Dario Lesca
2017-Jun-30 15:47 UTC
[CentOS] [Fwd: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?]
Do you know this? Dario ------- Messaggio inoltrato ------- Da: stan <stanl-fedorauser at vfemail.net> Reply-to: Community support for Fedora users <users at lists.fedoraproject.org> A: users at lists.fedoraproject.org Oggetto: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible? Data: Thu, 29 Jun 2017 15:51:43 -0700 Wikileaks released a document about an attack against CentOS / Rhel. https://wikileaks.org/vault7/#OutlawCountry Here's the text, there are some docs there also. OutlawCountry 29 June, 2017 Today, June 29th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from an user or even system administrator. The installation and persistence method of the malware is not described in detail in the document; an operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain. My first take is that this doesn't represent a very serious threat.??Do you disagree? _______________________________________________ users mailing list -- users at lists.fedoraproject.org To unsubscribe send an email to users-leave at lists.fedoraproject.org -- Dario Lesca (inviato dal mio Linux Fedora 25 Workstation)
Yves Bellefeuille
2017-Jun-30 16:11 UTC
[CentOS] [Fwd: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?]
> Do you know this?"For operational use, shell access is assumed, and root privileges are required." It's not much of a secret that you can mess with a system if you have root access... Yves Bellefeuille <yan at storm.ca>
Walter H.
2017-Jun-30 17:32 UTC
[CentOS] [Fwd: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?]
On 30.06.2017 18:11, Yves Bellefeuille wrote:>> Do you know this? > "For operational use, shell access is assumed, and root privileges are > required." > > It's not much of a secret that you can mess with a system if you have > root access... >and in case you restart the box, this hack is gone :-)
Valeri Galtsev
2017-Jun-30 17:47 UTC
[CentOS] ***SPAM*** [Fwd: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?]
On Fri, June 30, 2017 10:47 am, Dario Lesca wrote:> Do you know this? > Dario > > ------- Messaggio inoltrato ------- > Da: stan <stanl-fedorauser at vfemail.net> > Reply-to: Community support for Fedora users > <users at lists.fedoraproject.org> > A: users at lists.fedoraproject.org > Oggetto: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) > Is this credible? > Data: Thu, 29 Jun 2017 15:51:43 -0700 > > Wikileaks released a document about an attack against CentOS / Rhel. > > https://wikileaks.org/vault7/#OutlawCountryMy taxpayer's money at work ;-) ...against me that is ;-( Valeri> > Here's the text, there are some docs there also. > > OutlawCountry > 29 June, 2017 > > Today, June 29th 2017, WikiLeaks publishes documents from the > OutlawCountry project of the CIA that targets computers running the > Linux operating system. OutlawCountry allows for the redirection of all > outbound network traffic on the target computer to CIA controlled > machines for ex- and infiltration purposes. The malware consists of a > kernel module that creates a hidden netfilter table on a Linux target; > with knowledge of the table name, an operator can create rules that > take precedence over existing netfilter/iptables rules and are > concealed from an user or even system administrator. > > The installation and persistence method of the malware is not described > in detail in the document; an operator will have to rely on the > available CIA exploits and backdoors to inject the kernel module into a > target operating system. OutlawCountry v1.0 contains one kernel module > for 64-bit CentOS/RHEL 6.x; this module will only work with default > kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT > rules to the PREROUTING chain. > > > My first take is that this doesn't represent a very serious threat.????Do > you disagree? > _______________________________________________ > users mailing list -- users at lists.fedoraproject.org > To unsubscribe send an email to users-leave at lists.fedoraproject.org > -- > Dario Lesca > (inviato dal mio Linux Fedora 25 Workstation) > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Gordon Messmer
2017-Jul-01 16:40 UTC
[CentOS] [Fwd: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?]
On 06/30/2017 08:47 AM, Dario Lesca wrote:> My first take is that this doesn't represent a very serious threat. Do > you disagree?The module doesn't represent an unknown security flaw, so my inclination is to say "no." I'd also note that if your systems aren't extremely old, they probably boot via UEFI, and support Secure Boot. Such a system will not load unsigned modules.