Difference between revisions of "DBSA:2015-0005"

From Digibase Knowledge Base
Latest revision as of 13:41, 15 June 2015

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant; please refer to the "Date" section of the header to confirm that the advisory is current for your situation.

Digibase Security Advisory - Sourceforge Download Tampering (Second Advisory)

Keywords: Sourceforge, sourceforge.net, malware, Copyright, compromise

DBSA ID: 2015-0005

Original Advisory: DBSA:2015-0002 - Please review for context

Regarding: Sourceforge Download Tampering (Second Advisory)

Writeup: Kradorex Xeron (talk) 14:19, 15 June 2015 (EDT)

Date: 2015 06 15

Last Modified: 20150615134117 by Gung-ho Gun

Who should take note: Everyone

Classification

Classification carries over from the original advisory.

Priority: HIGH

Rationale: Users must act to maintain control over what software is installed to their systems. Software publishers must act to maintain control over their software.

Severity: HIGH

Rationale: The compromised downloads may include malware that compromises user and system security.

Spread of Issue: MULTI-PLATFORM HIGH

Rationale: Since Sourceforge is a download service, any download served through it could have been modified.

Description

Sourceforge is a software repository mirroring service, owned and operated by DHI Group, Inc. (also known as "Dice Holdings"), which is used by software vendors to distribute their products on geographically distributed servers. It has been observed that Sourceforge is engaging in mass takeovers of hosted repositories without adequate, transparent review, locking software vendors out of said repositories. Once a repository has been taken over and likely compromised, the repository is held by one of the following employee accounts:

  • http://sourceforge.net/u/sf-editor/profile/

As a result, many popular software projects, in addition to other titles, have likely had their Sourceforge downloads compromised. To clarify, these software titles and the others listed in the sf-editor profiles are reputable on their own; many, if not most of them, were taken over without explicit consent from the software vendor.

Examples include (but are not limited to):

  • Firefox
  • Apache OpenOffice
  • LibreOffice
  • GIMP Image Editor for Windows (Gimp-Win)
  • Audacious
  • Audacity
  • Apache HTTPD Webserver software
  • MySQL Database Server software
  • PostgreSQL Database Server software
  • Drupal
  • Fedora Linux

Mitigation/Solution

The original advisory remains active and its Mitigation/Solution relevant.

Users are advised to discontinue downloading from the Sourceforge website unless they are experienced with checksum verification procedures and hold a vendor-issued checksum list obtained outside of Sourceforge; a checksum published on the same Sourceforge page as the download proves nothing, since whoever controls the download also controls that page. Users are advised to seek alternate downloads and to encourage software vendors that have not yet moved their hosting away from Sourceforge to do so.
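The checksum verification the advisory asks of users, as an added example that is not part of the original advisory or of any vendor's tooling. It assumes the vendor publishes its checksums in the plain text format written by sha256sum/md5sum ("<hex digest>  <filename>", one entry per line) and that this list was obtained from the vendor directly, outside Sourceforge. The file names, file contents and digests below are constructed for the demonstration; the script verifies every listed file in a download directory, reports tampered and missing files, and flags lists that only carry MD5 or SHA-1 digests.

```python
"""Verify downloaded files against a vendor-issued checksum list.

Added example, not code from the Digibase advisory or from any vendor.
Assumes the list uses the sha256sum/md5sum text format and was fetched
from the vendor's own channel, never from the Sourceforge download page.
"""
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm that produces it.
_DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# Digests that should not be relied on for release integrity.
WEAK_ALGOS = {"md5", "sha1"}


def parse_checksum_list(text):
    """Parse '<hex>  <name>' lines into {name: (algo, hex_digest)}.

    Accepts the optional '*' binary-mode marker before the file name,
    skips blank and '#' comment lines, and raises on malformed lines
    instead of silently dropping them.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: expected '<digest>  <filename>'" % lineno)
        digest, name = parts
        digest = digest.lower()
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        algo = _DIGEST_ALGOS.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("line %d: unrecognised digest %r" % (lineno, digest))
        entries[name] = (algo, digest)
    return entries


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(directory, checksum_text):
    """Return {filename: status}, status in {OK, WEAK-OK, FAILED, MISSING}."""
    results = {}
    for name, (algo, expected) in parse_checksum_list(checksum_text).items():
        # basename(): a list entry must not be able to point outside the directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_digest(path, algo)
        if not hmac.compare_digest(actual, expected):
            results[name] = "FAILED"          # content differs from what the vendor released
        elif algo in WEAK_ALGOS:
            results[name] = "WEAK-OK"         # matches, but the vendor only published MD5/SHA-1
        else:
            results[name] = "OK"
    return results


def demo():
    """Constructed scenario: one genuine file, one tampered file, one never downloaded."""
    genuine = b"pretend this is the vendor's installer\n"
    tampered = genuine + b"...plus an adware payload appended by the mirror\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "example-editor-setup.exe"), "wb") as f:
            f.write(genuine)
        with open(os.path.join(d, "example-player-setup.exe"), "wb") as f:
            f.write(tampered)
        # Constructed vendor list: SHA-256 of the files as the vendor released them.
        good = hashlib.sha256(genuine).hexdigest()
        sums = (
            "%s  example-editor-setup.exe\n"
            "%s *example-player-setup.exe\n"
            "%s  example-office.tar.gz\n"
        ) % (good, good, hashlib.sha256(b"not downloaded").hexdigest())
        return verify_downloads(d, sums)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-8s %s" % (status, name))
```

A FAILED entry means the file on disk is not what the vendor released and must not be run; WEAK-OK means the content matches but the vendor should be asked to publish SHA-256 (and ideally a detached signature) instead. Because the list is compared against the files rather than trusted blindly, the step that actually carries the security weight is where the list came from.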

References

(internal research)