This repository has been archived by the owner on Jan 31, 2019. It is now read-only.
Summary
If you ever had a user account with the Kanso package repository, it is
possible that an attacker has gained access to the following details about
your account:
Username
A salted, non-iterated SHA1 password hash
If you reused your Kanso password elsewhere you should change your
password on other services immediately.
Detail
In Feb 2015, hosting of the Kanso repository was transferred from a self-hosted
site (kan.so) to a donated third-party mirror. This server is now being retired.
Based upon our preliminary analysis, we believe that a remote attacker created
a Kanso account via an HTTP PUT request, then used their CouchDB credentials
to exploit CVE-2017-12635 (Apache CouchDB Remote Privilege Escalation) and
CVE-2017-12636 (Remote Code Execution) in combination. These two exploits
provided the attacker with arbitrary code execution as the non-root couchdb user.
Failure to apply a critical security update is the root cause. Contributing factors
include (i) human error in credential management leading to a lack of automated
monitoring and patching for the machine in question; and (ii) diffusion of responsibility
and gaps in communication between the donor organization and the project.
Approximately 52 users are potentially affected by this breach.
The attack appears to have been untargeted and relatively unsophisticated, and
employed a well-known malware payload that consumes CPU cycles to mine for
cryptocurrency.
It doesn't appear the attacker achieved root access; however, we should assume
they had access to the CouchDB databases out of an abundance of caution.
Risks
Package integrity
We compared known-good pre-exploit backups of the package database with the
latest data and found no differences. There is no sign of tampering with packages,
documentation or the Kanso homepage.
User Data
We required minimal information during sign up, namely just a username
and password. Unfortunately, the user database pre-dated CouchDB 1.3.0
(when PBKDF2 became the default) and passwords for registrations prior to
the release of CouchDB v1.3.0 were stored as salted SHA1 hashes.
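As an added illustration (not part of the original announcement and not Kanso or CouchDB code), the Python below shows how an operator could audit a `_users` dump for the legacy salted-SHA1 scheme described above and move such accounts to PBKDF2 at their next successful login, since a stored SHA1 cannot be converted without the plaintext. The field names (`password_sha`, `salt`, `password_scheme`, `iterations`, `derived_key`) and the PBKDF2-HMAC-SHA1, 20-byte, hex-encoded layout are assumed from CouchDB's documented formats; the sample users are constructed.

```python
import hashlib
import hmac
import os

def legacy_password_sha(password, salt):
    # Pre-1.3.0 scheme: hex SHA1(password + salt); one cheap hash per guess.
    return hashlib.sha1((password + salt).encode()).hexdigest()

def pbkdf2_derived_key(password, salt, iterations):
    # 1.3.0+ scheme: PBKDF2-HMAC-SHA1, 20-byte key, hex encoded (assumed layout).
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(),
                               iterations, dklen=20).hex()

def classify(doc):
    if doc.get("password_scheme") == "pbkdf2" and "derived_key" in doc:
        return "pbkdf2"
    if "password_sha" in doc:
        return "legacy-sha1"
    return "no-password"

def audit(docs):
    # Map user name -> stored scheme so legacy entries in a _users dump stand out.
    return {d["name"]: classify(d) for d in docs if d.get("type") == "user"}

def verify(doc, password):
    scheme = classify(doc)
    if scheme == "legacy-sha1":
        expected = legacy_password_sha(password, doc["salt"])
        return hmac.compare_digest(expected, doc["password_sha"])
    if scheme == "pbkdf2":
        expected = pbkdf2_derived_key(password, doc["salt"], doc["iterations"])
        return hmac.compare_digest(expected, doc["derived_key"])
    return False

def upgrade_on_login(doc, password, iterations=10):
    # A stored SHA1 cannot become PBKDF2 without the plaintext: re-hash at next login.
    if classify(doc) != "legacy-sha1" or not verify(doc, password):
        return None
    new = {k: v for k, v in doc.items() if k not in ("password_sha", "salt")}
    new["salt"] = os.urandom(16).hex()
    new.update(password_scheme="pbkdf2", iterations=iterations,
               derived_key=pbkdf2_derived_key(password, new["salt"], iterations))
    return new
# Constructed sample _users docs (not real Kanso data), hashed by the functions above.
SAMPLE_USERS = [
    {"name": "alice", "type": "user", "salt": "c0ffee00",
     "password_sha": legacy_password_sha("correct horse", "c0ffee00")},
    {"name": "bob", "type": "user", "password_scheme": "pbkdf2", "iterations": 10,
     "salt": "deadbeef", "derived_key": pbkdf2_derived_key("battery staple", "deadbeef", 10)},
]
```

Running `audit(SAMPLE_USERS)` flags alice as `legacy-sha1`; the iteration count of 10 mirrors the early default and should be raised substantially in any real deployment.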
Mitigation
The machine has been retired and no further access is possible.
If you re-used your Kanso password elsewhere you should change your
password on other services immediately. While we have no direct evidence
that password hashes were captured by any malware payload, we should
assume they were.
Help with Disclosure
As we did not require email addresses for registration, we are unable to contact
past Kanso users reliably. If you know of anyone who previously used the
Kanso package repository we would appreciate you sharing this
announcement with them.