BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000
1 edit | Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 http://lists.debian.org/debian-security-announce/2008/msg00152.html
quote:
Luciano Bello discovered that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.
This is a Debian-specific vulnerability which does not affect other
operating systems which are not based on Debian. However, other systems
can be indirectly affected if weak keys are imported into them.
It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch. Furthermore, all DSA keys ever used
on affected Debian systems for signing or authentication purposes should
be considered compromised; the Digital Signature Algorithm relies on a
secret random value used during signature generation.
This is far reaching and potentially very bad. Key and certificate crypto relies on a good random number being used to work properly. This vulnerability means it's possible to guess all possible keys that have been generated using the affected versions of OpenSSL. Practically, this means crypto on these systems may be completely ineffective. Additionally, note that any key made with the library will carry the problem forward even if the libraries underneath have been corrected. So if you've run ssh-keygen, for example, you need to make new keys or even the updated system will still be vulnerable.
This is also going to affect Debian derived systems.
Edit: Added the bit about derivatives.
--
Overpower, overcome. | |
|
 
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
2 edits | Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 Actually, I think this is waffling on the use of the term "predictable", because in the random-number business it normally means that given one number produced by the RNG, one can compute, guess, or derive another number (the previous or the following number in the series).
When this is the case, it means that if I am on the system at the same time you're generating your SSH keys or SSL session, the random number I get will be computationally "close" to the random number you get, so I might be able to figure yours out.
My ability to exploit this vaporizes rapidly with the time difference between when I get my number and you get yours increases - it requires contemporaneous access to the same RNG.
But in the Debian case, it appears to be a much worse kind of predictable: it instead means that the RNG is pulling from a too-small pool of possible numbers, and though I might not be able to determine the next or prior number in the sequence, the pool of available numbers is small enough that I can attempt to brute-force the RNGs that produced it.
I have not studied the particular use of random numbers in SSL or SSH, but this looks yucky: if I know or suspect that your key came from a vulnerable Debian system, I can make a fair run as figuring out the key and can therefore decode your SSL session. And maybe even your SSH private key. I don't need to have access to your server to exploit it.
This really smells like bad news.
Edit - You could understand this problem as similar to taking a good, valid random number and using only the lower 16 bits instead of whatever the normal size is (though I doubt the actual bug is implemented this way).
Steve — who is not an expert on this area, and might be full of baloney | |
|
 |
BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000 | Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 That's the attack as I understand it exactly. Thanks! | |
|
| | 
deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE
| Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 Thanks for the info.
Just stumbled upon this. Interesting point, not sure I entirely agree with it. But certainly in this case the author makes a good point. 
--
»hillaryis404.org/ | |
|
| | | 
Cabal
Premium
join:2007-01-21
Boston, MA
| Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 quote:
Usually it is bad to have any kind of dependency on uninitialised memory, but OpenSSL happens to include a rare case when its OK, or even a good idea: its randomness pool. Adding uninitialised memory to it can do no harm and might do some good, which is why we do it.
I know people hate to comment their code, but maybe intentionally using uninitialized memory would be a good opportunity for that sort of thing. 
--
Interested in open source engine management for your Subaru? | |
|
| | | |
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 said by Cabal  :I know people hate to comment their code, but maybe intentionally using uninitialized memory would be a good opportunity for that sort of thing. Funny you should mention that | |
|
evilghost
Premium
join:2003-11-22
Springville, AL
 ·Windstream
| Is there any reason to regenerate the host-wide keys in /etc/ssh or just those created with ssh-keygen for use in authorized_keys?
| |
|
|
BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000
| Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 For sure host keys would be vulnerable too. The public/private key exchange to build an ssh session pre-auth is almost identical to the one used for auth.
It's going to be a while before all the impact of this is fully understood I think. Thanks for pointing that out. It might be worth brain dumping all the places where SSL might get used like that.
--
Overpower, overcome. | |
|
| 
refused
join:2005-10-10
Redding, CA
| quote:
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections. Keys generated with GnuPG or GNUTLS are not affected,
though.
if generated with 0.9.8c-1 or after, yah they should probably be regenerated with a fixed version. the security bulletin says the old stable version Sarge wasn't affected, so depends where your ssh keys came from and what version they came from. better safe than sorry though.
--
"Ubuntu" - an African word, meaning "Slackware is too hard for me". | |
|
| 
srgyhryt89yfn
@gov.br | Yes. You need to regenerate them, they're required for the security of the session setup. | |
|
evilghost
Premium
join:2003-11-22
Springville, AL
·Windstream
3 edits | I dissected the OpenSSH deb and this is the postinst script that runs to create the keys. Therefor, to recreate the host keys you can:
Dissected from postinst:
| |
|
|
deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE
| Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 That's going to make SO many ssh clients really, really unhappy
Necessary, obviously, but people are going to be seeing a lot of "man in the middle" type errors from ssh in the coming weeks.
--
»hillaryis404.org/ | |
|
evilghost
Premium
join:2003-11-22
Springville, AL | Glad I'm running 6.06 LTS so I don't have to deal with re-creating my Apache SSL cert, my Dovecot/Postfix .pem, and my SSH keys... | |
|
|
|
| 
djrobx
join:2000-05-31
Valencia, CA | Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 Script appears to work. Tried it against a Sarge-generated host keys and it was quiet. Tried it against a recently installed Etch server and it reported the weak keys. After upgrading and regenerating the host keys, it was quiet. | |
|
| |
BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000 | Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 Excellent feedback. Thanks!
--
Overpower, overcome. | |
|
|
|
deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE | Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 I don't think it (by default) supports RSA1 keys, and rightly so. They're quite insecure, relative to DSA and RSA2.
--
»hillaryis404.org/ | |
|
|
evilghost
Premium
join:2003-11-22
Springville, AL
·Windstream
| said by Eatmeingreek :Script seems to work. At least it identifies weak keys and they go away when you run evilghost 's commands. Speaking of evilghost , the first line, "ssh-keygen -q -f /etc/ssh/ssh_host_key -N '' -t rsa1" creates files called "ssh_host_key" and "ssh_host_key.pub" that didn't already exist on all the Debian boxes I've tried so far. Don't think they're really needed. Fortunately a lot of my Debian hosts started life as Sarge boxes so a lot have been unaffected so far. Agree, rsa1 not needed, at least on this end. Edited my post, thanks for pointing this out. | |
|
evilghost
Premium
join:2003-11-22
Springville, AL
·Windstream
3 edits | I'm reminded why I don't like Ubuntu when the openssh-server and openssh-client packages are held back requiring the installation of openssh-blacklist as a requirement.
Dear Ubuntu Team, I'm not going to use ssh-vulnkey to see if my system is vulnerable, I'm reissuing keys. Why is this package a requirement for the openssh-server package? Cut me a freaking break. | |
|
|
|
BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000 | Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 That wiki entry is excellent. I'd recommend everyone read it, specifically the list of likely affected software.
Thanks for sharing! | |
|
BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000
| H D Moore, of the Metasploit project etc, has made the following write up.
http://metasploit.com/users/hdm/tools/debian-openssl/
Of note is the FAQ
quote:
Frequently Asked Questions
Q: How long did it take to generate these keys?
A: About two hours for the 1024-bit DSA and 2048-bit RSA keys for x86. I used 31 Xeon cores clocked at 2.33Ghz. I am generating the RSA 4096-bit keys now and the total time should be about 18 hours.
Q: Will you share your code for distributing the key-generation across mulitple processors?
A: Nope. The code is hardcoded for this specific cluster and is too poorly-written to be worth cleaning up.
Q: How long does it take a crack a SSH user account using these keys?
A: This depends on the speed of the network and the configuration of the SSH server. It should be possible to try all 32,767 keys of both DSA-1024 and RSA-2048 within a couple hours, but be careful of anti-brute-force scripts on the target server.
Q: I use 16384-bit RSA keys, can these be broken?
A: Yes, its just a matter of time and processing power. For mere mortals, 4096-bit keys are already a little on the paranoid side. All possible 4096-bit keys should be available within the next day or so. It is possible to generate all combinations of 8192-bit and 16384-bit keys, but I probably have better uses for my processors
Scary.
Folks, if you're not already, pay close attention to excessive connections to your crypto services like ssh, vpn, etc. ~32,000 attempts can go by fast.
--
Overpower, overcome. | |
|
|
deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE
1 edit | Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 Nevermind, standard log messages from the brute force attackers, not necessarily anything significant to this. | |
|
| |
BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000
1 edit | Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 SSH scanning is increased considerably across the Internet.
http://www.securityfocus.com/news/11518?ref=rss
It's important to consider that simply having ssh-key auth enabled is not enough to be compromised. A user would still need to be using a vulnerable key for authentication. In practical experience, public-key is way less common than simple password auth with ssh. This means the more likely attack vector will be session keys. Considering that password auth for ssh is plain taxt pushed through the session tunnel, I'd be more worried about that. Someone sniffing TCP/22 and cracking it at their leisure would result in essentially plain text logins and passwords.
EDIT: Typo | |
|
| | |
evilghost
Premium
join:2003-11-22
Springville, AL
·Windstream
| Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 said by BeesTea :SSH scanning is increased considerably across the Internet. http://www.securityfocus.com/news/11518?ref=rssIt's important to consider that simply having ssh-key auth enabled is not enough to be compromised. A user would still need to be using a vulnerable key for authentication. In practical experience, public-key is way less common than simple password auth with ssh. This means the more likely attack vector will be session keys. Considering that password auth for ssh is plain taxt pushed through the session tunnel, I'd be more worried about that. Someone sniffing TCP/22 and cracking it at their leisure would result in essentially plain text logins and passwords. EDIT: Typo One thing to consider would be password-less keypairs, for example, I use these at home on my trusted computers for sshfs to avoid password prompts. It's my understanding that if someone knew the compromised keypair and username they could successfully authenticate without password. | |
|
visitor_
@proxad.net | I hope the following doesn't lower the otherwise highly admirable tone of this thread too excessively:
»xkcd.com/424/
| |
|
| 
No_Strings
Premium,Mod
join:2001-11-22
The OC | Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166 "Ubuntu - Turns out distro is actually just Windows Vista wth a few custom themes."
Something some of us have suspected for a long time. | |
|
evilghost
Premium
join:2003-11-22
Springville, AL | I walked in this morning and had this printout on my cube wall. Awesome. | |
|
|
|
|
