  jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI clubs:  
| (SERIOUS) Debian/Ubuntu OpenSSL/OpenSSH weak keys
»www.ubuntu.com/usn/usn-612-1
quote: A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.
...
An update has been released for both Debian and Ubuntu. It's recommended for you to apply it IMMEDIATELY. -- Ubuntu MOTU Developer and Forums Council |
|
  jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI clubs:  
| Sorry, posted this in a hurry. So, in plain English:
(1) All SSH servers installed on Debian/Ubuntu systems since the described date should have their host keys regenerated after the update.
(2) Any SSH private keys (RSA) you generated on affected systems must also be regenerated.
(3) If you've communicated with affected systems, you must assume that those communications could've been eavesdropped/MITMed.
This is really a nasty vulnerability. -- Ubuntu MOTU Developer and Forums Council |
|
  Pjr
join:2005-12-11 UK | reply to jdong Thanks for the warning. |
|
  BeesTea Network Janitor Premium,VIP join:2003-03-08 00000 | reply to jdong Agreed. Very nasty.
This is going to be any SSL cert made as well. The scope of this is probably massive. |
|
  jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI clubs:  
edit: May 13th, @11:40AM
| reply to jdong »www.ubuntu.com/usn/usn-612-2
An updated Ubuntu advisory has been posted, with full information on what the admin needs to do to check for and regenerate affected keys.
quote: Once the update is applied, weak user keys will be automatically rejected where possible (though they cannot be detected in all cases). If you are using such keys for user authentication, they will immediately stop working and will need to be replaced (see step 3).
That's also a nice touch. Weak authentication keys are automatically rejected.
-- Ubuntu MOTU Developer and Forums Council |
|
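The check the updated advisory describes, as an added example that is not part of any post in this thread and is not the code shipped in the Debian/Ubuntu update: because the flawed generator could only produce a limited set of keys, affected keys can be listed in advance and matched by fingerprint. The blacklist layout (one MD5 fingerprint per line, full or trailing hex digits, matched as a suffix), the function names and both sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def make_constructed_key(modulus):
    """Build an ssh-rsa public key line from a made-up modulus (sample data only)."""
    def mpint(n):
        return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))
    blob = _ssh_string(b"ssh-rsa") + mpint(65537) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

def md5_fingerprint(line):
    """MD5 hex fingerprint of the key blob in one authorized_keys line, else None.
    Options such as command="..." may precede the key type, so scan for it."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            return hashlib.md5(blob).hexdigest()
    return None

def load_blacklist(text):
    """One hex fingerprint (full or trailing digits) per line; '#' starts a comment."""
    entries = (ln.strip().lower() for ln in text.splitlines())
    return {e for e in entries if e and not e.startswith("#")}

def find_weak_keys(authorized_keys_text, blacklist):
    """Return (line number, fingerprint) for every key whose fingerprint is listed."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = md5_fingerprint(line)
        if fp and any(fp.endswith(entry) for entry in blacklist):
            hits.append((lineno, fp))
    return hits

# Constructed sample data: neither key is a real weak key.
LISTED = make_constructed_key(0xC0FFEE << 2024 | 1)
UNLISTED = make_constructed_key(0xBADC0DE << 2020 | 1)
BLACKLIST = load_blacklist("# constructed entry\n" + md5_fingerprint(LISTED)[-20:])
SAMPLE = "# constructed file\n" + UNLISTED + '\ncommand="/usr/bin/backup" ' + LISTED + "\n"
```

Any line number returned by `find_weak_keys` points at a key to remove and regenerate on a patched system; a key that is not listed is not thereby proven safe, as the advisory notes.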
  EGeezer Summer is passing Premium join:2002-08-04 Country!
·RoadRunner Cable
·AT&T CallVantage
| reply to jdong Debian advisory and fix information
Debian advisory, levels affected, patch information, fixes etc here. -- Mayors of New York come from nowhere and go nowhere. Wallace Sayre (apparently, so do governors... ) |
|
  Cudni La Merma - Los De Aca Premium,MVM join:2003-12-20 Someshire
·BTOpenworld
| reply to jdong Re: (SERIOUS) Debian/Ubuntu OpenSSL/OpenSSH weak keys
another article on the subject »www.securityfocus.com/blogs/798 ".. If you want a summary, this problem comes about because the OpenSSL random number generator does some things that are unconventional, but not wrong. The unconventional coding was flagged by a code-analysis tool, and a Debian person removed it. That change made all randomness vanish from the random number generator.
Plenty of people have debated the whole thing. For example, there's the debate that says the Debian developer was an idiot, and the people who say that the folks who did unconventional things were idiots.
I think that this is the sort of expected failure that happens in complex systems. .."
Cudni -- "Mercifully, he hit him with the soft end of the pistol." Help yourself so God can help you. Microsoft MVP, 2006 - 2008 |
|
  EUS Kill cancer Premium join:2002-09-10 Montreal, QC clubs:  | I'm no programmer, but to me deleting lines of code, and then finding out what that code does is ass-backwards. Debian dropped the ball. |
|
  Steve Security is inefficient Consultant join:2001-03-10 Tustin, CA
| reply to Cudni
said by Cudni : For example, there's the debate that says the Debian developer was an idiot, and the people who say that the folks who did unconventional things were idiots.
And then there are those who appreciate the cleverness of using the unconventional technique but nevertheless hold the OpenSSL people responsible for being smart crypto guys but lousy developers for not leaving a comment in the code that they were doing something odd. This would have forestalled the whole thing.
The Debian people did run the change by the OpenSSL people, who didn't object (and certainly didn't "laugh" as the cocky OpenSSL guys now suggest they would have), though it appears that openssl-dev is not a list for openssl developers ("they asked on the wrong list").
This is indeed what happens with complex systems, and I don't think anybody was an idiot or negligent, but I think the OpenSSL people are trying just a bit too hard to absolve themselves from being crappy coders.
Steve -- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site |
|
  jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI clubs:  
| reply to EUS
said by EUS : I'm no programmer, but to me deleting lines of code, and then finding out what that code does is ass-backwards. Debian dropped the ball.
On the other hand, as pointed out, the use of uninitialized memory is a common bug found in a LOT of stuff Debian packages, and in virtually EVERY case indicates a bug.
I don't like pointing the blame finger in this game because there really isn't a clear blame trail... I think the situation overall was handled well in the disclosure and resolution process and that's just about everything we can do at this point. -- Ubuntu MOTU Developer and Forums Council |
|
  EUS Kill cancer Premium join:2002-09-10 Montreal, QC clubs:  | I too believe that the fallout/resolution was handled well. At present count, SSH (Etch) has been updated 4 times in the past week, with one more update that requires dist-upgrade for some reason. I have not done this last one yet. |
|