[tripleo][core] gerrit breach and auditing all tripleo commits since Oct 01
Marios Andreou
marios at redhat.com
Wed Oct 21 14:52:10 UTC 2020
On Wednesday, October 21, 2020, Jeremy Stanley <fungi at yuggoth.org> wrote:
> On 2020-10-21 15:02:54 +0300 (+0300), Marios Andreou wrote:
> [...]
> > I don't think we need to worry that it was 'one of our accounts'
> > that was compromised, at least I expect we would have known by now
> > if there was any indication that this is the case.
> >
> > The main concern is if the compromised admin account made any
> > commits at all. So the immediate check is to make sure that all
> > those commits were in fact merged by 'one of us' and not by any
> > unknown account.
> [...]
>
> Not quite. The main concern is that the attacker had access (via an
> account in Gerrit's Administrators group) to add their own SSH key
> or view/add/change the REST API key for any user of the service, so
> could in theory have proposed a change masquerading as a regular
> member of your team, +2'd it as another member of your team, and
> approved it as yet a third member of your team, without necessarily
> raising suspicion. While we consider this unlikely, it was entirely
> possible for the first few weeks of this month.
>
> Per my other reply on this thread, we already checked that every
> commit corresponds to a change in Gerrit, so it should be sufficient
> to just skim the last few week's changes and make sure you remember
> reviewing/approving them.
I see.... hm potentially much more malicious than I thought then. Thanks
for the clarification - I've mainly been checking that the merges were from
known tripleo cores.
Rather it should be that each core should check the reviews merged by their
account ID and make sure it corresponds to a valid +A that they (possibly)
recall doing.
I think we should be mostly done for tripleo ... my original list at
https://gist.github.com/marios/d1b774c827769373b67d3988105140dd contains
duplicates as i found so far and I know a number of folks have jumped in
and started checking today. Thanks to everyone for doing that
thanks again Jeremy for clarifying what we should focus on
--
> Jeremy Stanley
>
--
_sent from my mobile - sorry for spacing spelling etc_
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20201021/398a0513/attachment-0001.html>
More information about the openstack-discuss
mailing list