Linux users who frequent the Ubuntu forums may want to change their passwords following news that an attacker was able to breach the service and its two million users.
Jane Silber, Chief Executive Officer at Canonical,the company that maintains the service, acknowledged on Friday that a known SQL injection vulnerability in Forumrunner, an add-on in the Ubuntu forums that hadn’t been patched, led to the attack.
While Silber claims that no active passwords were accessed in the breach, changing a password after incidents like this is generally viewed as a de rigueur practice.
Once in, the attacker had the ability to inject formatted SQL to the Forums database and read from any table in the database. Silber claims it appears the attacker only focused on one table in particular however: the ‘user’ table, which contains the usernames, passwords, and IP addresses of two million users. The attacker downloaded portions of the table, Silber claimed, but cautioned that in addition to being old, the passwords were also hashed and salted ‘random strings,’ something that could make decoding them more difficult.
Silber claims Ubuntu is certain the attacker wasn’t able to access any code belonging to the operating system, its update mechanism, or access any valid user passwords.
Silber is less certain – but believes the attacker was not able to escalate past remote SQL read access, gain remote SQL write access, gain shell access to the Forums database, gain shell access to the Forums servers, or gain access to any other Canonical or Ubuntu services.
Canonical began looking into the incident last Thursday, when a member of the Ubuntu Forums Council informed the company’s information security team that someone claimed they had a copy of the Forums database. The team took the site down for a period of time after the company was able to confirm there was a leak.
Silber claims Ubuntu has backed up all servers running vBulletin, the forum software package it runs, and “wiped them clean and rebuilt them from the ground up.” The also brought the platform to the latest patch level and reportedly improved their monitoring of the software, to ensure that patches are applied promptly.
It also reset all system and database passwords and installed ModSecurity, an open source web application firewall.
It’s the second major breach to hit Ubuntu’s Forums in the last couple of years. Nearly three years ago to the day, attackers exploited a cross-site scripting vulnerability to make off with the usernames, passwords, and email addresses of 1.8 million members. Like last week’s breach, the company claimed the information was encrypted with a MD5 hashing algorithm and per-user cryptographic salt.
vBulletin, a popular forum software, has been a target for hackers over the years. Attackers leveraged a zero day in several versions of the platform several years ago to compromise the forums of both MacRumors.com and vBulletin. The scope of the MacRumors attack was much smaller than the Ubuntu breaches; only 860,000 encrypted passwords were leaked.
Attackers also hit VerticalScope, which develops and operates online communities and forums, last month and made off with 40 million credentials after exploiting outdated vBulletin software.