Saturday, May 17, 2008

Security: Debian and Ubuntu OpenSSL Vulnerability

I won't go into all the details since majority of the security mailing lists and blogs are covering the issue -- however, I'm blogging this as a reminder. The recent Debian/Ubuntu OpenSSL random number generator vulnerability is very serious, especially if you had generated any keys on Debian or Ubuntu systems running vulnerable versions of OpenSSL (e.g., ssh keys, OpenVPN keys, etc).

There's an excellent detailed summary regarding this issue on HD Moore's web site hosted on Metasploit (link below). To quote from the website:

"All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected. In the case of SSL keys, all generated certificates will be need to recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerabile system. Any tools that relied on OpenSSL's PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system."
Per the standard recommendation, patch all vulnerable systems as soon as possible. In addition you will need to generate any keys that were created previously using vulnerable versions of OpenSSL.

HD Moore's Website [link]
Official CERT Advisory [link]

No comments: