FreeBSD is warning users of the open source UNIX-like operating system about a compromise of a pair of servers used to build third-party software. The organization said attackers had sufficient access to affect third-party packages distributed by the project and suggests that any software installed between Sept. 19 and Nov. 11 be updated.
“No evidence of this has been found during in-depth analysis, however the FreeBSD Project is taking an extremely conservative view on this and is working on the assumption that third-party packages generated and distributed within a specific window could theoretically have been modified,” the project said in a statement.
FreeBSD said its base code, which includes the kernel, system libraries, compiler, core command-line tools and daemons, are maintained separately from the compromised servers and are not impacted.
The project said it has been auditing its code since discovering the breach on Nov. 11 and is confident no alterations were made. However, organizers said they were not able to verify the integrity of a FreeBSD package for its upcoming 9.1-RELEASE that was available on the project’s FTP site; they have since removed it and it will be rebuilt.
FreeBSD said in its advisory that it will make a number of operational security changes. The most important could be the decision to forgo cvsup as a means of distributing updates in favor of Subversion, a more robust package according to the project.
FreeBSD said the attackers used a stolen SSH key to access the infrastructure. The key was leaked by a developer who has access to the machines in question. The intrusion was discovered on Nov. 11. The affected servers were immediately taken offline and code repositories audited, as well as FreeBSD release media and install files on the FTP site.
“All suspect machines are being either reinstalled, retired, or thoroughly audited before being brought back online,” the advisory said.
FreeBSD recommends organizations using the OS stop using cvsup for code distribution and if using cvsup for ports, to switch to portsnap(8) and to move to Subversion.
“Although we have no evidence of any tampering of any packages, you may wish to consider rebuilding any affected machine from scratch, or if that is not possible, rebuild your ports/packages.” FreeBSD said.
According to W3Techs, 1.1 percent of websites use FreeBSD; 64.3 percent use UNIX.