A dangerous vulnerability in the Linux kernel is at the heart of a recent attack on the Debian Project's development
The flaw, an integer overflow in the "brk" system call, enabled an attacker to compromise four Debian servers, sniff several passwords and install a root kit used to hit other servers.
Debian said that the servers housing its code base were not attacked.
The hole was discovered in September by 2.6 kernel maintainer Andrew Morton but was not fixed in time for the release of the 2.4.22 kernel. Version 2.4.23, which was released late Friday night, as well as the 2.6.0 test kernel, have been patched, according to an advisory from service provider TruSecure Corp.
Enterprises running a version of the Linux kernel older than 2.4.23 are urged to update immediately.
"Users are at risk. The exploit is running around in the wild already," said Debian developer Martin "Joey" Schulze. "We consider it very dangerous."
Exploiting the flaw enables an attacker to overwrite kernel memory, Schulze said, giving the outsider full control of kernel memory space and allowing him to alter any value.
As of 11 a.m. EST, Debian, Red Hat, Mandrake and Trustix had issued patches for their distributions.
In addition, accounts to the Debian development servers have been deactivated, and Debian is urging users to create new passwords.
The Debian attack began Nov. 19. On that day, administrators noticed suspicious activity on the project's Klecker and Master servers, which house its bug-tracking and search systems. It was quickly determined that the SucKIT root kit, which includes a keystroke-logging program used to steal passwords and other sensitive data, was installed on the servers.
The attacker also installed the TESO group's Burneye, a program that alters executable programs so that they hide their true intentions from firewalls, intrusion-detection systems and other security probes, including forensic investigations.
The attacker used a sniffed password to access three of the four servers, install the root kit and elevate his privileges on each machine.
Debian also said developers should remove any SSH keys generated or stored by one of the servers and used to log in to other machines. In addition, Debian has also deactivated the GnuPG/PGP keys.
Despite claims from open source devotees that their software is more secure than that of proprietary companies, the Debian incident represents the second attack on the Linux kernel since the start of November. Last month, an attacker tried to inject a Trojan horse program into the 2.6 kernel. The attack was detected and never reached the development tree, which is stored in a secure but publicly accessible database.