[UNIX] Red Hat 7.2 GnuPG signed RPM verification fails on distribution files

From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Red Hat 7.2 GnuPG signed RPM verification fails on distribution files
Message-Id: <20011023183302.E2204138BF@mail.der-keiler.de>
Date: Tue, 23 Oct 2001 20:33:02 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Red Hat 7.2 GnuPG signed RPM verification fails on distribution files
------------------------------------------------------------------------

SUMMARY

Red Hat 7.2 distribution files on popular FTP sites such as
ftp.ibiblio.org and mirrors.hpcf.upr.edu are not signed. It is unlikely
that this is an attack: with this many sites involved, someone would
probably have noticed and notified the community. Either Red Hat did
not sign these packages, or someone subverted the distribution process
before the files reached the various sites. For Red Hat 7.1, by contrast,
all files were correctly signed with the Red Hat GnuPG security key.

DETAILS

Vulnerable systems:
Red Hat version 7.2

Immune systems:
Red Hat version 7.1 and prior

Impact:
An attacker can create RPMs that look no different from the real ones,
since the legitimate packages are not signed either. Obtaining the MD5 sums
of the files from a trusted location is very difficult.

Red Hat has released Red Hat 7.2, a much-anticipated release. Typically,
all the RPM distribution files are signed, making it very easy to verify
their integrity. Since numerous packages are not signed, it becomes
trivial for an attacker to replace packages on a distribution site with no
one being able to easily verify that they have been subverted. The attacker
would not even need to modify or add files to the package; instead, a
preinstall, postinstall, preuninstall, or postuninstall script could be
added that is capable of compromising the system, since these scripts run
with root privileges. Unsigned packages include rpmdb-redhat and
redhat-release.

Solutions and workarounds:
None available. Red Hat needs to sign the packages properly with GnuPG.
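As an added example that is not part of the advisory: a POSIX shell check that classifies `rpm -K` (`--checksig`) output and flags packages carrying only an MD5 digest and no GnuPG signature, so an administrator can spot unsigned or unverifiable files before installing them. It assumes the rpm 4.0-era output format shown in the comments; the sample output and package versions are constructed.

```shell
#!/bin/sh
# Added example, not code from the advisory. Assumed rpm 4.0-era `rpm -K` output:
#   pkg.rpm: md5 gpg OK          digest and GnuPG signature verified
#   pkg.rpm: md5 OK              digest only: the package is unsigned
#   pkg.rpm: md5 (GPG) NOT OK    signature present but does not verify
#                                (also printed when the signing key is missing)

# classify_checksig_line LINE -> prints: signed | unsigned | failed
classify_checksig_line() {
    case "$1" in
        *"NOT OK"*)                 echo failed ;;
        *" gpg "*OK|*" pgp "*OK)    echo signed ;;
        *OK)                        echo unsigned ;;
        *)                          echo failed ;;
    esac
}

# count_unsigned (reads rpm -K output on stdin) -> prints the number of
# packages that are not signature-verified; exit status 1 if non-zero.
count_unsigned() {
    n=0
    while IFS= read -r line; do
        [ "$(classify_checksig_line "$line")" = signed ] || n=$((n + 1))
    done
    echo "$n"
    [ "$n" -eq 0 ]
}

# audit_rpm_dir DIR -> runs rpm -K on every .rpm in DIR and reports anything
# that is not both digest- and signature-verified. Exit status 1 if any found.
audit_rpm_dir() {
    rc=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        out=$(rpm -K "$f" 2>&1) || true   # rpm exits non-zero on NOT OK
        s=$(classify_checksig_line "$out")
        [ "$s" = signed ] || { echo "$s: $out"; rc=1; }
    done
    return $rc
}

# Constructed sample output standing in for a real `rpm -K *.rpm` run
# (package versions are made up for illustration).
SAMPLE='redhat-release-7.2-1.noarch.rpm: md5 OK
rpmdb-redhat-7.2-1.i386.rpm: md5 OK
example-pkg-1.0-1.i386.rpm: md5 gpg OK
example-lib-2.0-1.i386.rpm: md5 (GPG) NOT OK'

printf '%s\n' "$SAMPLE" | count_unsigned || echo "unsigned or unverifiable packages present"
```

On a real mirror checkout, `audit_rpm_dir /path/to/RedHat/RPMS` performs the same check against the actual files.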

ADDITIONAL INFORMATION

The information has been provided by Kurt Seifried (kurt@seifried.org).
