LUG: [CSM-CERT] US-CERT Technical Cyber Security Alert TA08-137A -- Debian/Ubuntu OpenSSL Random Number Generator Vulnerability (fwd)

Robert Hicks rhicks at Mines.EDU
Fri May 16 15:20:00 MDT 2008



Must Ubuntu and Debian users already know about this.  What you might not 
know is that there is a potential that any public keys created by openssl 
may be weak also.  If any of you use public keys, it is best to generate
new ones and replace the old, possibly weak, keys stored on whatever 
machines you access AFTER patching the machine the keys are generated on. 
:)




--
Robert Hicks
CTLM East Wing Room 256
1650 Arapahoe Street
Academic Computing & Networking
Colorado School of Mines
Golden, CO  80401

For Academic Computing Support, please open a request at:
http://helpdesk.Mines.EDU


---------- Forwarded message ----------
Date: Fri, 16 May 2008 14:18:16 -0400
From: CERT Advisory <cert-advisory at cert.org>
To: cert-advisory at cert.org
Subject: [CSM-CERT] US-CERT Technical Cyber Security Alert TA08-137A --
     Debian/Ubuntu OpenSSL Random Number Generator Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 	   National Cyber Alert System

    Technical Cyber Security Alert TA08-137A


Debian/Ubuntu OpenSSL Random Number Generator Vulnerability

    Original release date: May 16, 2008
    Last revised: --
    Source: US-CERT

Systems Affected

      * Debian, Ubuntu, and Debian-based distributions

Overview

    A  vulnerability  in  the  OpenSSL  package  included  with the Debian
    GNU/Linux   operating  system  and  its  derivatives  may  cause  weak
    cryptographic keys to be generated. Any package that uses the affected
    version of SSL could be vulnerable.

I. Description

    A  vulnerabiliity  exists  in  the random number generator used by the
    OpenSSL  package included with the Debian GNU/Linux, Ubuntu, and other
    Debian-based   operating   systems.   This  vulnerability  causes  the
    generated numbers to be predictable.

    The result of this error is that certain encryption keys are much more
    common  than  they should be. This vulnerability affects cryptographic
    applications  that  use  keys  generated by the flawed versions of the
    OpenSSL package. Affected keys include, but may not be limited to, SSH
    keys,  OpenVPN  keys,  DNSSEC  keys, and key material for use in X.509
    certificates  and  session  keys  used  in SSL/TLS connections. Any of
    these keys generated using the affected systems on or after 2006-09-17
    may be vulnerable. Keys generated with GnuPG, GNUTLS, ccrypt, or other
    encryption  utilities  that  do  not  use  OpenSSL  are not vulnerable
    because these applications use their own random number generators.

II. Impact

    A  remote,  unauthenticated  attacker  may be able to guess secret key
    material.  The  attacker may also be able to gain authenticated access
    to    the   system   through   the   affected   service   or   perform
    man-in-the-middle attacks.

III. Solution

Upgrade

    Debian  and  Ubuntu have released fixed versions of OpenSSL to address
    this  issue. System administrators can use the ssh-vulnkey application
    to  check  for  compromised  or weak SSH keys. After applying updates,
    clients using weak keys may be refused by servers.

Workaround

    Until  updates can be applied, administrators and users are encouraged
    to  restrict  access  to  vulnerable servers. Debian- and Ubuntu-based
    systems   can   use   iptables,   iptables   configuration  tools,  or
    tcp-wrappers to limit access.


IV. References

  * DSA-1571-1 openssl - predictable random number generator  -
    <http://www.debian.org/security/2008/dsa-1571>

  * Debian wiki - SSL keys - <http://wiki.debian.org/SSLkeys>

  * Ubuntu OpenSSL vulnerability -
    <http://www.ubuntu.com/usn/usn-612-1>

  * Ubuntu OpenSSH vulnerability -
    <http://www.ubuntu.com/usn/usn-612-2>

  * Ubuntu OpenVPN vulnerability -
    <http://www.ubuntu.com/usn/usn-612-3>Ubuntu SSL-cert vulnerability

  * Ubuntu OpenSSH update - <http://www.ubuntu.com/usn/usn-612-5>

  * Ubuntu OpenVPN regression - <http://www.ubuntu.com/usn/usn-612-6>

  * OpenVPN regression - <http://www.ubuntu.com/usn/usn-612-6>


  _________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA08-137A.html>
  _________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert at cert.org> with "TA08-137A Feedback VU#925211" in the
   subject.
  _________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
  _________________________________________________________________

   Produced 2008 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
  ____________________________________________________________________

   Revision History

   May 16, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBSC3OLvRFkHkM87XOAQIY6Qf/RywAJKkMBte71mgV+XKHOFH9yLy+vOGs
HlC35oyfpijFSPI1TyYpN9vvpvfhL8DDDG6/dNBt+u1uVskcurb5Rh1UMmpEEFg0
kVGos6JDD18T6JpfgvEY9k+4iVAGApNirEYRDsKFVRho/3CaJQ6Tdp/jf3NEzmNE
DPgsEA0n825kBd0dr/v3yT5S9wYsn5x9n6OfyHShXVwYPK/V3jEXbU0uZo0Nt7HX
L0FIVTz5tMWIm1LoTsh+GeE0dsnsg/0+qf1jRRq66GQ+3eMGO/wepTbUmqGCXF0s
I+O756V/mDxrPePJRNcpCjtGZCEjtMNJ4fZPQhosxbNVPpvDV5rGlQ==
=93LZ
-----END PGP SIGNATURE-----
_______________________________________________
csm-cert mailing list
csm-cert at mailman.mines.edu
https://mailman.mines.edu/mailman/listinfo/csm-cert
Unsubscribe: csm-cert-unsubscribe at mailman.mines.edu


More information about the lug mailing list