://it.slashdot.org/it/06/07/13/0047210.shtml
Devuan Jessie - IceWM - vimperator - no DM
KISS - Keep It Simple, Stupid

DeanLinkous
Posts: 1570
Joined: 2006-06-04 15:28

#2 Post by DeanLinkous »

old news already :D
not a big deal to me.....glad debian is open about it

Lavene
Site admin
Posts: 4958
Joined: 2006-01-04 04:26
Location: Oslo, Norway

#3 Post by Lavene »

Can't beat them slashdoters... 8)

Tina

Lavene
Site admin
Posts: 4958
Joined: 2006-01-04 04:26
Location: Oslo, Norway

#4 Post by Lavene »

It was a kernel vulnerability that was exploited.
------------------------------------------------------------------------
The Debian Project http://www.debian.org/
Debian Server restored after Compromise debian-admin@debian.org
July 13th, 2006 http://www.debian.org/News/2005/20060713
------------------------------------------------------------------------

Debian Server restored after Compromise

One core Debian server has been reinstalled after a compromise and
services have been restored. On July 12th the host gluck.debian.org
has been compromised using a local root vulnerability in the Linux
kernel. The intruder had access to the server using a compromised
developer account.

The services affected and temporarily taken down are: cvs, ddtp,
lintian, people, popcon, planet, ports, release.


Details
-------

At least one developer account has been compromised a while ago and
has been used by an attacker to gain access to the Debian server. A
recently discovered local root vulnerability in the Linux kernel has
then been used to gain root access to the machine.

At 02:43 UTC on July 12th suspicious mails were received and alarmed
the Debian admins. The following investigation turned out that a
developer account was compromised and that a local kernel
vulnerability has been exploited to gain root access.

At 04:30 UTC on July 12th gluck has been taken offline and booted off
trusted media. Other Debian servers have been locked down for further
investigation whether they were compromised as well. They will be
upgraded to a corrected kernel before they will be unlocked.

Due to the short window between exploiting the kernel and Debian
admins noticing, the attacker hadn't had time/inclination to cause
much damage. The only obviously compromised binary was /bin/ping.

The compromised account did not have access to any of the restricted
Debian hosts. Hence, neither the regular nor the security archive had
a chance to be compromised.

An investigation of developer passwords revealed a number of weak
passwords whose accounts have been locked in response.

The machine status is here: <http://db.debian.org/machines.cgi>


Kernel vulnerability
--------------------

The kernel vulnerability that has been used for this compromise is
referenced as CVE-2006-2451. It only exists in the Linux kernel
2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24.
The bug allows a local user to gain root privileges via the
PR_SET_DUMPABLE argument of the prctl function and a program that
causes a core dump file to be created in a directory for which the
user does not have permissions.

The current stable release, Debian GNU/Linux 3.1 alias 'sarge',
contains Linux 2.6.8 and is thus not affected by this problem. The
compromised server ran Linux 2.6.16.18.

If you run Linux 2.6.13 up to versions before 2.6.17.4, or Linux
2.6.16 up to versions before 2.6.16.24, please update your kernel
immediately.
To check your kernel version:

Code:
uname -r

Tina
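As an added example (not from the thread or from Debian's advisory), the following POSIX shell script turns the version ranges quoted above into a check of the running kernel; the function names version_key and affected_kernel are my own. It treats 2.6.16.y as its own stable branch whose fix landed in 2.6.16.24, which is what the advisory's second range means, so 2.6.16.24 is reported as fixed even though it sorts below 2.6.17.4.

```shell
#!/bin/sh
# Check a kernel version string against the CVE-2006-2451 ranges quoted in the
# Debian advisory:  2.6.13 <= v < 2.6.17.4 (mainline)  and  2.6.16.y < 2.6.16.24
# (the 2.6.16 stable branch). Added example; not Debian's own tooling.

# Map "a.b.c.d-suffix" to one comparable integer (missing components count as 0,
# so 2.6.16 sorts below 2.6.16.1). The Debian ABI suffix ("-1-686") is dropped.
version_key() {
    v=${1%%-*}
    old_ifs=$IFS
    IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 100000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + ${4:-0} ))
}

# Return 0 (true) if the version lies in an affected range, 1 otherwise.
affected_kernel() {
    k=$(version_key "$1")
    base=${1%%-*}
    case "$base" in
        2.6.16|2.6.16.*)
            # 2.6.16.y stable branch: fixed in 2.6.16.24
            [ "$k" -lt "$(version_key 2.6.16.24)" ] ;;
        *)
            # mainline: affected from 2.6.13 up to, but not including, 2.6.17.4
            [ "$k" -ge "$(version_key 2.6.13)" ] && \
            [ "$k" -lt "$(version_key 2.6.17.4)" ] ;;
    esac
}

# Check the kernel this script is running on (falls back to 0 if uname is unavailable).
running=$(uname -r 2>/dev/null || echo 0)
if affected_kernel "$running"; then
    echo "$running: inside the CVE-2006-2451 affected range, update the kernel"
else
    echo "$running: outside the advisory's affected range"
fi
```

Run it on any host; gluck's 2.6.16.18 is reported as affected, sarge's 2.6.8 is not.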

DeanLinkous
Posts: 1570
Joined: 2006-06-04 15:28

#5 Post by DeanLinkous »

d&mn you /. d&mn you....
:lol:
