July 14, 2006 10:41 AM PDT
Debian locks out developers after server hack
A compromised developer account was used to take control of the server, according to an e-mail sent Thursday to the community by Debian developer Martin Schulze. List members were told of the intrusion in an announcement the day before.
"At least one developer account has been compromised a while ago and has been used by an attacker to gain access to the Debian server," Schulze wrote.
The developer said the attacker then used a recently discovered vulnerability in the Linux kernel to gain root--or admin--access on the server.
"An investigation of developer passwords revealed a number of weak passwords whose accounts have been locked in response," Schulze wrote.
Debian is a noncommercial version of Linux, though some companies, such as Canonical and Progeny, have based products on it.
While the compromised server, known as "gluck," has had its software reinstalled and is now back online with all services intact, other parts of Debian's infrastructure remain closed off from casual access.
"Other Debian servers have been locked down for further investigation (into) whether they were compromised as well," wrote Schulze. "They will be upgraded to a corrected kernel before they will be unlocked."
Flaw in the kernel
Schulze said the particular Linux vulnerability only exists in kernel versions:
2.6.13 up to versions before 2.6.17.4
2.6.16 up to versions before 2.6.16.24
Schulze advised administrators to upgrade their software if they were using these versions but said the current stable version of Debian was not affected, as it runs kernel 2.6.8.
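An added example, not from the article or from Debian: a Python check of a `uname -r` style release string against the two ranges quoted above. It assumes the second range marks the corrected release for the 2.6.16 branch, so 2.6.16.24 and later 2.6.16 releases are treated as fixed; the function names and sample strings are constructed.

```python
import re

# Ranges as quoted in the article from Schulze's e-mail.
MAINLINE_FIRST = (2, 6, 13)      # first affected release
MAINLINE_FIXED = (2, 6, 17, 4)   # first corrected release
BRANCH_2_6_16 = (2, 6, 16)       # branch listed with its own fix
BRANCH_FIXED = (2, 6, 16, 24)    # first corrected 2.6.16 release


def parse_release(release):
    """Turn a `uname -r` style string into a tuple of ints.

    Distribution suffixes such as "-1-686" are ignored.
    """
    match = re.match(r"\d+(?:\.\d+){1,3}", release.strip())
    if not match:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(part) for part in match.group(0).split("."))


def is_affected(release):
    """Return True if the release falls in either quoted range."""
    version = parse_release(release)
    # Assumption: 2.6.16 releases are judged only against 2.6.16.24,
    # otherwise a fixed 2.6.16.30 would look older than 2.6.17.4.
    if version[:3] == BRANCH_2_6_16:
        return version < BRANCH_FIXED
    return MAINLINE_FIRST <= version < MAINLINE_FIXED


if __name__ == "__main__":
    # Constructed sample release strings.
    for sample in ("2.6.8-3-686", "2.6.16.18-1-686", "2.6.16.24", "2.6.17.3"):
        state = "affected" if is_affected(sample) else "not affected"
        print("%-18s %s" % (sample, state))
```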
Wider damage to Debian's infrastructure may have been avoided. "Due to the short window between exploiting the kernel and Debian admins noticing, the attacker hadn't time/inclination to cause much damage," Schulze wrote.
"The only obviously compromised binary was /bin/ping. The compromised account did not have access to any of the restricted Debian hosts. Hence, neither the regular nor the security archive had a chance to be compromised."
The security breach is not the first for the Debian project. In November 2003, several of Debian's servers were similarly compromised and pulled offline.
Renai LeMay of ZDNet Australia reported from Sydney.

Where is everyone? Are the double standards to be that obvious?
completely different animal. I understand that this
is a consumer-based forum that is not as technically
sophisticated as opposed to the kernel mailing
lists, but, I will try to explain the differences.
There are two primary levels of exploits. External
and local exploits. Local exploits are when an idiot
makes an easily guess-able login name and password
or an application can elevate its privileges
from a local account. Global or external exploits
are the majority of Windows flaws. These are the
kind that allow an external user access to the
system with "root level privileges" or
"administration level privileges" in the Windows
world.
There is an extremely important difference. Most
if not all Linux and Unix exploits are at the
local level. We still consider this important
since Unix has always been a multi-user operating
system and there may be a malicious local user.
This in essence brings us to the major difference
between Unix and Windows. Windows started its life
as a single user MS only isolated system. When
MS was dragged into the modern Unix world of
highly inter-networked computers they had to
quickly retrofit their systems with a tcp/ip stack.
This stack (BSD) worked, but, all the other
privileges (file, user, etc.) were missing.
Hence all exploits were immediately global or
local which could easily be elevated to global.
What this all means is, Linux exploits are not
nearly as critical unless you have local malicious
users on your system. A potential problem that
might be exploited by a local user group versus
a global problem that could be exploited by the
world. Apples and Oranges.
I hope this was a helpful summary.
If anyone is interested...
by Johnny Mnemonic
July 15, 2006 4:00 PM PDT
You can get all the Linux and Open Source news
and alerts at:
http://lwn.net
It's not the Linux kernel mailing list, but, it is
more approachable and you can use more critical
thinking to filter out the nonsense. Many kernel
folks actually subscribe to it and may answer your
questions. I recommend it to the CNET editors as
well. It will help you to filter out the sensational
reports of Linux flaws. Please refer to this site
before you write any more of these stories.
Thank you.