Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Linux Source Code Repository Kernel.Org Gets Hacked

A number of servers belonging to kernel.org were compromised last month in an attack that may have started with a stolen user credential.

According to a statement on kernel.org, which hosts the source code for the Linux kernel, the attack is not believed to have affected the source code repositories. While the situation remains under investigation, it is believed the attackers gained access to a server known as ‘Hera.’

A number of servers belonging to kernel.org were compromised last month in an attack that may have started with a stolen user credential.

According to a statement on kernel.org, which hosts the source code for the Linux kernel, the attack is not believed to have affected the source code repositories. While the situation remains under investigation, it is believed the attackers gained access to a server known as ‘Hera.’

“We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated,” according to kernel.org.

The attackers then modified SSH files that were running live, logged user interactions and added a Trojan startup file to the system start up scripts, the statement explains.

The attack was discovered Aug. 28 when an Xnest error message was found in the system logs on a server that did not have Xnest installed. Officials with the site have responded by taking the affected systems offline and doing backups and reinstalls, and have also notified authorities in the United States and Europe.

In an email to users, chief site administrator John ‘Warthog9’ Hawley stated that the break-in is believed to have occurred no later than Aug. 12, and that the Trojan infected a developer’s personal colocated machine as well as other systems.

“Upon some investigation there are a couple of kernel.org boxes, specifically hera and odin1, with potential pre-cursors on demeter2, zeus1 and zeus2, that have been hit by this,” he wrote.

The statement on kernel.org sought to assuage fears about the attack, noting that “the potential damage of cracking kernel.org is far less than typical software repositories.” “That’s because kernel development takes place using the git distributed revision control system, designed by Linus Torvalds,” according to the statement. “For each of the nearly 40,000 files in the Linux kernel, a cryptographically secure SHA-1 hash is calculated to uniquely define the exact contents of that file. Git is designed so that the name of each version of the kernel depends upon the complete development history leading up to that version.”

“Once it is published, it is not possible to change the old versions without it being noticed,” the statement continues. “Those files and the corresponding hashes exist not just on the kernel.org machine and its mirrors, but on the hard drives of each several thousand kernel developers, distribution maintainers, and other users of kernel.org. Any tampering with any file in the kernel.org repository would immediately be noticed by each developer as they updated their personal repository, which most do daily.”

The site is working with the 448 users of kernel.org to change their credentials and change their SSH keys.

Written By

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.