Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 in All Things Unix

Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 in All Things Unix http://www.dslreports.com/forum/r20475861 en Tue, 08 Dec 2009 22:02:35 EDT Tue, 08 Dec 2009 22:02:35 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20491998 evilghost : I walked in this morning and had this printout on my cube wall. Awesome.]]> http://www.dslreports.com/forum/remark,20491998 Fri, 16 May 2008 09:40:26 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20491855 No_Strings : "Ubuntu - Turns out distro is actually just Windows Vista wth a few custom themes."

Something some of us have suspected for a long time.]]> http://www.dslreports.com/forum/remark,20491855 Fri, 16 May 2008 09:08:47 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20491453 anon : I hope the following doesn't lower the otherwise highly admirable tone of this thread too excessively:

»xkcd.com/424/

:)]]> http://www.dslreports.com/forum/remark,20491453 Fri, 16 May 2008 06:33:27 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20484395 evilghost :

said by BeesTea

:

SSH scanning is increased considerably across the Internet.

http://www.securityfocus.com/news/11518?ref=rss

It's important to consider that simply having ssh-key auth enabled is not enough to be compromised. A user would still need to be using a vulnerable key for authentication. In practical experience, public-key is way less common than simple password auth with ssh. This means the more likely attack vector will be session keys. Considering that password auth for ssh is plain taxt pushed through the session tunnel, I'd be more worried about that. Someone sniffing TCP/22 and cracking it at their leisure would result in essentially plain text logins and passwords.

EDIT: Typo

One thing to consider would be password-less keypairs, for example, I use these at home on my trusted computers for sshfs to avoid password prompts. It's my understanding that if someone knew the compromised keypair and username they could successfully authenticate without password. ]]> http://www.dslreports.com/forum/remark,20484395 Wed, 14 May 2008 22:28:39 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20483888 BeesTea : SSH scanning is increased considerably across the Internet.

http://www.securityfocus.com/news/11518?ref=rss

It's important to consider that simply having ssh-key auth enabled is not enough to be compromised. A user would still need to be using a vulnerable key for authentication. In practical experience, public-key is way less common than simple password auth with ssh. This means the more likely attack vector will be session keys. Considering that password auth for ssh is plain taxt pushed through the session tunnel, I'd be more worried about that. Someone sniffing TCP/22 and cracking it at their leisure would result in essentially plain text logins and passwords.

EDIT: Typo]]> http://www.dslreports.com/forum/remark,20483888 Wed, 14 May 2008 21:05:54 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20483856 deblin : Nevermind, standard log messages from the brute force attackers, not necessarily anything significant to this.]]> http://www.dslreports.com/forum/remark,20483856 Wed, 14 May 2008 21:00:24 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20482838 BeesTea : H D Moore, of the Metasploit project etc, has made the following write up.

http://metasploit.com/users/hdm/tools/debian-openssl/

Of note is the FAQ

quote:
Frequently Asked Questions
Q: How long did it take to generate these keys?
A: About two hours for the 1024-bit DSA and 2048-bit RSA keys for x86. I used 31 Xeon cores clocked at 2.33Ghz. I am generating the RSA 4096-bit keys now and the total time should be about 18 hours.

Q: Will you share your code for distributing the key-generation across mulitple processors?
A: Nope. The code is hardcoded for this specific cluster and is too poorly-written to be worth cleaning up.

Q: How long does it take a crack a SSH user account using these keys?
A: This depends on the speed of the network and the configuration of the SSH server. It should be possible to try all 32,767 keys of both DSA-1024 and RSA-2048 within a couple hours, but be careful of anti-brute-force scripts on the target server.

Q: I use 16384-bit RSA keys, can these be broken?
A: Yes, its just a matter of time and processing power. For mere mortals, 4096-bit keys are already a little on the paranoid side. All possible 4096-bit keys should be available within the next day or so. It is possible to generate all combinations of 8192-bit and 16384-bit keys, but I probably have better uses for my processors :-)

Scary.

Folks, if you're not already, pay close attention to excessive connections to your crypto services like ssh, vpn, etc. ~32,000 attempts can go by fast.
--
Overpower, overcome.]]> http://www.dslreports.com/forum/remark,20482838 Wed, 14 May 2008 17:49:06 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20481839 BeesTea : That wiki entry is excellent. I'd recommend everyone read it, specifically the list of likely affected software.

Thanks for sharing!]]> http://www.dslreports.com/forum/remark,20481839 Wed, 14 May 2008 14:47:55 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20481788 evilghost : Good info here:

»wiki.debian.org/SSLkeys]]> http://www.dslreports.com/forum/remark,20481788 Wed, 14 May 2008 14:38:30 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20478228 evilghost : I'm reminded why I don't like Ubuntu when the openssh-server and openssh-client packages are held back requiring the installation of openssh-blacklist as a requirement.

Dear Ubuntu Team, I'm not going to use ssh-vulnkey to see if my system is vulnerable, I'm reissuing keys. Why is this package a requirement for the openssh-server package? Cut me a freaking break.]]> http://www.dslreports.com/forum/remark,20478228 Tue, 13 May 2008 21:40:05 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20478204 evilghost :

said by Eatmeingreek

:

Script seems to work. At least it identifies weak keys and they go away when you run evilghost

's commands.

Speaking of evilghost

Agree, rsa1 not needed, at least on this end. Edited my post, thanks for pointing this out.]]> http://www.dslreports.com/forum/remark,20478204 Tue, 13 May 2008 21:34:54 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20477776 BeesTea : Excellent feedback. Thanks!
--
Overpower, overcome.]]> http://www.dslreports.com/forum/remark,20477776 Tue, 13 May 2008 20:20:59 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20477510 djrobx : Script appears to work. Tried it against a Sarge-generated host keys and it was quiet. Tried it against a recently installed Etch server and it reported the weak keys. After upgrading and regenerating the host keys, it was quiet.]]> http://www.dslreports.com/forum/remark,20477510 Tue, 13 May 2008 19:33:16 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20477091 deblin : I don't think it (by default) supports RSA1 keys, and rightly so. They're quite insecure, relative to DSA and RSA2.
--
»hillaryis404.org/]]> http://www.dslreports.com/forum/remark,20477091 Tue, 13 May 2008 18:07:50 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20476961 Eatmeingreek : Script seems to work. At least it identifies weak keys and they go away when you run evilghost

's commands.

Speaking of evilghost

, the first line, "ssh-keygen -q -f /etc/ssh/ssh_host_key -N '' -t rsa1" creates files called "ssh_host_key" and "ssh_host_key.pub" that didn't already exist on all the Debian boxes I've tried so far. Don't think they're really needed.

Fortunately a lot of my Debian hosts started life as Sarge boxes so a lot have been unaffected so far.
--
"Be safe be suspicious"]]> http://www.dslreports.com/forum/remark,20476961 Tue, 13 May 2008 17:43:39 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20476531 deblin : I haven't tested it myself, but apparently this script can find affected keys:

»security.debian.org/project/extr···kd.pl.gz

It's a huge perl script, namely because it has the key data in the perl script itself. :)

Hope it's useful for some folks.
--
»hillaryis404.org/]]> http://www.dslreports.com/forum/remark,20476531 Tue, 13 May 2008 16:23:10 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20476262 EUS : Ugh, ssh, apache2, postfix, vsftp, I have some cleaning up to do.]]> http://www.dslreports.com/forum/remark,20476262 Tue, 13 May 2008 15:30:24 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20476012 evilghost : Glad I'm running 6.06 LTS so I don't have to deal with re-creating my Apache SSL cert, my Dovecot/Postfix .pem, and my SSH keys...]]> http://www.dslreports.com/forum/remark,20476012 Tue, 13 May 2008 14:46:05 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20476010 anon : Yes. You need to regenerate them, they're required for the security of the session setup.]]> http://www.dslreports.com/forum/remark,20476010 Tue, 13 May 2008 14:45:06 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20475992 deblin : That's going to make SO many ssh clients really, really unhappy :)

Necessary, obviously, but people are going to be seeing a lot of "man in the middle" type errors from ssh in the coming weeks. :D
--
»hillaryis404.org/]]> http://www.dslreports.com/forum/remark,20475992 Tue, 13 May 2008 14:39:36 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20475982 evilghost : I dissected the OpenSSH deb and this is the postinst script that runs to create the keys. Therefor, to recreate the host keys you can:

Dissected from postinst:
]]> http://www.dslreports.com/forum/remark,20475982 Tue, 13 May 2008 14:37:31 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20475861 refused :

quote:
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections. Keys generated with GnuPG or GNUTLS are not affected,
though.

if generated with 0.9.8c-1 or after, yah they should probably be regenerated with a fixed version. the security bulletin says the old stable version Sarge wasn't affected, so depends where your ssh keys came from and what version they came from. better safe than sorry though.
--
"Ubuntu" - an African word, meaning "Slackware is too hard for me".]]> http://www.dslreports.com/forum/remark,20475861 Tue, 13 May 2008 14:15:08 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20475827 BeesTea : For sure host keys would be vulnerable too. The public/private key exchange to build an ssh session pre-auth is almost identical to the one used for auth.

It's going to be a while before all the impact of this is fully understood I think. Thanks for pointing that out. It might be worth brain dumping all the places where SSL might get used like that.
--
Overpower, overcome.]]> http://www.dslreports.com/forum/remark,20475827 Tue, 13 May 2008 14:10:04 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20475772 evilghost : Is there any reason to regenerate the host-wide keys in /etc/ssh or just those created with ssh-keygen for use in authorized_keys?

]]> http://www.dslreports.com/forum/remark,20475772 Tue, 13 May 2008 14:00:12 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20474980 Steve :

said by Cabal

:

I know people hate to comment their code, but maybe intentionally using uninitialized memory would be a good opportunity for that sort of thing. :D

Funny you should mention that :-)]]> http://www.dslreports.com/forum/remark,20474980 Tue, 13 May 2008 11:37:16 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20474851 Cabal :

quote:
Usually it is bad to have any kind of dependency on uninitialised memory, but OpenSSL happens to include a rare case when its OK, or even a good idea: its randomness pool. Adding uninitialised memory to it can do no harm and might do some good, which is why we do it.

I know people hate to comment their code, but maybe intentionally using uninitialized memory would be a good opportunity for that sort of thing. :D
--
Interested in open source engine management for your Subaru?]]> http://www.dslreports.com/forum/remark,20474851 Tue, 13 May 2008 11:12:03 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20474685 deblin : Thanks for the info.

Just stumbled upon this. Interesting point, not sure I entirely agree with it. But certainly in this case the author makes a good point. :)
--
»hillaryis404.org/]]> http://www.dslreports.com/forum/remark,20474685 Tue, 13 May 2008 10:39:05 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20474568 BeesTea : That's the attack as I understand it exactly. Thanks!]]> http://www.dslreports.com/forum/remark,20474568 Tue, 13 May 2008 10:12:55 EDT Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20474503 Steve : Actually, I think this is waffling on the use of the term "predictable", because in the random-number business it normally means that given one number produced by the RNG, one can compute, guess, or derive another number (the previous or the following number in the series).

When this is the case, it means that if I am on the system at the same time you're generating your SSH keys or SSL session, the random number I get will be computationally "close" to the random number you get, so I might be able to figure yours out.

My ability to exploit this vaporizes rapidly with the time difference between when I get my number and you get yours increases - it requires contemporaneous access to the same RNG.

But in the Debian case, it appears to be a much worse kind of predictable: it instead means that the RNG is pulling from a too-small pool of possible numbers, and though I might not be able to determine the next or prior number in the sequence, the pool of available numbers is small enough that I can attempt to brute-force the RNGs that produced it.

I have not studied the particular use of random numbers in SSL or SSH, but this looks yucky: if I know or suspect that your key came from a vulnerable Debian system, I can make a fair run as figuring out the key and can therefore decode your SSL session. And maybe even your SSH private key. I don't need to have access to your server to exploit it.

This really smells like bad news.

Edit - You could understand this problem as similar to taking a good, valid random number and using only the lower 16 bits instead of whatever the normal size is (though I doubt the actual bug is implemented this way).

Steve — who is not an expert on this area, and might be full of baloney]]> http://www.dslreports.com/forum/remark,20474503 Tue, 13 May 2008 09:57:23 EDT Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://www.dslreports.com/forum/remark,20474302 BeesTea : http://lists.debian.org/debian-security-announce/2008/msg00152.html

quote:
Luciano Bello discovered that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other
operating systems which are not based on Debian. However, other systems
can be indirectly affected if weak keys are imported into them.

It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch. Furthermore, all DSA keys ever used
on affected Debian systems for signing or authentication purposes should
be considered compromised; the Digital Signature Algorithm relies on a
secret random value used during signature generation.

This is far reaching and potentially very bad. Key and certificate crypto relies on a good random number being used to work properly. This vulnerability means it's possible to guess all possible keys that have been generated using the affected versions of OpenSSL. Practically, this means crypto on these systems may be completely ineffective. Additionally, note that any key made with the library will carry the problem forward even if the libraries underneath have been corrected. So if you've run ssh-keygen, for example, you need to make new keys or even the updated system will still be vulnerable.

This is also going to affect Debian derived systems.

Edit: Added the bit about derivatives.
--
Overpower, overcome.]]> http://www.dslreports.com/forum/remark,20474302 Tue, 13 May 2008 09:08:11 EDT