FreeBSD shuts down servers after breach

Early last week FreeBSD users began to notice problems with accessing some servers and services from FreeBSD. The organization’s explanation was initially evasive. On November 13, it responded, “We are currently working on issues in the cluster. Please stay tuned.” Next day it appeared to blame what could only have been planned maintenance gone wrong: “The cluster machines were recently physically moved, upgraded, and generally discombobulated. We are working to fix this as fast as possible.”

Finally, on Saturday 17 November, FreeBSD announced the real problem: “On Sunday 11th November 2012, two machines within the FreeBSD.org infrastructure were found to have been compromised.” It would seem that the compromise occurred on September 19. As soon as it came to light, the admins powered down the two affected servers and all other machines that could have been affected via them.

The following day, further details were given. FreeBSD pointed out that the operating system is divided into two parts: the base operating system proper maintained by the community, and a large collection of third party applications distributed by the project. The two parts are kept on physically separate servers, and only the applications servers were affected. “No part of the base FreeBSD system has been put at risk. At no point has the intruder modified any part of the FreeBSD base system software in any way,” announced the Project.

In fact, FreeBSD has found no evidence of tampering with any of the applications either. However, it is taking what it considers a ‘conservative’ view: “We unfortunately cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012.”

The breach is believed to have occurred via the leak of an SSH key used by a legitimate application developer. “SSH, or secure shell, is the predominant remote-access protocol for non-Windows systems,” explained Paul Ducklin in the Sophos NakedSecurity blog. It allows access via public/private key pairs, with the private key hopefully password protected by the user. “In this case,” says Ducklin, “it sounds as though the attacker did manage to steal both authentication factors - key file and password - from the developer.”
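The second factor Ducklin refers to only exists if the developer actually set a passphrase on the key file. The following is an added example, not code from the article or from the FreeBSD Project, showing how an administrator can audit private key files for a missing passphrase. Both OpenSSH container formats signal encryption in their header: the legacy PEM format via a `Proc-Type: 4,ENCRYPTED` line, the `openssh-key-v1` format via the cipher name stored at the start of the base64 body. The key files used below are constructed in the code with dummy key material (only the framing is real), and the function names `key_protection`, `audit` and `make_openssh_keyfile` are this example's own.

```python
"""Audit SSH private key files for a missing passphrase (added example).

Parses the two OpenSSH private-key container formats and reports whether the
key material is encrypted (passphrase protected) or stored in the clear.
Sample key files are constructed inline with dummy payloads.
"""
import base64
import struct

PEM_LEGACY_MARKERS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN DSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)
OPENSSH_MARKER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated openssh key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated openssh key blob")
    return blob[start:end].decode("ascii"), end


def key_protection(text: str) -> dict:
    """Classify a private key file: format, whether encrypted, cipher and KDF."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key file")
    header = lines[0]

    if header in PEM_LEGACY_MARKERS:
        # Legacy PEM: encryption is announced by RFC 1421 headers after BEGIN.
        # Base64 body lines never contain ':', so the first such line ends them.
        headers = {}
        for ln in lines[1:]:
            if ":" not in ln:
                break
            name, _, value = ln.partition(":")
            headers[name.strip()] = value.strip()
        encrypted = headers.get("Proc-Type", "") == "4,ENCRYPTED"
        cipher = headers.get("DEK-Info", "none").split(",")[0] if encrypted else "none"
        kdf = "legacy-pem" if encrypted else "none"
        return {"format": "pem", "encrypted": encrypted, "cipher": cipher, "kdf": kdf}

    if header == OPENSSH_MARKER:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----END"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, off = _read_string(blob, off)
        return {"format": "openssh", "encrypted": cipher != "none", "cipher": cipher, "kdf": kdf}

    raise ValueError(f"unrecognised key header: {header}")


def audit(keyfiles: dict) -> list:
    """Return the names of key files whose private key is stored unencrypted."""
    return sorted(name for name, text in keyfiles.items()
                  if not key_protection(text)["encrypted"])


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def make_openssh_keyfile(cipher: str, kdf: str) -> str:
    """Construct an openssh-key-v1 container with a dummy payload (demo only).

    Only the cipher and KDF fields are meaningful; everything after them is
    zero filler, so the result is not a usable key.
    """
    blob = (OPENSSH_MAGIC
            + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"")                    # kdf options (filler)
            + struct.pack(">I", 1)                # number of keys
            + _ssh_string(b"\x00" * 32)           # public key (filler)
            + _ssh_string(b"\x00" * 64))          # private section (filler)
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_MARKER}\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM samples; the body is filler, not a real key.
CONSTRUCTED_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""
CONSTRUCTED_PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    samples = {
        "dev_legacy_encrypted": CONSTRUCTED_PEM_ENCRYPTED,
        "dev_legacy_plain": CONSTRUCTED_PEM_PLAIN,
        "dev_openssh_encrypted": make_openssh_keyfile("aes256-ctr", "bcrypt"),
        "dev_openssh_plain": make_openssh_keyfile("none", "none"),
    }
    for name, text in samples.items():
        print(name, key_protection(text))
    print("unprotected:", audit(samples))
```

Run against a developer's `~/.ssh` directory, this flags every key that is protected by possession alone; a key reported as `encrypted: False` is exactly the single-factor case, since anyone who copies the file can use it without also needing the passphrase.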

ITnews (Australia) comments that, “At this stage, it isn't known who the attacker was, or the motive behind the breach, which may have been fully automated.” However, with access continuing for almost two months, and no apparent damage done, it is quite possible that this was a targeted attack with the attacker waiting for the ‘right’ application to compromise. According to ITnews, FreeBSD is used by “the Juniper Networks Junos router, switch and security device operating system, Citrix Netscalers, Sandvine policy control applications, Sony Playstation 3, Panasonic TVs, Apple OS X and OS X Server, and more.”