
Open source more open than you may have imagined...
By Robert Lemos
Published: 2 December 2003 10:05 GMT
The Debian Project has warned that a flaw in the Linux kernel helped attackers compromise four of the open-source project's development servers.
During several intrusions on 19 November, the flaw let an attacker who already had an ordinary user account on a server strip away the restrictions that separate such users from the system administrator. The technique is known as privilege escalation.
Linux kernel developers found the flaw in September and fixed it in the kernel's development tree. The fix reached users late, however: kernel 2.4.23, the first stable release to carry it, was released on Friday, eight days after the Debian breach.
The Debian Project, which includes only truly open-source software in its distribution, stressed that the breaches had not affected the project's code base.
Martin Schulze, a developer and member of the project, said: "Fortunately, we require developers to sign the upload [software] digitally. These files are stored off-site as well, which were used as a basis for a recheck."
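The recheck Schulze describes, as an added example rather than Debian's own tooling: each developer signs a list of the files they uploaded, a copy of that list is kept off-site, and after a breach every file on the server is compared against it. The example assumes the manifest maps file names to SHA-256 digests and that the developer's signature over the manifest has already been verified (for example with gpg --verify) before it is trusted; the package names, file contents and the tampering shown are constructed for the example.

```python
"""Recheck an archive against an off-site, developer-signed manifest.

Added example, not Debian's own code. It assumes a manifest of
file name -> SHA-256 digest whose signature has already been verified.
All inputs below are constructed for the example.
"""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Name -> digest, as the uploader would record before signing."""
    return {name: sha256_hex(data) for name, data in files.items()}


def recheck(manifest: Dict[str, str], on_server: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a possibly tampered server's files with the signed manifest.

    Returns four sorted lists:
      ok         - present with the digest the developer signed for
      modified   - present but contents differ from what was signed
      missing    - signed upload no longer on the server
      unexpected - file on the server that no developer signed for
    Only 'ok' files are kept; the rest are restored from the off-site
    copy or investigated.
    """
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        data = on_server.get(name)
        if data is None:
            result["missing"].append(name)
        elif sha256_hex(data) == expected:
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    for name in on_server:
        if name not in manifest:
            result["unexpected"].append(name)
    return {k: sorted(v) for k, v in result.items()}


# Constructed scenario: three signed uploads stored off-site ...
OFFSITE_UPLOADS = {
    "foo_1.0-1.dsc": b"Format: 1.0\nSource: foo\nVersion: 1.0-1\n",
    "foo_1.0.orig.tar.gz": b"\x1f\x8b" + b"original tarball bytes",
    "foo_1.0-1.diff.gz": b"\x1f\x8b" + b"debian diff bytes",
}
OFFSITE_MANIFEST = build_manifest(OFFSITE_UPLOADS)

# ... and what the compromised server holds: one upload silently altered,
# one removed, and one file nobody signed for.
ON_SERVER = {
    "foo_1.0-1.dsc": OFFSITE_UPLOADS["foo_1.0-1.dsc"],
    "foo_1.0.orig.tar.gz": b"\x1f\x8b" + b"original tarball bytes" + b"\x90\x90",  # tampered
    "bar_2.0-1.dsc": b"Source: bar\n",  # nobody uploaded this
}


def recheck_example() -> Dict[str, List[str]]:
    """Run the recheck on the constructed scenario."""
    return recheck(OFFSITE_MANIFEST, ON_SERVER)


if __name__ == "__main__":
    for category, names in recheck_example().items():
        print(f"{category:10s} {', '.join(names) or '-'}")
```

The manifest catches anything changed, added or removed on the server after the upload was signed. It cannot distinguish a genuine upload from one made with credentials the attacker also captured, which is one reason locking developer accounts, as Debian did, matters as much as the file comparison.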
The project said it would keep all developer accounts locked until the flaw had been fixed on its systems. It published patches for the flaw on Monday but didn't specify when the accounts would be unlocked.
The unknown attacker compromised at least four servers. The systems - known as Master, Murphy, Gluck and Klecker - had maintained the open-source project's bug tracking system, source code database, mailing lists, website and security patches.
The attacker gained access to one of the systems by compromising a developer's computer and installing a keystroke logger, according to a postmortem analysis the team published Friday. When the developer logged into the Klecker system, the logger recorded his password.
Using the September flaw, the attacker then raised that ordinary account to root, or superuser, privileges on Klecker, a state attackers refer to as "owning" the system. The flaw, in a part of the kernel that manages memory, can only be used by someone who already has an account on the system. Such local flaws are usually rated less critical than vulnerabilities that let an outside attacker into a server, and so tend to be fixed less quickly. This incident shows the limit of that reasoning: one stolen password was enough to turn a "local" flaw into full control of the machine.
The intrusions are the latest in a series of attacks on open-source software projects.
In early November, an attacker tried to slip a small, innocent-looking code change into a mirror of the Linux kernel source that would have created a local privilege-escalation flaw similar to the one used against the Debian Project. A year ago, attackers planted a Trojan horse in the source distribution of a popular open-source tool, Tcpdump. Several other known attacks have also been carried out against other open-source projects.
Robert Lemos writes for News.com
Copyright © 2008 CBS Interactive Limited. All rights reserved.