[scripts-announce] Security incident on scripts.mit.edu this afternoon
Geoffrey Thomas
geofft at MIT.EDU
Mon Jun 27 19:05:47 EDT 2011
Hello scripts.mit.edu users,

In the interest of full disclosure we would like to let you know that we
had a security incident on scripts.mit.edu this afternoon. Around 2:50 PM
today, a user's WordPress blog with custom extensions was broken into by a
non-MIT attacker. The attacker uploaded a non-public exploit designed to
take advantage of a race condition in a "setuid root" utility, and was
able to use it to gain local root privileges on one of our servers,
whole-enchilada.mit.edu. Our security monitoring infrastructure alerted us
to the utility granting root privileges, and a scripts.mit.edu maintainer
noticed the alert immediately and was able to disconnect the machine from
the network. We promptly disabled the compromised user account as well as
the vulnerable utility on all the servers.

Later forensics on the disconnected server indicated that the root shell
did not run any significant commands before the attacker was disconnected
and the server taken offline. Given those results and the speed with which
we were able to respond, we are confident no user data was compromised in
this attack. The server in question has been taken offline so that we can
restore it to a clean state.

scripts.mit.edu takes its users' security seriously, and real-time
notification of unexpected events has long been part of our
defense-in-depth strategy against unknown or unexpected attacks. We are
happy that this was able to limit the extent of the damage. Still, in
response to this, we have already removed the setuid bit from most of the
setuid binaries on the servers, to prevent this class of attacks, and we
are working on strategies to eliminate setuid binaries without loss of
functionality. We will also be redoubling our efforts to follow security
patches in other operating systems (the particular exploit was fixed in
RHEL but not Fedora 13, despite being found and fixed by Red Hat well
within the Fedora 13 support cycle) and apply the patches to our servers.

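As an added illustration of the remediation described above (this is example code, not a script from the scripts.mit.edu team), the following POSIX shell functions audit a directory tree for setuid/setgid binaries and strip the bit from any binary that is not on an explicit allowlist. The demo tree, the two sample binaries and the allowlist file name are constructed for the example; point the functions at / as root to audit a real server.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid binaries and remove the bit from
# everything not explicitly allowlisted. Not the scripts.mit.edu team's code.

# list_setuid DIR: print every regular file under DIR with setuid or setgid set
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# strip_setuid DIR ALLOWLIST: clear setuid/setgid on each binary under DIR whose
# full path is not listed (one per line) in ALLOWLIST; prints each path changed
strip_setuid() {
    dir=$1; allow=$2
    list_setuid "$dir" | while IFS= read -r f; do
        if ! grep -qxF "$f" "$allow"; then
            chmod u-s,g-s "$f" && printf '%s\n' "$f"
        fi
    done
}

# count_setuid DIR: number of setuid/setgid files remaining under DIR
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# make_demo: build a constructed temporary tree with two setuid "binaries",
# one allowlisted (kept) and one legacy helper (stripped); prints the root path
make_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf '#!/bin/sh\necho su\n' > "$root/bin/su"
    printf '#!/bin/sh\necho legacy\n' > "$root/bin/legacy-helper"
    chmod 4755 "$root/bin/su" "$root/bin/legacy-helper"
    printf '%s\n' "$root/bin/su" > "$root/allow.txt"   # constructed allowlist
    printf '%s\n' "$root"
}

# Stand-alone run: audit the demo tree, strip, and show what remains.
if [ "${DEMO:-1}" = "1" ] && [ -z "$SETUID_AUDIT_NO_DEMO" ]; then
    ROOT=$(make_demo)
    echo "before:"; list_setuid "$ROOT"
    echo "stripped:"; strip_setuid "$ROOT" "$ROOT/allow.txt"
    echo "after:"; list_setuid "$ROOT"
    rm -rf "$ROOT"
fi
```

The allowlist is deliberately a flat file of full paths rather than a pattern match, so a review of which binaries keep the bit is a diff of one small file; on a real host the "before" listing is the inventory worth keeping alongside the alerting that caught the incident above.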
If you have any questions about this or about scripts.mit.edu security in
general, please contact us at scripts at mit.edu (our regular support/contact
address) or scripts-root at mit.edu (maintainers only, for private
information).

--
Geoffrey Thomas
SIPB scripts.mit.edu team
scripts at mit.edu