[nzlug] todays SSH/SSL/OpenVPN key fun
Nick 'Zaf' Clifford
zaf at nrc.co.nz
Wed May 14 20:12:53 NZST 2008
Quick questions to those who run Linux servers with multiple users
affected by this:
How many of your users actually contacted you when they noticed the SSH
host key changed, and how many just ignored the warnings? And of those
who contacted you, how many actually then took the steps to reverify
verbally the new SSH server key?
Did you actually contact the users before/after the change with a
message explaining the revocation/change of the host key, and the
disabling of their user keys (assuming they had them)?
How many of you are now checking your system logs very very carefully,
looking for any inconsistencies indicating someone may have rootkit'd
the box?
How many of you are doing a bare metal restore, with binaries from
original CD, because you are that paranoid?
Is anyone aware of any exploits, in the wild, of this vulnerability?
Oh, and one more question, <joke>how many are getting their LART[1] out,
and looking up that Debian maintainers address?</joke>
Nick
[1] http://catb.org/jargon/html/L/LART.html
Robert Coup wrote:
> If you're running Debian, Ubuntu, or any other Debian-derived distro,
> OR if you have generated any SSH/SSL keys/certificates on a
> Debian-derived machine since 2006...
>
>> A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.
>
> Normally I wouldn't bother posting this to NZLUG but it turns out
> there are only ~262,000 keys generated, which is a very very quick
> brute-force. It only affects Debian since it was a distro-specific
> patch that broke it. The first vulnerable version, openssl 0.9.8c-1,
> was uploaded to the Debian unstable distribution on 2006-09-17, and
> has since propagated to the testing and current stable (etch)
> distributions. The old stable distribution (sarge) is not affected.
> For Ubuntu, everything from Feisty onwards is affected.
>
> Note doing an apt-get upgrade won't fix this - you need to regenerate
> all your SSH keys (user & host) & SSL certificates that have been
> created using this library as well. Be a little careful of just
> hitting "apt-get dist-upgrade" or you may be locked out of your boxes
> (openssh-blacklist gets installed and will block insecure keys).
>
> Security Advisories:
>
> Debian: http://lists.debian.org/debian-security-announce/2008/msg00152.html
> Ubuntu: http://www.ubuntu.com/usn/usn-612-1 ,
> http://www.ubuntu.com/usn/usn-612-2 ,
> http://www.ubuntu.com/usn/usn-612-3
>
> Rob :)
>
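An added example, not code from either message, of the kind of check the openssh-blacklist package automates for the "disable their user keys" step: it computes the MD5 fingerprint of each key in an authorized_keys file, compares it against a blacklist of known-weak fingerprints, and comments the weak entries out. The keys, the authorized_keys content and the blacklist are all constructed in-line, and the blacklist is a plain set of full fingerprints, not the package's own on-disk format.

```python
import base64
import hashlib
import struct

def ssh_string(b):
    """RFC 4253 string encoding: 4-byte big-endian length prefix."""
    return struct.pack(">I", len(b)) + b

def make_blob(key_type, *fields):
    """Assemble an SSH wire-format public key blob from its fields."""
    return ssh_string(key_type) + b"".join(ssh_string(f) for f in fields)

# Constructed keys: the RSA exponent/modulus bytes are placeholders, not real keys.
WEAK_BLOB = make_blob(b"ssh-rsa", b"\x01\x00\x01", bytes(range(1, 33)))
GOOD_BLOB = make_blob(b"ssh-rsa", b"\x01\x00\x01", bytes(range(33, 65)))
b64 = lambda blob: base64.b64encode(blob).decode()

# Constructed sample authorized_keys: one plain entry, one with an options field.
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa " + b64(WEAK_BLOB) + " alice@laptop",
    'command="/usr/bin/rsync --server" ssh-rsa ' + b64(GOOD_BLOB) + " backup",
])

def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the form ssh-keygen -l printed in 2008."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

# Constructed blacklist of weak fingerprints (stand-in for openssh-blacklist data).
BLACKLIST = {md5_fingerprint(WEAK_BLOB)}

def key_blob(line):
    """Decoded key blob of an authorized_keys line, or None for comments and
    blank lines. The key type token may be preceded by an options field."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-")):
            return base64.b64decode(parts[i + 1])
    return None

def audit(text, blacklist):
    """List (line_no, fingerprint, is_weak) for every key in the file text."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        blob = key_blob(line)
        if blob is not None:
            fp = md5_fingerprint(blob)
            report.append((n, fp, fp in blacklist))
    return report

def disable_weak(text, blacklist):
    """File content with blacklisted keys commented out: the line is kept for
    reference, but the user can no longer log in with that key."""
    out = []
    for line in text.splitlines():
        blob = key_blob(line)
        weak = blob is not None and md5_fingerprint(blob) in blacklist
        out.append(("#WEAK-KEY-DISABLED " + line) if weak else line)
    return "\n".join(out) + "\n"
```

Run `audit(AUTHORIZED_KEYS, BLACKLIST)` to see which lines match, then write the output of `disable_weak` back over the file once the owner has been told to regenerate.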