The 2009 Pwnie Winner For Epic 0wnage

Red Hat Networks Backdoored OpenSSH Packages (CVE-2008-4250)

Credit: unknown

Shortly after Black Hat and Defcon last year, Red Hat noticed that not only had someone backdoored the OpenSSH packages that some of their mirrors were distributing, but managed to sign the packages with Red Hat’s own private key. Instead of revoking the key and releasing all new packages, they instead just updated the backdoored packages with clean copies, still signed by the same key, and released a shell script to scan for the MD5 checksums of the affected packages. What makes this eligible for the “mass0wnage” award is that nobody is quite sure how many systems were compromised or what other keys and packages the attackers were able to access. With very little public information available, the real casuality was the public’s trust in the integrity of Red Hat’s packages.

(CVE-2008-4250)