Hackers have compromised two servers used by the FreeBSD Project to build third-party software packages. Anyone who has installed such packages since Sept. 19 should completely reinstall their machines, the project's security team warned.
Intrusions on two machines within the FreeBSD.org cluster were detected on Nov. 11, the FreeBSD security team said Saturday. "The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution," said a message on the project's public announcements mailing list.
The two compromised servers acted as nodes for the project's legacy third-party package-building infrastructure, the FreeBSD Project said in an advisory posted on its website.
The incident only affected the collection of third-party software packages distributed by the project and not the operating system's "base" components, such as the kernel, system libraries, compiler or core command-line tools.
The FreeBSD security team believes the intruders gained access to the servers using a legitimate SSH authentication key stolen from a developer, and not by exploiting a vulnerability in the operating system.
Even though the team did not find any evidence of the third-party software packages being modified by the hackers, they cannot exclude this possibility.
"We unfortunately cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors," the team said. "Although we have no evidence to suggest any tampering took place and believe such interference is unlikely, we have to recommend you consider reinstalling any machine from scratch, using trusted sources."
The package sets currently available for all versions of FreeBSD have been validated and none of them have been altered in any way, the team said.
As a result of the incident, the FreeBSD Project plans to speed its process of deprecating legacy distribution services, like those based on CVSup, in favor of the more robust Subversion system. The advisory includes several recommendations about the tools users and developers should use for updates, source code copying and signed binary distribution.
This is not the first time an open-source software project had to deal with an intrusion because of compromised SSH authentication keys. In August 2009, the Apache Project was forced to shut down its primary Web and mirror servers after discovering that hackers used an SSH key associated with an automated backup account to upload and execute malicious code on some of the servers.
"This is a hearty reminder that a chain is only as strong as its weakest link," said Paul Ducklin, the head of technology for Asia Pacific at antivirus vendor Sophos, in a blog post Sunday. "In particular, never forget that the security of your internal systems may very well be no better than the security of any and all external systems from which you accept remote access -- whether those are servers, laptops or even mobile devices."