At the core of all Linux based operating systems is the Linux kernel, which is developed by a global community of developers, with the kernel.org website as a key piece of infrastructure.
Kernel.org maintainers admitted on Wednesday that their infrastructure had been hacked via a compromised user credential. According to Kernel.org's disclosure, the attackers were able to modify files as well as add a Trojan startup file. Kernel.org isn't pushing the panic button, however, thanks to the inherent security of the overall Linux kernel development process.
"The Linux community and kernel.org take the security of the kernel.org domain extremely seriously, and are pursuing all avenues to investigate this attack and prevent future ones," Kernel.org stated. "However, it's also useful to note that the potential damage of cracking kernel.org is far less than typical software repositories."
The Linux kernel is developed with the git distributed version control system which includes a SHA-1 cryptographic for each file in the kernel. Since the system is also distributed across the global community of kernel contributors, any changes are supposed to be easily identified.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"Any tampering with any file in the kernel.org repository would immediately be noticed by each developer as they updated their personal repository, which most do daily," Kernel.org stated.
While the impact of the attack is limited, kernel.org developers did not immediately discover the attack. The attack was uncovered on August 28th by kernel.org maintainers but, in an email sent by kernel.org maintainer John 'Warthog9' Hawley to kernel.org users, he admitted the break-in occurred no later than August 12th. That means that kernel.org community was unaware of the attack for at least 17 days.
Hawley noted that as many as five kernel.org servers including their hera, odin1, demeter2, zeus1 and zeus2 boxes were hit by the exploit.
"At this time we do not know the vector that was used to get into the systems, but the attackers had gained root access level privileges," Hawley wrote.
Kernel.org is now working with their users to issue new SSH keys and credentials. They are also working on auditing the overall system to see how to make kernel.org more secure overall.
The kernel.org breach isn't the first time Linux infrastructure has been attacked. Back in 2008, there was breach in the Fedora Linux infrastructure that delayed the release of Fedora 10. Going back even further, Debian Linux was hacked in 2003.