448191 Posted May 15, 2008

Just thought I'd share this mail I got from my VPS provider, for any Debian and Ubuntu users out there. It'd be a shame if your root account got brute forced.

> Dear customer,
>
> This week an issue came up in the Debian community related to a communications problem between the developers of the OpenSSL security software and the maintainer of this same software within the Debian team. Due to an error, in 2006 a serious security issue crept into the Debian (and Ubuntu) version of OpenSSL that has only now been detected. The error reduced the possible key space for SSH host keys and SSL certificates to 32,768 possibilities. This has a serious impact on their cryptographic security, opening the door to credible eavesdropping and identity theft attacks.
>
> For security purposes we will perform software updates for our Debian and Ubuntu customers in the next few days. For customers that have a root password on their VPS that is unknown to us, we advise a prompt round of apt-get update / apt-get upgrade. The update may lead to programs like PuTTY complaining about a changed SSH host key. This is expected.

It's been solved (or so the mail says - it's in Dutch so I won't bother you with it), so an update should fix it.
trq Posted May 15, 2008

> It'd be a shame if your root account got brute forced.

You shouldn't be allowing root access via SSH in the first place, but yeah, this is the first I have heard of this issue, and I'm subscribed to a few of the Debian lists. Thanks for the heads up.

Edit by Daniel: Fixed bbcodes.
zq29 Posted May 15, 2008

All of my Ubuntu machines picked this up the day before yesterday, and again today - must have been more than one issue.
steviewdr Posted May 16, 2008

> It's been solved (or so the mail says - in Dutch so I won't bother you with it) though, so an update should fix it.

While openssl and sshd are fixed in recent Debian and Ubuntu updates (apt-get upgrade), it is *not* this simple! All SSH and SSL keys which were created on Debian or Ubuntu servers between September 2006 and last week need to be recreated. If you use SSH keys on Debian/Ubuntu, these need to be deleted and new ones created.

After a couple of apt-get upgrades in Debian etch, a new tool called "ssh-vulnkey" is installed. Simply run "ssh-vulnkey -a" as root to detect if SSH keys are at risk.

It's quite a tale and there has been a lot of noise about it. See:

http://wiki.debian.org/SSLkeys#head-5450db0076b3d85650f72117a9884f89d2349032
http://mail.linux.ie/pipermail/ilug/2008-May/097975.html

-steve
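What ssh-vulnkey actually does, shown as an added example that is not code from this thread or from the Debian tools: because the patched OpenSSL was left with effectively only the process ID as entropy, there are just 32,768 possible keys per key type and size, so Debian enumerated them and shipped their fingerprints as blacklists (the openssh-blacklist package, under /usr/share/ssh/). ssh-vulnkey compares the MD5 fingerprint of every host key, authorized_keys entry and identity file against those lists. The Python below mimics that comparison over an authorized_keys-style file. The keys, their moduli and the blacklist contents are constructed for the demo (they are not real Debian keys), and the exact blacklist file format assumed here (the fingerprint with its first 12 hex digits dropped, one per line) is an assumption; on a real etch or hardy box use "ssh-vulnkey -a" with the shipped lists.

```python
import base64
import hashlib
import struct

# --- Minimal OpenSSH public-key encoding (RFC 4253 "string" and "mpint") ---

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed (uint32 big-endian) byte string."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """Big-endian two's-complement integer; a leading 0x00 is added when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)

def rsa_pubkey_line(e: int, n: int, comment: str = "") -> str:
    """Build an 'ssh-rsa AAAA... comment' line as found in authorized_keys or ssh_host_rsa_key.pub."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + " " + comment if comment else line

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # the key types the 2008 blacklists covered

def extract_blob(pubkey_line: str) -> bytes:
    """Return the decoded key blob, skipping any authorized_keys option prefix (e.g. from="...")."""
    fields = pubkey_line.split()
    for i, f in enumerate(fields):
        if f in KEY_TYPES and i + 1 < len(fields):
            return base64.b64decode(fields[i + 1])
    raise ValueError("no supported key found in line")

def md5_fingerprint(pubkey_line: str) -> str:
    """MD5 fingerprint as 32 hex digits: what `ssh-keygen -l` printed in 2008, without the colons."""
    return hashlib.md5(extract_blob(pubkey_line)).hexdigest()

def blacklist_entry(fingerprint_hex: str) -> str:
    # Assumption: each line of an openssh-blacklist file is the fingerprint with its
    # first 12 hex digits dropped (20 hex digits). Lines starting with '#' are comments.
    return fingerprint_hex[12:]

def load_blacklist(text: str) -> set:
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}

def audit_keys(text: str, blacklist: set) -> list:
    """Check every key line of an authorized_keys-style file; returns (line number, fingerprint, verdict)."""
    results = []
    for lineno, ln in enumerate(text.splitlines(), 1):
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        try:
            fp = md5_fingerprint(ln)
        except ValueError:
            results.append((lineno, "", "unparsed"))
            continue
        verdict = "COMPROMISED" if blacklist_entry(fp) in blacklist else "not blacklisted"
        results.append((lineno, fp, verdict))
    return results

# --- Constructed demo data (not real Debian keys or blacklist contents) ---
WEAK_KEY = rsa_pubkey_line(65537, 0xC0FFEE_DEADBEEF_0BAD_CAFE_F00D_FACE_1234_5678_9ABC_DEF0, "demo@debian-etch")
OK_KEY = rsa_pubkey_line(65537, 0xFEEDFACE_CAFEBABE_0123_4567_89AB_CDEF_FEDC_BA98_7654_3211, "demo@other-host")

# A constructed blacklist that lists only WEAK_KEY, in the assumed file format.
DEMO_BLACKLIST = "# constructed demo blacklist\n" + blacklist_entry(md5_fingerprint(WEAK_KEY)) + "\n"

DEMO_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    WEAK_KEY,
    'from="10.0.0.0/8",no-pty ' + OK_KEY,   # options before the key type must be skipped
])

def demo() -> list:
    return audit_keys(DEMO_AUTHORIZED_KEYS, load_blacklist(DEMO_BLACKLIST))

if __name__ == "__main__":
    for lineno, fp, verdict in demo():
        print(f"line {lineno}: {fp or '-'} {verdict}")
```

Two things the demo makes visible that the thread only implies: a blacklist match is a positive proof that the private key is one of the enumerated 32,768, so the only fix is to delete the key and regenerate it on a patched box, and a non-match proves nothing about keys of a type or size the lists do not cover, which is why ssh-vulnkey reports "Unknown (blacklist file not installed)" rather than "safe" for those.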
448191 Posted May 18, 2008 (Author)

> While openssl and sshd are fixed in recent Debian and Ubuntu updates (apt-get upgrade), it is *not* this simple! [...] After a couple of apt-get upgrades in Debian etch, a new tool called "ssh-vulnkey" is installed. Simply run "ssh-vulnkey -a" as root to detect if SSH keys are at risk.

I have run apt-get update and upgrade without any results (maybe my ISP did it, though I don't see how since I changed the root password), and ssh-vulnkey is not installed... Any pointers?
trq Posted May 18, 2008

Use aptitude, does it say it is holding any packages back?

    sudo aptitude update
    sudo aptitude safe-upgrade
448191 Posted May 18, 2008 (Author)

    448191:/etc/apache2/conf.d# aptitude update
    Get:1 http://ftp.nl.debian.org etch Release.gpg [378B]
    Hit http://ftp.nl.debian.org etch Release
    Ign http://ftp.nl.debian.org etch/main Packages/DiffIndex
    Hit http://ftp.nl.debian.org etch/main Packages
    Fetched 378B in 0s (2206B/s)
    Reading package lists... Done
    448191:/etc/apache2/conf.d#
    448191:/etc/apache2/conf.d# aptitude upgrade
    Reading package lists... Done
    Building dependency tree... Done
    Initializing package states... Done
    Reading task descriptions... Done
    Building tag database... Done
    No packages will be installed, upgraded, or removed.
    0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 0B of archives. After unpacking 0B will be used.
    448191:/etc/apache2/conf.d#

BTW, it doesn't recognize safe-upgrade, but --help includes this line:

    upgrade - Perform a safe upgrade

So I assume just 'upgrade' works. Just to be sure:

    448191:/etc/apache2/conf.d# whereis ssh-vulnkey
    ssh-vulnkey:
    448191:/etc/apache2/conf.d#

Edit: Yes, I'm working as root, not using sudo... No lectures please.
trq Posted May 18, 2008

Hmm, it should be picking it up. Oh, and sorry, safe-upgrade is only available in sid at the moment. I'd try forcing a reinstall.

    sudo apt-get install --reinstall openssh
448191 Posted May 18, 2008 (Author)

No dice either. I also don't quite understand why there's an ssh package when there's also an ssh-server AND an ssh-client package. Anyway, none of my forced reinstalls had the desired effect. I'll contact my host.
tomfmason Posted May 18, 2008

This ended up working for me:

    apt-get install openssh-server openssh-client