The GNU Project has apparently dodged a major bullet since the FTP server housing its source code was root-compromised by a cracker in March.
Bradley M. Kuhn, executive director of the Free Software Foundation, the Boston-based sponsor of the GNU Project, said this week that the attack had no major impact on users downloading code from its site.
"There is evidence the cracker did not touch the source code. In fact, it's looking like the person did not know they had gotten onto the machine hosting all the source code for the GNU Project," Kuhn said.
GNU is a free Unix-like operating system (the name is a recursive acronym for "GNU's Not Unix"). Linux, for example, is a combination of many GNU components, including the compiler and various libraries, and the kernel, authored by Linus Torvalds.
The attack on the gnuftp.gnu.org server was discovered in late July, and made public Aug. 2. Project researchers said the initial attack was carried out around March 17 and that the attacker exploited a ptrace vulnerability to gain access and inject a Trojan horse program. A patch for the Linux kernel was not available for the better part of a week, the Free Software Foundation said. Kuhn theorizes that the attacker was interested in stealing passwords and using compromised machines as a launching pad for denial-of-service and other attacks.
Kuhn said the server was immediately taken down and rebuilt and the integrity of all files was double-checked by the kernel maintainers who manage the individual files. The md5sum checksum of each source code file on the FTP server is being compared to a known good checksum, Kuhn said.
"We've been clearing 10 to 15 files a day," Kuhn said. "That list is getting pretty short at this point."
The remaining files that have not been checked have been separated until the GNU maintainers can provide trusted secure checksums for them, Kuhn said.
Kuhn said the cracker likely used a stolen local user account and exploited the ptrace bug to gain root access to the FTP server. A GNU administrator witnessed an attack on another machine in late July and traced it back to the FTP server.
Enterprises that have downloaded code from the GNU Project should examine the integrity of that code. The possibility does exist that the attacker inserted malicious code into the source code, according to the Computer Emergency Response Team (CERT) at Carnegie Mellon University, though Kuhn said no such reports have been made.
Going forward, Kuhn said all checksums will be digitally signed with GPG encryption by the kernel maintainer, assuring the integrity of source code from Aug. 2 on.
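The verification process described above, reduced to a defender-side check as an added example (not GNU's own tooling): each downloaded file is hashed and compared with an md5sum-format list, a mismatch is flagged, and any file with no trusted checksum is treated as unverified rather than assumed clean. The file names and contents are constructed, and the example assumes the checksum list has already been authenticated out of band (for instance by verifying its GPG signature) before it is trusted.

```python
import hashlib
import hmac

# Constructed sample downloads (hypothetical names, not real GNU releases).
DOWNLOADED = {
    "gnu-tool-1.0.tar.gz": b"good release contents\n",
    "gnu-lib-2.3.tar.gz": b"tampered contents\n",
    "gnu-extra-0.9.tar.gz": b"no trusted checksum yet\n",
}

# Constructed trusted list in md5sum output format: "<hex>  <name>", with a
# leading "*" on the name for binary mode. Assumed to have been obtained from
# a source independent of the compromised mirror and already signature-checked.
TRUSTED_MD5SUMS = """\
# checksums as published by the maintainers
{good}  gnu-tool-1.0.tar.gz
{lib} *gnu-lib-2.3.tar.gz
""".format(
    good=hashlib.md5(b"good release contents\n").hexdigest(),
    lib=hashlib.md5(b"original library contents\n").hexdigest(),
)


def parse_md5sums(text: str) -> dict[str, str]:
    """Parse md5sum-style lines into {filename: hexdigest}, skipping comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" ").lstrip("*")  # drop separator and binary marker
        if len(digest) != 32 or set(digest.lower()) - set("0123456789abcdef"):
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_downloads(files: dict[str, bytes], trusted_list: str) -> dict[str, str]:
    """Classify each downloaded file as ok, MISMATCH, or unverified."""
    expected = parse_md5sums(trusted_list)
    results = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "unverified"  # quarantine until a trusted checksum exists
            continue
        actual = hashlib.md5(data).hexdigest()
        results[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"
    return results
```

Files reported as MISMATCH or unverified should be set aside and re-fetched once the maintainers publish a trusted checksum, as the article describes.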
The GNU Project is not alone in suffering security breaches among the Linux, open source and free software communities. Recently, Samba, Apache, Snort and other popular software have suffered well-publicized breaches that were quickly addressed.
"We believe in full disclosure. We are letting the public see our process and double-check that every file is good," Kuhn said. "This is what we do in the free software community. We disclose."