The mail server hosting the members-only security mailing list “Vendor-Sec” for open source Linux vendors has been severely damaged, shutting down the list for the time being. Much of the information on the list was under embargo, offering a direct source of exploits for unpatched vulnerabilities in Linux and BSD.

Hackers compromised a private email list used by distributors of open source software to discuss security vulnerabilities, and then forced the list to shut down. The "Vendor Sec" security list was used by Linux and BSD distributors and developers to discuss potential security vulnerabilities in the kernel, libraries, or applications.

An unknown attacker opened up a backdoor to the mail server hosting the list and was able to sniff all email traffic, wrote Marcus Meissner, the moderator of the mailing list, in a message to the OSS Security mailing list on Mar. 3. Even though Meissner closed that particular hole, the attacker managed to re-enter and destroy the server a day later.

As a result, Meissner decided to not resurrect the server or the mailing list.  He wrote on March 4, "So everyone please consider [email protected]….de is dead and gone at this point, successors (or not) will hopefully result out of this discussion."

Meissner detected the original breach in late February, but, he wrote in the first note informing members of the breach, the timestamp on the logs indicates the break-in may have occurred on Jan. 20. However, he acknowledged there was a possibility the breach may have existed before Jan. 20. He also said he didn't know how the attacker had managed to compromise the machine.

The attacker likely used the security backdoor to examine email traffic and capture confidential information about security vulnerabilities found in free and open source products, Meissner said.

Members use the list to coordinate release schedules for security updates and patches resolving bugs. Much of the information on the list was under embargo to give vendors time to close their holes. This is valuable information for criminals, as the list was a direct source of exploits for unpatched vulnerabilities in Linux and BSD.

In his Mar. 3 note, Meissner said the system hosting the mail server was "quite old" and the administrators, including himself, no longer had the time to keep the machine secure. He'd disabled the backdoor, but said he expected it to reappear as he was still unclear as to the actual attack path taken by the attacker.

He suggested moving the list to another server and proposed using Gnu Privacy Guard, an open-source implementation of the PGP (Pretty Good Privacy) encryption standard for email. This would enable all email messages on the list to be signed and encrypted, wrote Meissner. Until the move, he recommended that embargoed issues not be sent to the list.

The attacker re-entered the server shortly after Meissner's email, then "went amok and destroyed the machine installation," Meissner wrote in a follow-up note. With the system out of commission, Meissner decided to not try to repair the machine or move to the new host.

Rethinking Vendor-Sec

Meissner suggested the community discuss whether there should be any changes in how the closed list was set up and managed. Meissner also questioned whether there was any need for this kind of a closed mailing list, considering there are other mailing lists such as OSS Security. He also noted that many projects are beginning to be more active about doing their own management, so the usefulness of the list may have "diminished."

There were about 80 to 100 people from both commercial and non-commercial firms on the mailing list, Meissner said, "making leaks by members always a possibility." Access to the list had beeen provided on request.

Fahmida Rashid is a writer for our sister publication eWEEK.

This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.