Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Sourceforge Download Tampering (Second Advisory)

Keywords: Sourceforge, sourceforge.net, malware, Copyright, compromise

DBSA ID: 2015-0005

Original Advisory: DBSA:2015-0002 - Please review for context

Regarding: Sourceforge Download Tampering (Second Advisory)

Writeup: Kradorex Xeron (talk) 14:19, 15 June 2015 (EDT)

Date: 2015 06 15

Last Modified: 20150615142354 by Kradorex Xeron

Who should take note: Everyone

Classification

Classification carries from original advisory

Priority: HIGH

Rationale: Users must act to maintain control over what software is installed to their computers, software publishers must act to maintain control over their software.

Severity: HIGH

Rationale: The compromised downloads may include malware that may compromise user security.

Spread of Issue: MULTI-PLATFORM HIGH

Rationale: Since Sourceforge is a download service, any download provided could have been modified.

Description

Sourceforge is a software repository mirroring service owned and operated by DHI Group, Inc. (also known as "Dice Holdings") that is used by software vendors to distribute their software on geographically distributed servers. It has been observed that that Sourceforge is engaging in mass-takeovers of hosted repositories without adequate, transparent review, locking software vendors out of said repositories. Once a repository has been taken over and likely compromised, the repository is held by one of the following employee accounts:

• http://sourceforge.net/u/sf-editor/profile/
• http://sourceforge.net/u/sf-editor1/profile/
• http://sourceforge.net/u/sf-editor2/profile/
• http://sourceforge.net/u/sf-editor3/profile/

To that end, it can be observed that many popular software projects have had their Sourceforge downloads likely compromised in addition to other titles. To clarify, these software titles and others listed in the sf-editor profiles are reputable on their own, and many, if not most of them were taken without explicit consent of the software vendor.

Examples (but not limited to):

• Firefox
• Apache OpenOffice
• LibreOffice
• GIMP Image Editor for Windows (Gimp-Win)
• Audacious
• Audacity
• Apache HTTPD Webserver software
• MySQL Database Server software
• PostgreSQL Database Server software
• Drupal
• Fedora Linux

Mitigation/Solution

The original advisory remains active and its Mitigation/Solution relevant.

Users are advised to discontinue use of the Sourceforge website for downloads unless experienced with software checksum verification protocols and equipped with a vendor-issued checksum lists provided outside of Sourceforge. It is advised to seek alternate downloads and to encourage software vendors that haven't changed their hosting arrangements away from Sourceforge to do so.

References

(internal research)