Linux kernel repository compromised

Darren Pauli | Sep 5, 2011 1:59 PM
Damage limited by git.

The secure shell (SSH) servers of the Linux kernel repository have been compromised and a trojan injected into the rc3.d startup file following a hack earlier this month.

The attack was undetected for at least 16 days and has sent members of the Linux kernel community scrambling to check for compromises.

Attackers gained root access on the Hera server, possibly through compromised user credentials, but it remains unknown how the root exploit was launched.

The SSH packages, including openssh, openssh-server and openssh-clients, were modified on the server, and the modified versions were running live.

All 448 users of kernel.org have been asked to change credentials and SSH keys.

A statement from kernel.org said any alteration to Linux kernel files would be detected because the git distributed revision control system records a SHA-1 hash of every file and every version, and a modification changes those hashes.

"The potential damage of cracking kernel.org is far less than typical software repositories," the statement said.

"For each of the nearly 40,000 files in the Linux kernel, a cryptographically secure SHA-1 hash is calculated to uniquely define the exact contents of that file.

"Git is designed so that the name of each version of the kernel depends upon the complete development history leading up to that version. Once it is published, it is not possible to change the old versions without it being noticed."
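As an added illustration, not part of the article or of kernel.org's own tooling, the following Python reproduces git's object naming over a constructed three-commit history and shows why an old file edited after publication changes every later commit id, even when the later trees are untouched. The object format and hashing are git's; the sample files, the fixed author fields, and the flat (directory-free) tree are assumptions made to keep the example short.

```python
import hashlib
from typing import Dict, List, Optional

def git_object_id(obj_type: str, body: bytes) -> str:
    """Name an object exactly as git does: SHA-1 over '<type> <size>\\0<body>'."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)

def tree_id(files: Dict[str, bytes]) -> str:
    # Flat tree of regular files: one '100644 <name>\0<20 raw sha bytes>' entry per
    # name, sorted as git sorts them. Real trees nest one tree object per directory.
    entries = b"".join(
        f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
        for name in sorted(files)
    )
    return git_object_id("tree", entries)

def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    # Fixed author/committer/timestamp (assumed) so the ids are deterministic.
    body = f"tree {tree}\n" + (f"parent {parent}\n" if parent else "")
    body += "author Dev <dev@example.invalid> 0 +0000\n"
    body += "committer Dev <dev@example.invalid> 0 +0000\n\n" + message + "\n"
    return git_object_id("commit", body.encode())

def build_history(snapshots: List[Dict[str, bytes]]) -> List[str]:
    """Commit each snapshot on top of the previous one; return the chain of commit ids."""
    ids: List[str] = []
    parent = None
    for i, files in enumerate(snapshots):
        parent = commit_id(tree_id(files), parent, f"snapshot {i}")
        ids.append(parent)
    return ids

def head_matches(published_head: str, snapshots: List[Dict[str, bytes]]) -> bool:
    """The check a developer runs: does my local history reproduce the published head id?"""
    return build_history(snapshots)[-1] == published_head

# Constructed sample history: three snapshots of a tiny project (not real kernel files).
CLEAN = [
    {"main.c": b"int main(void) { return 0; }\n"},
    {"main.c": b"int main(void) { return 0; }\n", "Makefile": b"all: main.c\n"},
    {"main.c": b"int main(void) { return 1; }\n", "Makefile": b"all: main.c\n"},
]
# Same history, but the oldest snapshot was silently edited after it was published.
TAMPERED = [dict(s) for s in CLEAN]
TAMPERED[0]["main.c"] = b"int main(void) { return 0; } /* injected */\n"
```

Only the first tree differs between CLEAN and TAMPERED, yet every commit id from that point on changes, so `head_matches(published_id, TAMPERED)` is false while the untouched history still reproduces the published id.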

Administrators said they "believe that the source code repositories were unaffected" and had taken "steps to enhance security across the kernel.org infrastructure".

Chief kernel.org administrator John Hawley said in an email to developers that the hack may have caused recent instabilities in the kernel development.

"We are looking into everything," Hawley said. "I've not had what many would consider a 'good' day."

He called on developers to report suspicious findings that may be evidence of the intrusion.

"Verify your git trees and make sure things are correct."

Kernel contributor Jonathan Corbet said the hack was "disturbing and embarrassing".

"But I can also say that there is no need to worry about the integrity of the kernel source or of any other software hosted on the kernel.org systems," Corbet said.

"On the face of it, that would make kernel.org a tempting target for an attack. What self-respecting cracker wouldn’t want an opportunity to place some special code into the Linux kernel? Such code would, over time, find its way into millions of machines worldwide."

He said the Linux kernel was "well protected against that sort of attack.

"When we say that we know the kernel source has not been compromised on kernel.org, we really know it."

Telsyte senior analyst and Linux boffin Rodney Gedda said the attack was a reminder to keep systems up to date.

"This proves that no matter how technical you are - and these guys know their stuff - everyone is vulnerable."