Linux distributor Debian revealed this week that a major security flaw in the Linux kernel enabled the electronic attack that compromised four of its servers in late November. The flaw lets attackers with reduced privileges on a Linux machine escalate their privileges and gain access to the entire system.
According to Debian, attackers compromised at least four of its servers, including the machines responsible for its bug-tracking system, mailing lists, Web sites, and security components. Attackers first compromised a Debian developer's desktop machine and installed a key sniffer application that remotely recorded the developer's keystrokes. That program let the attackers obtain the password to one of Debian's servers when the developer logged on to upload a file. They then used the Linux security vulnerability to escalate the developer's privileges and "own" the system as a root, or administrator-level, account.
Debian once again assured users that the attack didn't affect its Linux code base. "Fortunately, we require developers to sign \[their software\] uploads digitally," Martin Schulze, a member of The Debian Project, said. "These files are stored off-site as well, \[and\] were used as a basis for a recheck." Meanwhile, Debian has locked all developer access to its servers while the company searches for the source of the attack, which is still unknown 2 weeks later.
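The recheck Schulze describes rests on two things: a trusted copy of the upload manifest kept off the compromised hosts, and a comparison of every on-site file against it. The following added example (not Debian's own tooling, and not from the article) shows that comparison step in Python with only the standard library. It assumes a `sha256sum`-style manifest whose detached signature has already been verified out of band (for instance with `gpg --verify`) before the manifest is trusted; the repository layout, file names and contents in `demo()` are constructed for illustration.

```python
"""Recheck on-site files against a trusted, off-site manifest of digests."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large archives don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'sha256sum' style lines: '<hex digest>  <relative path>'.

    The manifest must come from the off-site copy (assumption: its signature
    was verified before this runs); a manifest read from the suspect host
    could have been rewritten along with the files it describes.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(None, 1)
        entries[rel.strip()] = digest.lower()
    return entries


def recheck(repo_dir, manifest):
    """Classify every path as ok / modified / missing / unexpected.

    'unexpected' matters as much as 'modified': a file that is not in the
    signed manifest was never an authorised upload, whatever its contents.
    """
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    on_site = set()
    for root, _, files in os.walk(repo_dir):
        for name in files:
            full = os.path.join(root, name)
            on_site.add(os.path.relpath(full, repo_dir).replace(os.sep, "/"))
    for rel, expected in manifest.items():
        if rel not in on_site:
            result["missing"].append(rel)
            continue
        actual = sha256_file(os.path.join(repo_dir, rel))
        bucket = "ok" if actual == expected else "modified"
        result[bucket].append(rel)
    result["unexpected"] = sorted(on_site - set(manifest))
    for key in result:
        result[key].sort()
    return result


def demo():
    """Constructed scenario: three authorised uploads, then tampering on-site."""
    with tempfile.TemporaryDirectory() as d:
        uploads = {
            "pool/a.tar.gz": b"alpha",
            "pool/b.tar.gz": b"bravo",
            "pool/c.tar.gz": b"charlie",
        }
        for rel, data in uploads.items():
            path = os.path.join(d, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # The manifest is taken while the files are known-good, standing in
        # for the signed, off-site copy.
        manifest_text = "\n".join(
            f"{sha256_file(os.path.join(d, rel))}  {rel}" for rel in uploads
        )
        # Simulated damage on the on-site copy: one file altered, one removed,
        # one file added that no developer ever signed.
        with open(os.path.join(d, "pool/b.tar.gz"), "wb") as f:
            f.write(b"bravo-altered")
        os.remove(os.path.join(d, "pool/c.tar.gz"))
        with open(os.path.join(d, "pool/extra.tar.gz"), "wb") as f:
            f.write(b"not in manifest")
        return recheck(d, parse_manifest(manifest_text))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:10s} {paths}")
```

Running the block prints one line per category; anything outside `ok` is a file that must be restored from the signed originals rather than trusted. The digest list alone proves nothing if it was stored on the same host the attacker controlled, which is why the article's point about keeping the signed uploads off-site is the part that does the work.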
Most astonishingly, Linux maintainers discovered the flaw that led to the Debian attack way back in September but fixed it only in the most recent Linux kernel version, 2.4.23, which they released last week--8 days after the Debian compromise. The wide gap between the flaw's discovery and its fix casts new doubts on open-source community claims that it can respond to problems more quickly than closed systems such as those Microsoft makes. The episode is also a major embarrassment to Linux advocates, who often passionately defend the open-source software (OSS) development model as the cure for all software ills.
But Linux backers are, naturally, downplaying the seriousness of the vulnerability that led to the attack. Linux creator Linus Torvalds noted that this type of bug isn't as serious as one that can let any user remotely access a system. "It's a local-only compromise that you can't trigger from the outside," he said in an email message that discussed the attack. "To most people, it would thus become serious only after you had some account hacked into--the bug then allows elevation of privileges." But critics warn that the problem has nothing to do with the type of vulnerability the attackers exploited but rather with how slowly the vulnerability was fixed. Imagine the outcry from the open-source community if Microsoft ever waited that long between the publication of a security vulnerability and the company's delivery of a fix.