Approximately a week ago, the Gentoo Linux organization on GitHub was broken into by a cracker who took control of an account and inserted malicious code into the project's repositories hosted there. The code was designed to delete user data. Gentoo's developers regained control quite quickly, but the incident was concerning because the payload could have done a great deal of damage to end-user installs had it been pulled and run. It is also quite rare for an entire operating system's mirror repository to be taken over.
Fortunately, the attackers were unable to cause much grief for users: GitHub only hosts a mirror, and the canonical repositories live on Gentoo's own servers. The overwhelming majority of Gentoo users sync from the official servers rather than from GitHub, so things never got hairy for them.
The distro has now revealed that the account fell under the control of an unauthorized user because an organization administrator's password was weak and easy to guess. No sophisticated attack vector was involved, and it was not an inside job; the password was simply guessable.
An entry on the Gentoo Linux wiki, subsequently picked up by a number of tech news sites, indicates that the administrator used a password scheme under which the disclosure of a password for one site made it easy to guess the passwords for other, unrelated sites where that person held accounts.
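To make that weakness concrete, the following is an added example, not code from the original article and not a reconstruction of what the attacker actually did. It shows how a single leaked password that embeds the leaking site's name reveals a template, and how that template yields a handful of guesses for an unrelated site. The site names, the password and the scheme are constructed for the illustration.

```python
import re
from typing import List, Optional

# Constructed sample: a password disclosed in a breach of one site, which
# embeds that site's name. Not a real credential.
LEAKED_SITE = "example-forum.com"
LEAKED_PASSWORD = "Tr0ub4dor!forum2017"

# Hostname labels that carry no per-site information.
GENERIC_LABELS = {"www", "com", "org", "net", "io"}


def site_tokens(site: str) -> List[str]:
    """Strings an attacker would look for as the site-specific part of a
    password: each meaningful hostname label in lower, Capitalised and
    UPPER case. Longest first, ties broken alphabetically, so the order
    is deterministic."""
    labels = [lbl for lbl in re.split(r"[.\-]", site.lower())
              if lbl and lbl not in GENERIC_LABELS]
    tokens = set()
    for lbl in labels:
        tokens.update({lbl, lbl.capitalize(), lbl.upper()})
    return sorted(tokens, key=lambda t: (-len(t), t))


def infer_template(site: str, password: str) -> Optional[str]:
    """If the password contains a token derived from the site name, return
    the password with that token replaced by the placeholder '<site>'.
    Return None when no scheme is visible from this single leak."""
    for tok in site_tokens(site):
        if tok in password:
            return password.replace(tok, "<site>", 1)
    return None


def candidates(template: str, target_site: str) -> List[str]:
    """Instantiate a template for another site: one guess per distinct
    token form of the target hostname."""
    guesses: List[str] = []
    for tok in site_tokens(target_site):
        guess = template.replace("<site>", tok)
        if guess not in guesses:
            guesses.append(guess)
    return guesses


def uses_site_scheme(site: str, password: str) -> bool:
    """Defender's check: a password that embeds the service's own name
    should be rejected, since a leak of it exposes the template above."""
    return infer_template(site, password) is not None


if __name__ == "__main__":
    tmpl = infer_template(LEAKED_SITE, LEAKED_PASSWORD)
    print("template inferred from the leak:", tmpl)
    for site in ("github.com", "mail.example.net"):
        print(site, "->", candidates(tmpl, site))
    print("policy check rejects scheme password:",
          uses_site_scheme("github.com", "Tr0ub4dor!github2017"))
```

The point is the size of the search: once the template is known, the number of guesses per target site is a few capitalisation variants, well within any login rate limit. `uses_site_scheme` is the same logic turned around as a password-policy check, which is the cheap mitigation a service can apply on its own; it does not replace two-factor authentication, which stops the guess from being sufficient even when it is right.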
Some commentators have pointed out that two-factor authentication on the organization's accounts might have prevented this attack; even so, a weak password is often an open invitation in itself. Gentoo is being very forthcoming with details and has put in place a series of new security measures that should reduce the risk of this happening again.
End-users, however, had no straightforward way to verify that their copy of the tree contained clean software. Gentoo also acknowledges that it needs to set out clearer guidance in future and explain how users can prevent a compromised system from executing code added in malicious commits.
Things could have been far worse for end-users, but Gentoo's developers and project managers have said they fully understand that a quieter attack could have given the crackers a much longer window of opportunity.