The infrastructure of the Fedora Project was compromised over the weekend and an account belonging to a Fedora contributor was taken over by an attacker. However, Fedora officials said they don’t believe that the attacker was able to push any changes to the Fedora package system or make any actual changes to the infrastructure.
The attack appears to have targeted one specific user account, which had some high-value privileges. The attacker was able to compromise the account externally, and then had the ability to connect remotely to some Fedora systems. The attacker also changed the account’s SSH key, Fedora officials said.
The compromise could have been far worse, as the hacked account had push access to the Fedora SCM and could perform builds and make changes to Fedora packages. But, significantly, the Fedora Infrastructure Team’s investigation didn’t find that the intrusion resulted in any changes to the Fedora software itself.
“Based on the results of our investigation so far, we do not believe that any Fedora packages or other Fedora contributor accounts were affected by this compromise,” Jared Smith, the Fedora project leader, said in an email to the Fedora Project mailing list. “While the user in question had the ability to commit to Fedora SCM, the Infrastructure Team does not believe that the compromised account was used to do this, or cause any builds or updates in the Fedora build system. The Infrastructure Team believes that Fedora users are in no way threatened by this security breach and we have found no evidence that the compromise extended beyond this single account.”
Fedora is a free operating system project sponsored by Red Hat.
The attack came to light over the weekend when one of the Fedora contributors got an email saying that his account details had been modified. The contributor knew that he had not changed his account settings, so he contacted the Fedora Infrastructure Team, which investigated the incident and found that the account had been compromised. Once the investigation began, the team took snapshots of all of the systems that the hacked account had access to, locked down the account itself and then audited the systems the account had privileges on, including SSH and the Fedora Account System.
“We are still performing a more in-depth investigation and security audit and we will post again if there are any material changes to our understanding,” Smith said.