
Debian (and Ubuntu) OpenSSL serious security issue



Just thought I'd share this mail I got from my vps provider for any Debian and Ubuntu users out there. It'd be a shame if your root account got brute forced.  ;)

 

Dear customer,

 

This week an issue came up in the Debian community related to a communications problem between the developers of the OpenSSL security software and the maintainer of this same software within the Debian team. Due to an error, in 2006 a serious security issue has crept into the Debian (and Ubuntu) version of OpenSSL that has only now been detected. The error reduced the possible key space for SSH host keys and SSL certificates to 32,768 possibilities. This has a serious impact on their cryptographic security, opening the door to credible eavesdropping and identity theft attacks.

 

For security purposes we will perform software updates for our Debian and Ubuntu customers in the next few days. For customers that have a root password on their VPS that is unknown to us we advise a prompt round of apt-get update / apt-get upgrade.

 

The update may lead to programs like Putty complaining about a changed SSH host key. This is expected.

 

It's been solved (or so the mail says - in Dutch so I won't bother you with it) though, so an update should fix it.

 

It'd be a shame if your root account got brute forced.

 

You shouldn't be allowing root access via ssh in the first place but yeah, this is the first I have heard of this issue, and I'm subscribed to a few of the debian lists. Thanks for the heads up.

 

Edit by Daniel: Fixed bbcodes.

It's been solved (or so the mail says - in Dutch so I won't bother you with it) though, so an update should fix it.

 

While openssl and sshd are fixed in recent debian and ubuntu updates (apt-get upgrade), it is *not* this simple!

 

All ssh and ssl keys which were created on debian or ubuntu servers between September 2006 and last week need to be recreated.

If you use ssh keys on debian/ubuntu, these need to be deleted, and new ones created.

 

After a couple of apt-get upgrades in debian etch, a new tool called "ssh-vulnkey" is installed. Simply run "ssh-vulnkey -a" as root to detect if ssh keys are at risk.

 

It's quite a tale and there has been a lot of noise about it.

See: http://wiki.debian.org/SSLkeys#head-5450db0076b3d85650f72117a9884f89d2349032

http://mail.linux.ie/pipermail/ilug/2008-May/097975.html

 

-steve
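Added example (not code from this thread, and not Debian's own ssh-vulnkey): a minimal Python check in the spirit of "ssh-vulnkey -a", fingerprinting every authorized_keys entry and looking it up in a blacklist of known-weak fingerprints. The keys and the blacklist below are constructed in-code (the real lists ship in the openssl-blacklist package), and the blacklist entry format (MD5 fingerprint minus its first 12 hex characters) is my assumption.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH wire string: uint32 length + bytes

def _mpint(x: int) -> bytes:
    """SSH mpint: minimal big-endian bytes, zero-padded if the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b[0] & 0x80 else b)

def rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an id_rsa.pub-style line from constructed parameters (not a real key)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def md5_fingerprint(pubkey_line: str) -> str:
    """MD5 hex fingerprint of the key blob; tolerates authorized_keys option prefixes."""
    fields = pubkey_line.split()
    for i, f in enumerate(fields[:-1]):
        if f in ("ssh-rsa", "ssh-dss"):
            return hashlib.md5(base64.b64decode(fields[i + 1])).hexdigest()
    raise ValueError("no ssh-rsa/ssh-dss key found in line")

def blacklist_form(fingerprint_hex: str) -> str:
    # Assumption: a blacklist entry is the fingerprint minus its first 12 hex characters.
    return fingerprint_hex[12:]

def load_blacklist(text: str) -> set:
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}

def find_vulnerable_keys(authorized_keys: str, blacklist: set) -> list:
    """Return (line number, comment, fingerprint) for every blacklisted key."""
    hits = []
    for lineno, line in enumerate(authorized_keys.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = md5_fingerprint(line)
        if blacklist_form(fp) in blacklist:
            hits.append((lineno, line.split()[-1], fp))
    return hits

# Constructed keys and a constructed blacklist; the real lists ship in openssl-blacklist.
WEAK_KEY = rsa_pubkey_line(65537, (0xD1CE << 500) | 0xBEEF, "weak@etch-2007")
GOOD_KEY = rsa_pubkey_line(65537, (0xFACE << 500) | 0xC0DE, "ok@regenerated")
BLACKLIST = load_blacklist("# constructed\n" + blacklist_form(md5_fingerprint(WEAK_KEY)))
AUTHORIZED_KEYS = "# root's keys\n%s\n%s\ncommand=\"/bin/true\" %s\n" % (WEAK_KEY, GOOD_KEY, WEAK_KEY)
```

Every key reported by find_vulnerable_keys should be removed and regenerated on an updated system, which is the same action the thread describes for ssh-vulnkey's "COMPROMISED" results.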

 

I have run apt-get update and upgrade without any results (maybe my isp did it though I don't see how since I changed the root pswd) and ssh-vulnkey is not installed...Any pointers?

448191:/etc/apache2/conf.d# aptitude update
Get:1 http://ftp.nl.debian.org etch Release.gpg [378B]
Hit http://ftp.nl.debian.org etch Release
Ign http://ftp.nl.debian.org etch/main Packages/DiffIndex
Hit http://ftp.nl.debian.org etch/main Packages
Fetched 378B in 0s (2206B/s)
Reading package lists... Done
448191:/etc/apache2/conf.d#

448191:/etc/apache2/conf.d# aptitude upgrade
Reading package lists... Done
Building dependency tree... Done
Initializing package states... Done
Reading task descriptions... Done
Building tag database... Done
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 0B will be used.
448191:/etc/apache2/conf.d#

 

btw, it doesn't recognize safe-upgrade, but --help includes this line:

 

upgrade      - Perform a safe upgrade

 

So I assume just 'upgrade' works.

 

Just to be sure:

 

448191:/etc/apache2/conf.d# whereis ssh-vulnkey
ssh-vulnkey:
448191:/etc/apache2/conf.d#

 

:(

 

Edit: Yes, I'm working as root, not using sudo... No lectures please :P

 

 
