Difference between revisions of "DBSA:2015-0005"
Latest revision as of 13:41, 15 June 2015
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant; please refer to the "Date" section of the header to be sure the advisory is recent as it pertains to your situation.
Digibase Security Advisory - Sourceforge Download Tampering (Second Advisory)
Keywords: Sourceforge, sourceforge.net, malware, Copyright, compromise
DBSA ID: 2015-0005
Original Advisory: DBSA:2015-0002 - Please review for context
Regarding: Sourceforge Download Tampering (Second Advisory)
Writeup: Kradorex Xeron (talk) 14:19, 15 June 2015 (EDT)
Date: 2015 06 15
Last Modified: 20150615134117 by Gung-ho Gun
Who should take note: Everyone
Classification
Classification carries from original advisory
Priority: HIGH
Rationale: Users must act to maintain control over what software is installed to their systems. Software publishers must act to maintain control over their software.
Severity: HIGH
Rationale: The compromised downloads may include malware which may compromise user and system security.
Spread of Issue: MULTI-PLATFORM HIGH
Rationale: Since Sourceforge is a download service, any download provided could have been modified.
Description
Sourceforge is a software repository mirroring service, owned and operated by DHI Group, Inc. (also known as "Dice Holdings"), which is used by software vendors to distribute their products on geographically distributed servers. It has been observed that Sourceforge is engaging in mass-takeovers of hosted repositories without adequate, transparent review, locking software vendors out of said repositories. Once a repository has been taken over and likely compromised, the repository is held by one of the following employee accounts:
- http://sourceforge.net/u/sf-editor/profile/
- http://sourceforge.net/u/sf-editor1/profile/
- http://sourceforge.net/u/sf-editor2/profile/
- http://sourceforge.net/u/sf-editor3/profile/
As a result, many popular software projects, among other titles, have likely had their Sourceforge downloads compromised. To clarify, these software titles and the others listed in the sf-editor profiles are reputable on their own; many, if not most, of them were taken over without the explicit consent of the software vendor.
Examples include (but are not limited to):
- Firefox
- Apache OpenOffice
- LibreOffice
- GIMP Image Editor for Windows (Gimp-Win)
- Audacious
- Audacity
- Apache HTTPD Webserver software
- MySQL Database Server software
- PostgreSQL Database Server software
- Drupal
- Fedora Linux
Mitigation/Solution
The original advisory remains active and its Mitigation/Solution relevant.
Users are advised to discontinue use of the Sourceforge website for downloads unless they are experienced with software checksum verification procedures and equipped with a vendor-issued checksum list provided outside of Sourceforge. Users are also advised to seek alternate downloads and to encourage software vendors that have not yet moved their hosting away from Sourceforge to do so.
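The checksum verification the mitigation refers to, as an added example that is not part of the advisory: the script checks a downloaded file against a SHA256SUMS-style list assumed to have been obtained from the vendor's own site rather than the mirror, and treats a file the vendor never listed as just as suspect as a digest mismatch. File names, contents and the sample list are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_checksum_list(text: str) -> dict:
    """Parse a sha256sum-style list ("<hex>  <name>" or "<hex> *<name>") into {name: hex}."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.lstrip(" *")  # sha256sum marks binary-mode entries with a leading '*'
        if len(digest) == 64 and set(digest) <= set("0123456789abcdef"):
            digests[name] = digest  # malformed entries are skipped, never trusted
    return digests

def sha256_file(path: Path) -> str:
    """Stream the file so large installers don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path: Path, checksum_list: str) -> str:
    """Return 'ok', 'mismatch' or 'unlisted'; only 'ok' files should be installed."""
    expected = parse_checksum_list(checksum_list).get(path.name)
    if expected is None:
        return "unlisted"  # a file the vendor never published is as suspect as a bad digest
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

VENDOR_LIST = """# SHA256SUMS (constructed sample of a list fetched from the vendor's own site, not the mirror)
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  tool-1.0.tar.gz
"""

def demo() -> tuple:
    """Constructed downloads: a genuine copy, an altered copy, and a file the vendor never listed."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor, mirror = Path(tmp, "vendor"), Path(tmp, "mirror")
        vendor.mkdir(); mirror.mkdir()
        (vendor / "tool-1.0.tar.gz").write_bytes(b"hello\n")      # matches the published digest
        (mirror / "tool-1.0.tar.gz").write_bytes(b"hello\n\x00")  # altered after publication
        (mirror / "tool-1.1.tar.gz").write_bytes(b"hello\n")      # name absent from the list
        return tuple(verify_download(p, VENDOR_LIST) for p in
                     (vendor / "tool-1.0.tar.gz", mirror / "tool-1.0.tar.gz", mirror / "tool-1.1.tar.gz"))
```

Running `demo()` returns `('ok', 'mismatch', 'unlisted')`; in practice only the first outcome should be installed.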
References
(internal research)