[iwar] [fc:Red.Hat.7.2.GnuPG.signed.RPM.verification.fails.on.distribution.files]

From: Fred Cohen (fc@all.net)
Date: 2001-10-23 17:21:00


Message-Id: <200110240021.f9O0L0j29177@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Date: Tue, 23 Oct 2001 17:21:00 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Red.Hat.7.2.GnuPG.signed.RPM.verification.fails.on.distribution.files]

Kurt Seifried Security Advisory 002 (KSSA-002)
http://www.seifried.org/security/advisories/kssa-002.html


By Kurt Seifried, kurt@seifried.org
----------------------------------------------------------------------

Title: 
Red Hat 7.2 GnuPG signed RPM verification fails on distribution files

Issue date:
Oct 23, 2001

History of advisory:
Oct 23, 2001 While downloading Red Hat 7.2 Kurt Seifried noticed
various packages were not GnuPG signed.

Author:
Kurt Seifried <kurt@seifried.org>


Credits:
N/A

Overview:
Red Hat 7.2 distribution files on popular ftp sites such as
ftp.ibiblio.org and mirrors.hpcf.upr.edu are not signed. It is
unlikely that this is an attack as the number of sites involved makes
it likely someone would have noticed and notified the community.
Either Red Hat did not sign these packages, or someone subverted the
distribution process before the files got to various sites. For Red
Hat 7.1 please note that all files were correctly signed with the Red
Hat GnuPG security key.

Vendor Contact:
security@redhat.com

Impact:
An attacker can create RPMs that will not appear any different from
the real ones, as they do not need to be signed. Finding the MD5 sums
of the files in trusted locations is very difficult (I cannot find
any lists).

Details:
Red Hat has released Red Hat 7.2, a much anticipated release.
Typically all the rpm distribution files are signed, making it very
easy to verify their correctness. Since numerous packages are not
signed it becomes trivial for an attacker to replace packages on a
distribution site with no-one being able to easily verify that they
have been subverted. An attacker would not even need to modify or add
files to the package, instead they could add a preinstall,
postinstall, preuninstall or postuninstall script that would be
capable of compromising the system since these scripts run with root
privileges. Packages include rpmdb-redhat and redhat-release. 

Solutions and workarounds:
None available. Red Hat needs to sign the packages properly with
GnuPG. 

References:
N/A

----------------------------------------------------------------------

Permission is granted for copying and circulating this Bulletin to
the Internet community for the purpose of alerting them to problems,
if and only if, the bulletin is not edited or changed in any way, is
attributed to Kurt Seifried, and provided such reproduction and/or
distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Kurt Seifried is not
liable for any misuse of this information by any third party.

----------------------------------------------------------------------

Last updated 10/23/2001

Copyright Kurt Seifried 2001

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF  
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
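The advisory's point is that `rpm --checksig` reports an unsigned package with a bare `md5 OK`, which is easy to mistake for a good signature. The script below is an added example for this archive page; it is not part of Kurt Seifried's advisory or of Fred Cohen's post. It classifies `rpm --checksig` (`rpm -K`) output lines so that a package with no GnuPG/PGP signature is flagged as UNSIGNED rather than passing, and wraps that in a directory audit. The package names and the sample output lines are constructed for the example (they follow the formats rpm 3.x and 4.x print, but the key id shown is made up); the `rpm` invocations in `audit_rpm_dir` and `list_scriptlets` are only run when you call those functions yourself.

```shell
#!/bin/sh
# Added example, not code from the KSSA-002 advisory or the iwar post.
# Classify `rpm --checksig` output so unsigned packages are not mistaken
# for signed ones, then audit a directory of .rpm files with it.

# classify_checksig_line LINE
# Prints SIGNED_OK, UNSIGNED or BAD for one line of rpm --checksig output.
classify_checksig_line() {
    # drop the "name.rpm: " prefix so a package called e.g. gpg-*.rpm
    # cannot be matched as if it carried a gpg token
    checks=${1#*: }
    case "$checks" in
        *"NOT OK"*)
            # digest or signature failed, or the signing key is not in
            # the keyring (MISSING KEYS); never treat this as good
            echo BAD ;;
        *gpg*" OK"|*pgp*" OK"|*GPG*" OK"|*PGP*" OK")
            # a gpg/pgp check is among the ones that passed
            echo SIGNED_OK ;;
        *" OK")
            # only size/md5/sha1 digests were checked: the package is
            # unsigned, which is exactly the condition the advisory reports
            echo UNSIGNED ;;
        *)
            # anything else (rpm missing, unreadable file, ...)
            echo BAD ;;
    esac
}

# audit_rpm_dir DIR
# Runs rpm --checksig on every .rpm in DIR and prints the ones that are
# not GnuPG/PGP signed; returns 1 if any such package exists.
audit_rpm_dir() {
    status=0
    for pkg in "$1"/*.rpm; do
        [ -e "$pkg" ] || continue
        out=$(rpm --checksig "$pkg" 2>&1)
        verdict=$(classify_checksig_line "$out")
        if [ "$verdict" != SIGNED_OK ]; then
            echo "$verdict: $pkg"
            status=1
        fi
    done
    return $status
}

# list_scriptlets PKG.rpm
# Shows the %pre/%post/%preun/%postun scriptlets an unsigned package
# would run as root on install or removal, before deciding to trust it.
list_scriptlets() {
    rpm -qp --scripts "$1"
}

# Constructed sample lines (not real rpm output from any Red Hat mirror):
SAMPLE_UNSIGNED='unsigned-1.0-1.i386.rpm: md5 OK'
SAMPLE_SIGNED='signed-1.0-1.i386.rpm: md5 gpg OK'
SAMPLE_OLD_PGP='old-1.0-1.i386.rpm: size pgp md5 OK'
SAMPLE_NOKEY='nokey-1.0-1.i386.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#0123abcd)'
SAMPLE_TAMPERED='tampered-1.0-1.i386.rpm: MD5 GPG NOT OK'

for l in "$SAMPLE_UNSIGNED" "$SAMPLE_SIGNED" "$SAMPLE_OLD_PGP" \
         "$SAMPLE_NOKEY" "$SAMPLE_TAMPERED"; do
    printf '%-9s %s\n' "$(classify_checksig_line "$l")" "$l"
done
```

Run `audit_rpm_dir /path/to/RedHat/RPMS` against a mirror download; only SIGNED_OK should be silent, and a MISSING KEYS result means the vendor key has not been imported, which is a different problem from the unsigned packages the advisory describes.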




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:56 PST