Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Kurt Seifried (kurtseifried.org)
Date: Tue Oct 23 2001 - 04:23:43 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hash: SHA1

    Kurt Seifried Security Advisory 002 (KSSA-002)

    By Kurt Seifried, kurtseifried.org
    - ----------------------------------------------------------------------
    - ----------

    Red Hat 7.2 GnuPG signed RPM verification fails on distribution files

    Issue date:
    Oct 23, 2001

    History of advisory:
    Oct 23, 2001 While downloading Red Hat 7.2 Kurt Seifried noticed
    various packages were not GnuPG signed.

    Kurt Seifried kurtseifried.org


    Red Hat 7.2 distribution files on popular ftp sites such as
    ftp.ibiblio.org and mirrors.hpcf.upr.edu are not signed. It is
    unlikely that this is an attack as the number of sites involved makes
    it likely someone would have noticed and notified the community.
    Either Red Hat did not sign these packages, or someone subverted the
    distribution process before the files got to various sites. For Red
    Hat 7.1 please note that all files were correctly signed with the Red
    Hat GnuPG security key.

    Vendor Contact:

    An attacker can create RPM's that will not appear any different from
    the real ones, as they do not need to be signed. Finding the MD5 sums
    of the files in trusted locations is very difficult (I cannot find
    any lists).

    Red Hat has released Red Hat 7.2, a much anticipated release.
    Typically all the rpm distribution files are signed, making it very
    easy to verify their correctness. Since numerous packages are not
    signed it becomes trivial for an attacker to replace packages on a
    distribution site with no-one being able to easily verify that they
    have been subverted. An attacker would not even need to modify or add
    files to the package, instead they could add a preinstall,
    postinstall, preuninstall or postuninstall script that would be
    capable of compromising the system since these scripts run with root
    privileges. Packages include rpmdb-redhat and redhat-release.

    Solutions and workarounds:
    None available. Red Hat needs to sign the packages properly with


    - ----------------------------------------------------------------------
    - ----------

    Permission is granted for copying and circulating this Bulletin to
    the Internet community for the purpose of alerting them to problems,
    if and only if, the bulletin is not edited or changed in any way, is
    attributed to Kurt Seifried, and provided such reproduction and/or
    distribution is performed for non-commercial purposes.

    Any other use of this information is prohibited. Kurt Seifried is not
    liable for any misuse of this information by any third party.

    - ----------------------------------------------------------------------
    - ----------


    Last updated 10/23/2001

    Copyright Kurt Seifried 2001

    Kurt Seifried, kurtseifried.org
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574

    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

    -----END PGP SIGNATURE-----