Linux.com

Feature: News

Security Alert: Debian OpenSSL flaw affects many systems

By Joe Barr on May 15, 2008 (2:49:18 PM)

Well-known security researcher H. D. Moore, creator of the Metasploit Project, has posted his findings on the recently discovered Debian-packaged OpenSSL bug. Moore documents the cause of the bug and explains how easily attackers can enumerate every possible key the flawed OpenSSL implementation can generate.

According to Moore, "All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected." He also provides information and links to tools which can be used to regenerate those keys.

Moore explains that the impact of this flaw is huge, and goes beyond the Debian/Ubuntu user communities:

In the case of SSL keys, all generated certificates will need to be recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need to be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerable system. Any tools that relied on OpenSSL's PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system. The Debian and Ubuntu projects have released a set of tools for identifying vulnerable keys. You can find these listed in the references section below.

Debian and derivative distribution users can use the apt-get upgrade command to replace vulnerable keys on their systems, and Ubuntu users applying the security patches which appeared yesterday will have their weak keys replaced automatically, but as Moore points out, that doesn't solve the problems caused by weak keys being used to sign certificates or copied to other servers.

The bottom line is that if you are a Debian or Ubuntu user, you need to apply the OpenSSH/OpenSSL patches immediately and ensure that your weak keys are replaced. If you are an admin on other platforms, you need to scan for and replace any weak keys which may have arrived on your system from a site generating weak keys.
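One way to do that scan for SSH authorized_keys files, as an added example that is not part of this article or of the Debian/Ubuntu tools: each entry is parsed (options may precede the key type), the MD5 fingerprint of the key blob is computed, and the fingerprint is checked against a set of known-weak fingerprints. The blacklist here is a constructed set built from a toy key; in practice it comes from the distribution's blacklist packages. All helper names are hypothetical.

```python
import base64
import hashlib
import struct

def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Encode (e, n) as an OpenSSH ssh-rsa public key blob (string, mpint, mpint)."""
    def mpint(x: int) -> bytes:
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")  # extra byte keeps the sign bit clear
        return struct.pack(">I", len(b)) + b
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)

def fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of the key blob, the form 2008-era blacklists used."""
    d = hashlib.md5(blob).hexdigest()
    return ":".join(d[i:i + 2] for i in range(0, len(d), 2))

def parse_authorized_key(line: str):
    """Return (type, blob, comment) or None for blank, comment or unparseable lines."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    # Options such as from="..." or command="..." may precede the key type token.
    for i, tok in enumerate(tokens):
        if tok in ("ssh-rsa", "ssh-dss") and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
            return tok, blob, " ".join(tokens[i + 2:])
    return None

def audit_authorized_keys(text: str, blacklist: set):
    """Return (line_no, type, fingerprint, comment, is_weak) for every key in the file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_key(line)
        if parsed:
            ktype, blob, comment = parsed
            fp = fingerprint(blob)
            findings.append((no, ktype, fp, comment, fp in blacklist))
    return findings

# Constructed sample data: toy key values, not real keys; the "blacklist" is built here from one.
WEAK_BLOB = ssh_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
OK_BLOB = ssh_rsa_blob(65537, 0xDEADBEEFCAFEF00D42)
BLACKLIST = {fingerprint(WEAK_BLOB)}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the demo",
    'from="10.0.0.0/8",no-pty ssh-rsa ' + base64.b64encode(WEAK_BLOB).decode() + " deploy@etch-box",
    "ssh-rsa " + base64.b64encode(OK_BLOB).decode() + " alice@sarge-box",
])
```

Entries whose last field is True are the ones to remove and replace with keys generated on a patched system.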

Comments on Security Alert: Debian OpenSSL flaw affects many systems

Not all versions of Debian/Ubuntu affected

Posted by: Anonymous [ip: 151.188.247.104] on May 16, 2008 10:05 PM
We have plenty of Ubuntu Dapper boxes, and fortunately, they seem unaffected. So, if you are upgrading from Dapper to Hardy (or along the Dapper, Edgy, Feisty, Gutsy, Hardy path), then you're fine.

This is also true of any keys made with Debian Sarge. That is, if you had a Sarge box, and you did an in-place upgrade to Etch, then your keys are good, too.

However, if you did a fresh install of either Debian Etch, or Ubuntu Feisty or newer, then yes, you are affected.

Security Alert: Debian OpenSSL flaw affects many systems

Posted by: Anonymous [ip: 79.116.95.60] on May 16, 2008 11:23 PM
This was indeed one huge mistake.
The question is, how could something like this happen?

I mean, I would understand if this was about some package/software that is less known/used, but with OpenSSL?
I would have thought that *any* modifications done to *any* code that is related to cryptography/security would be peer reviewed by many.

I'm very disappointed by this.

Re: Security Alert: Debian OpenSSL flaw affects many systems

Posted by: Joe Barr on May 17, 2008 05:43 AM
It appears that Kurt Roeckx asked on the openssl-dev mailing list in 2006 about the consequences of removing the lines of code that were generating warnings, and that he did not receive a clear reply to his question. A very unfortunate event, for sure.

Re(1): Security Alert: Debian OpenSSL flaw affects many systems

Posted by: Anonymous [ip: 10.0.0.245] on May 19, 2008 11:57 AM
I reckon that's one of the reasons this particular vulnerability is so interesting: I can't justify placing blame on anyone (or at least, not exclusively).

Kurt tried to get it checked (admittedly, perhaps not to a sufficient standard, but I can't totally blame him).

The OpenSSL guys had a (cursory) look. After all, it was only really run through them on a mailing list, so it's easier to miss things.

Just can't really blame either party enough to be upset at anyone!

Re(2): Security Alert: Debian OpenSSL flaw affects many systems

Posted by: Anonymous [ip: 98.240.22.205] on May 21, 2008 01:57 PM
Ah... yet another "Blameless Society" comment. The bug was and is Kurt's fault. If he simply stands up and says "Yep, I screwed the pooch on that one", then all is forgiven and we get on with life. If not, then we can keep scuttling around and whining. Your key point was "... perhaps not to a sufficient standard ...". Since Ubuntu is vitally important to the entire computing world -- not just the Linux folks -- we absolutely must keep our standards high and reflective of our skills. Remember, as if you are not already reminded continuously, that Ubuntu has become the new Windows -- not the failed, kludged, hag-ridden product of Little Billy's duplicitous mind, but a New Standard of Excellence in the Desktop world. I have seen with my own four eyes Windows users, whose experiences with Little Billy's dreck go back to v.1, actually remove all vestiges of Billy's Coruscation and exclusively use Ubuntu. Let us continue to improve Ubuntu until it crushes Little Billy into a scattered and noisome puddle of blood and brain materials ground into the earth by an iron-shod boot heel.

Ah yes, and I am posting Anon because my identity is very well known, and posting under my real name (which I almost always do) would be detrimental to our Community.

Re(3): Security Alert: Debian OpenSSL flaw affects many systems

Posted by: Joe Barr on May 21, 2008 05:19 PM
I am posting anonymously because....

Yeah, right.

Security Alert: Debian OpenSSL flaw affects many systems

Posted by: Anonymous [ip: 84.235.43.249] on May 21, 2008 08:55 PM
I think there's no need to blame anyone here... most users like me need a solution to this matter... don't you think?
