Red Hat 7.2 distribution files on popular FTP sites such as ftp.ibiblio.org and mirrors.hpcf.upr.edu are not signed. It is unlikely that this is an attack, as the number of sites involved makes it likely someone would have noticed and notified the community. Either Red Hat did not sign these packages, or someone subverted the distribution process before the files got to the various sites. For Red Hat 7.1, please note that all files were correctly signed with the Red Hat GnuPG security key.
Credit:
The information has been provided by Kurt Seifried.
Vulnerable systems:
Red Hat version 7.2
Immune systems:
Red Hat version 7.1 and prior
Impact:
An attacker can create RPMs that will not appear any different from the real ones, as they do not need to be signed. Finding trustworthy MD5 sums for the files is very difficult.
Red Hat has released Red Hat 7.2, a much-anticipated release. Typically, all the RPM distribution files are signed, making it very easy to verify their correctness. Since numerous packages are not signed, it becomes trivial for an attacker to replace packages on a distribution site with no one being able to easily verify that they have been subverted. An attacker would not even need to modify or add files to the package; instead they could add a preinstall, postinstall, preuninstall, or postuninstall script capable of compromising the system, since these scripts run with root privileges. Unsigned packages include rpmdb-redhat and redhat-release.
Solutions and workarounds:
None available. Red Hat needs to sign the packages properly with GnuPG.
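The practical problem for an administrator is that `rpm -K` (`rpm --checksig`) reports an unsigned package as "OK" when only its MD5 digest checks out, so a mirror can be audited without ever noticing the missing signature. The script below is an added example, not part of the advisory: it classifies `rpm -K` output lines so that digest-only packages are flagged as unsigned. The sample lines are constructed, following the `md5 gpg OK` / `md5 OK` / `digests signatures OK` forms rpm prints.

```shell
#!/bin/sh
# Added example (not from the advisory): audit `rpm -K` / `rpm --checksig`
# output so that a package whose MD5 digest is fine but which carries no
# GnuPG/PGP signature is flagged instead of silently passing.
#
# rpm -K prints one line per package; the sample lines below are
# constructed. Lower-case tokens are checks that passed, upper-case
# tokens mark the check that failed:
#   foo-1.0-1.i386.rpm: md5 gpg OK      digest and GnuPG signature verified
#   bar-1.0-1.i386.rpm: md5 OK          no signature at all, only the digest
#   baz-1.0-1.i386.rpm: md5 GPG NOT OK  signature present but does not verify
#   qux-1.0-1.i386.rpm: MD5 NOT OK      payload digest mismatch
# Newer rpm prints "digests signatures OK" / "digests OK"; both forms work.

# classify_checksig_line LINE -> SIGNED_OK | UNSIGNED | BAD_SIG | BAD_DIGEST
classify_checksig_line() {
    result=${1#*:}            # drop the "path/to/file.rpm:" prefix
    case "$result" in
        *"NOT OK"*)
            case "$result" in
                *GPG*|*PGP*|*SIGNATURES*) echo BAD_SIG ;;   # invalid or unverifiable (missing key)
                *) echo BAD_DIGEST ;;
            esac ;;
        *gpg*|*pgp*|*signatures*) echo SIGNED_OK ;;
        *) echo UNSIGNED ;;                                 # digest only: the 7.2 case
    esac
}

# audit_checksig: read rpm -K output on stdin, print "<verdict> <file>" for
# every package that did not pass with a verified signature.
audit_checksig() {
    while IFS= read -r line; do
        verdict=$(classify_checksig_line "$line")
        [ "$verdict" = SIGNED_OK ] || printf '%s %s\n' "$verdict" "${line%%:*}"
    done
}

# Demo on constructed lines; on a real mirror use: rpm -K /mirror/RPMS/*.rpm | audit_checksig
printf '%s\n' \
    'foo-1.0-1.i386.rpm: md5 gpg OK' \
    'bar-1.0-1.i386.rpm: md5 OK' \
    'baz-1.0-1.i386.rpm: md5 GPG NOT OK' \
    'qux-1.0-1.i386.rpm: MD5 NOT OK' | audit_checksig
```

Anything reported as UNSIGNED or BAD_SIG should be treated as unverifiable and not installed until a signed copy can be obtained and checked against the vendor's key.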