RSSDebian/Ubuntu users: update your SSL keys and certs
It was announced yesterday that sometime back in September 2006 a line of code was removed from the Debian distributed OpenSSL package. That one line of code was responsible for causing an uninitialized data warning in Valgrind. It also seeded the random number generator used by OpenSSL. Without it, the error went away, but the keyspace used by affected systems went from 2^1024 to about 2^15. Oh noes!
A large majority of Debian and Ubuntu systems are affected. To correct the problem, you'll need to not only update OpenSSL, but also revoke and replace any cryptographic keys and certificates that were generated on the affected systems. From the Debian security advisory:
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.
For most people, this boils down to your ssh server's host key and any public key pairs used for remote ssh authentication. Any keys or certificates generated on the affected machines for SSL/https use also need to be revoked and regenerated. It's pretty ugly, really.
As far as teachable moments go, there's probably a lot to think about here. Software developers have this weird natural tendency to want to fix and reengineer things that aren't even broken. I'd go so far as to say that the desire to reengineer is inversely proportional to a programmer's familiarity and understanding of the code. I think it comes from our intense desire to make sense of things. It's the guru who's able to channel that hacker urge into solving new problems instead of creating new bugs out of old solutions.
DSA-1571-1 openssl -- predictable random number generator
OpenSSL PRNG Debian Toys (more discussion of the problem here)
Posted by Jason Striegel |
May 14, 2008 07:57 PM
Cryptography, Linux, Linux Desktop, Linux Server, Ubuntu |
Permalink
| Comments (1)
Recent Entries
- Gmail notification cube
- Debian/Ubuntu users: update your SSL keys and certs
- drop.io - simple anonymous file sharing
- Cross browser session data with Javascript
- A VAX in your Linux box
- Reading EXIF data from images in Javascript
- Processing.js - visualization library for Javascript
- DIY multi-touch on OS X
- Radio controlled lawn mower
- Using the Canon Hacker's Development Kit
Comments
Newest comments listed first.
| Posted by: on May 15, 2008 at 9:57 AM |
Any Linux/Unix/*BSD system is vulnerable that grants access to a key that was generated on an affected Debian or Ubuntu system.
1) there are only about 32767 different keys generated by the SSH versions shipped with Debian for 2 years.
2) Hackers have already generated all these 32767 different keys.
3) If you give any kind of SSH access, your users have all ready installed weak keys.
The solution is to black list the affected keys.
http://security.debian.org/pool/updates/main/o/openssh-blacklist/
Bloggers
Welcome to the Hacks Blog!
Brian Jepson
Jason Striegel
Phillip Torrone
Categories
- Ajax
- Amazon
- AppleTV
- Astronomy
- BlackBerry
- Blogging
- Body
- Cars
- Cryptography
- Data
- Design
- Education
- Electronics
- Energy
- Events
- Excel
- Excerpts
- Firefox
- Flash
- Flickr
- Flying Things
- Food
- Gaming
- Gmail
- Google Earth
- Google Maps
- Government
- Greasemonkey
- Hacks Series
- Hackszine Podcast
- Halo
- Hardware
- Home
- Home Theater
- iPhone
- iPod
- IRC
- iTunes
- Java
- Kindle
- Knoppix
- Language
- LEGO
- Life
- Lifehacker
- Linux
- Linux Desktop
- Linux Multimedia
- Linux Server
- Mac
- Mapping
- Math
- Microsoft Office
- Mind
- Mind Performance
- Mobile Phones
- Music
- MySpace
- MySQL
- NetFlix
- Network Security
- olpc
- OpenOffice
- Outdoor
- Parenting
- PCs
- PDAs
- Perl
- Philosophy
- Photography
- PHP
- Pleo
- Podcast
- Podcasting
- Productivity
- PSP
- Retro Computing
- Retro Gaming
- Science
- Screencasts
- Shopping
- Skype
- Smart Home
- Software Engineering
- Sports
- SQL
- Statistics
- Survival
- TiVo
- Transportation
- Travel
- Ubuntu
- Video
- Virtualization
- Visual Studio
- VoIP
- Web
- Web Site Measurement
- Windows
- Windows Server
- Wireless
- Word
- World
- Xbox
- Yahoo!
- YouTube
Archives
Recent Posts
- Debian/Ubuntu users: update your SSL keys and certs
- drop.io - simple anonymous file sharing
- Cross browser session data with Javascript
- A VAX in your Linux box
- Reading EXIF data from images in Javascript
- Processing.js - visualization library for Javascript
- DIY multi-touch on OS X
- Radio controlled lawn mower
- Using the Canon Hacker's Development Kit
- Cornell University's student microcontroller projects - Spring08
www.flickr.com
|
Leave a comment