Date: Sat, 17 Nov 2012 10:02:23 +0000 (UTC) From: Gavin Atkinson <gavin@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r40052 - head/en_US.ISO8859-1/htdocs/news Message-ID: <201211171002.qAHA2N2C076027@svn.freebsd.org>
Author: gavin Date: Sat Nov 17 10:02:22 2012 New Revision: 40052 URL: http://svnweb.freebsd.org/changeset/doc/40052 Log: Add page detailing the FreeBSD infrastructure security compromise, announced November 2012. Approved by: core, so (simon, blanket) Added: head/en_US.ISO8859-1/htdocs/news/2012-compromise.xml (contents, props changed) Modified: head/en_US.ISO8859-1/htdocs/news/Makefile Added: head/en_US.ISO8859-1/htdocs/news/2012-compromise.xml ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/en_US.ISO8859-1/htdocs/news/2012-compromise.xml Sat Nov 17 10:02:22 2012 (r40052) 
@@ -0,0 +1,217 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE html PUBLIC "-//FreeBSD//DTD XHTML 1.0 Transitional-Based Extension//EN" +"http://www.FreeBSD.org/XML/doc/share/xml/xhtml10-freebsd.dtd" [ +<!ENTITY title "FreeBSD.org intrusion announced November 17th 2012"> +]> + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <title>&title;</title> + + <cvs:keyword xmlns:cvs="http://www.FreeBSD.org/XML/CVS">$FreeBSD$</cvs:keyword> + </head> + + <body class="navinclude.about"> + + <table class="tblbasic"> + <tbody> + <tr> + <td><h2 align="center"><a name="announce">Security Incident on + FreeBSD Infrastructure</a></h2> + + <b>From:</b> FreeBSD Security Officer <security-officer@FreeBSD.org><br /> + <b>To:</b> FreeBSD Security <FreeBSD-security@FreeBSD.org><br /> + <b>Bcc:</b> freebsd-announce@freebsd.org, freebsd-security-notifications@FreeBSD.org<br /> + <b>Reply-To:</b> secteam@FreeBSD.org<br /> + <b>Subject:</b> Security Incident on FreeBSD Infrastructure<br /> + + <p>On Sunday 11th of November, an intrusion was detected on two + machines within the FreeBSD.org cluster. The affected machines + were taken offline for analysis. Additionally, a large portion + of the remaining infrastructure machines were also taken offline + as a precaution.</p> + + <p>We have found no evidence of any modifications that would put + any end user at risk. However, we do urge all users to read the + report available at + <a href="/news/2012-compromise.html">http://www.freebsd.org/news/2012-compromise.html</a> + and decide on any required actions themselves. We will continue + to update that page as further information becomes known. We do + not currently believe users have been affected given current + forensic analysis, but we will provide updated information if + this changes.</p> + + <p>As a result of this event, a number of operational security + changes are being made at the FreeBSD Project, in order to + further improve our resilience to potential attacks. 
We plan, + therefore, to more rapidly deprecate a number of legacy services, + such as cvsup distribution of FreeBSD source, in favour of our + more robust Subversion, freebsd-update, and portsnap models.</p> + + <p>More information is available at + <a href="/news/2012-compromise.html">http://wwww.freebsd.org/news/2012-compromise.html</a></p> + + <p>Saturday November 17th, 2012</p> + </td> + </tr> + </tbody> + </table> + <br /> + + <h2><a name="toc">Table of Contents</a></h2> + + <ul> + <li><a href="#announce">Announcement</a></li> + <li><a href="#details">Initial Details</a></li> + <li><a href="#impact">What is the Impact?</a></li> + <li><a href="#done">What has FreeBSD.org done about this?</a></li> + <li><a href="#recommend">Recommendations</a></li> + </ul> + + <p>More details will be added here as they become available.</p> + + <h2><a name="details">Initial details</a></h2> + + <p>On Sunday 11th November 2012, two machines within the FreeBSD.org + infrastructure were found to have been compromised. These machines + were head nodes for the legacy third-party package building + infrastructure. It is believed that the compromise may have occurred + as early as the 19th September 2012.</p> + + <p>The compromise is believed to have occurred due to the leak of an + SSH key from a developer who legitimately had access to the machines + in question, and was not due to any vulnerability or code exploit + within FreeBSD.</p> + + <p>To understand the impact of this compromise, you must first + understand that the FreeBSD operating system is divided into two + parts: the "base" maintained by the FreeBSD community, and a large + collection of third-party "packages" distributed by the Project. + The kernel, system libraries, compiler, core command-line tools + (e.g., SSH client), and daemons (e.g., sshd(8)) are all in the + "base". 
Most information in this advisory refers only to + third-party packages distributed by the Project.</p> + + <p>No part of the base FreeBSD system has been put at risk. At no + point has the intruder modified any part of the FreeBSD base system + software in any way. However, the attacker had access sufficient + to potentially allow the compromise of third-party packages. No + evidence of this has been found during in-depth analysis, however + the FreeBSD Project is taking an extremely conservative view on this + and is working on the assumption that third-party packages generated + and distributed within a specific window could theoretically have + been modified.</p> + + <h2><a name="impact">What is the Impact?</a></h2> + + <p>If you are running a system that has had no third-party packages + installed or updated on it between the 19th September and 11th + November 2012, you have no reason to worry.</p> + + <p>The Source, Ports and Documentation Subversion repositories have been + audited, and we are confident that no changes have been made to them. + Any users relying on them for updates have no reason to worry.</p> + + <p>We have verified the state of FreeBSD packages and releases currently + available on ftp.FreeBSD.org. All package sets for existing versions + of FreeBSD and all available releases have been validated and we can + confirm that the currently available packages and releases have not + been modified in any way.</p> + + <p>A package set for the upcoming FreeBSD 9.1-RELEASE had been uploaded + to the FTP distribution sites in preparation for 9.1-RELEASE. We are + unable to verify the integrity of this package set, and therefore it + has been removed and will be rebuilt. 
Please note that as these + packages were for a future release, the standard <q>pkg_add -r</q> + tools to install packages could not have downloaded these packages + unless they were requested explicitly.</p> + + <p>We unfortunately cannot guarantee the integrity of any packages + available for installation between 19th September 2012 and 11th + November 2012, or of any ports compiled from trees obtained via any + means other than through svn.freebsd.org or one of its mirrors. + Although we have no evidence to suggest any tampering took place + and believe such interference is unlikely, we have to recommend you + consider reinstalling any machine from scratch, using trusted + sources.</p> + + <p>We can confirm that the freebsd-update(8) binary upgrade mechanism is + unaffected, as it uses an entirely separate infrastructure. We have + also verified that the most recently-available portsnap(8) snapshot + matches the ports Subversion repository, and so can be fully trusted. + Please note that as a precaution, newer portsnap(8) snapshots are + currently not being generated.</p> + + <h2><a name="done">What has FreeBSD.org done about this?</a></h2> + + <p>As soon as the incident came to light, the FreeBSD Cluster + Administration team took the following actions:</p> + + <ul> + <li>Power down the compromised machines.</li> + <li>Power down all machines on which the attacker may have had + access.</li> + <li>Audit the SVN and Perforce repositories to: + <ul> + <li>Verify that there had been no server intrusion.</li> + <li>Verify that no malicious commits had been made to the + repository.</li> + <li>Verify that the SVN repository exactly matched a known-clean + off-site copy.</li> + </ul> + </li> + <li>Verify that all FreeBSD base release media and install files on + the master FTP distribution sites are clean.</li> + <li>Verify all package sets available have checksums that match + known-good copies stored off-site.</li> + <li>The package set built for the upcoming 
9.1-RELEASE did not have + an offsite backup to verify against. These have been deleted, and + will be rebuilt before 9.1 is released.</li> + <li>All suspect machines are being either reinstalled, retired, or + thoroughly audited before being brought back online.</li> + </ul> + + <h2><a name="recommend">At this time, we recommend:</a></h2> + + <ul> + <li>If you use the already-deprecated cvsup/csup distribution + mechanisms, you should stop now.</li> + <li>If you were using cvsup/csup for ports, you should switch to + portsnap(8) right away. ports developers should be using + Subversion already. Further information on preferred mechanisms + for obtaining and updating the ports tree can be found at + <a href="/doc/handbook/ports-using.html"> + http://www.freebsd.org/doc/handbook/ports-using.html</a></li> + <li>If you were using cvs/anoncvs/cvsup/csup for src, you should + consider either freebsd-update(8) for signed binary distribution + or Subversion for source. Please see the chapter on <a + href="/doc/handbook/updating-upgrading.html">updating + FreeBSD from source</a> in the handbook. Further details on + using Subversion and a list of official mirrors can be found + at <a href="/doc/handbook/svn.html"> + http://www.freebsd.org/doc/handbook/svn.html</a></li> + <li>If you use portsnap(8), you should <tt>portsnap fetch && + portsnap extract</tt> to the most recent snapshot. The most recent + portsnap(8) snapshot has been verified to exactly match the audited + Subversion repository. Please note that as a precaution, portsnap(8) + updates have been suspended temporarily.</li> + <li>Follow best practice security policies to determine how your + organization may be affected.</li> + <li>Conduct an audit of your system that uses FreeBSD.org provided + binary packages. Anything that may have been installed during the + affected period should be considered suspect. 
Although we have no + evidence of any tampering of any packages, you may wish to consider + rebuilding any affected machine from scratch, or if that is not + possible, rebuild your ports/packages.</li> + </ul> + + <p>If you have any further questions about this announcement, please + contact the <a href="mailto:FreeBSD-security@FreeBSD.org"> + FreeBSD-security@FreeBSD.org</a> mailing list, or for questions + where public mailing list distribution is inappropriate, + please contact the <a href="mailto:secteam@FreeBSD.org">FreeBSD + Security Team</a>.</p> + + <p>This page will be updated as further information is known.</p> + </body> +</html> Modified: head/en_US.ISO8859-1/htdocs/news/Makefile ============================================================================== --- head/en_US.ISO8859-1/htdocs/news/Makefile Sat Nov 17 06:02:41 2012 (r40051) +++ head/en_US.ISO8859-1/htdocs/news/Makefile Sat Nov 17 10:02:22 2012 (r40052) @@ -24,6 +24,9 @@ DOCS+= press-rel-9.xml # The yearly State of the Union address DOCS+= sou1999.xml +# Details of the FreeBSD.org 2012 Infrastructure compromise +DOCS+= 2012-compromise.xml + INDEXLINK= news.html DEPENDSET.DEFAULT= transtable news press