PDA

View Full Version : USN-612-2: OpenSSH vulnerability



rss-bot
May 13th, 2008, 09:20 PM
Referenced CVEs:
CVE-2008-0166


Description:
================================================== ========= Ubuntu Security Notice USN-612-2 May 13, 2008 openssh vulnerability CVE-2008-0166, http://www.ubuntu.com/usn/usn-612-1 ================================================== ========= A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH. This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them. We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems. The following Ubuntu releases are affected: Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. Updating your system: 1. Install the security updates Ubuntu 7.04: openssh-client 1:4.3p2-8ubuntu1.3 openssh-server 1:4.3p2-8ubuntu1.3 Ubuntu 7.10: openssh-client 1:4.6p1-5ubuntu0.3 openssh-server 1:4.6p1-5ubuntu0.3 Ubuntu 8.04 LTS: openssh-client 1:4.7p1-8ubuntu1.1 openssh-server 1:4.7p1-8ubuntu1.1 Once the update is applied, weak user keys will be automatically rejected where possible (though they cannot be detected in all cases). If you are using such keys for user authentication, they will immediately stop working and will need to be replaced (see step 3). OpenSSH host keys can be automatically regenerated when the OpenSSH security update is applied. The update will prompt for confirmation before taking this step. 2. Update OpenSSH known_hosts files The regeneration of host keys will cause a warning to be displayed when connecting to the system using SSH until the host key is updated in the known_hosts file. The warning will look like this: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. In this case, the host key has simply been changed, and you should update the relevant known_hosts file as indicated in the error message. 3. Check all OpenSSH user keys The safest course of action is to regenerate all OpenSSH user keys, except where it can be established to a high degree of certainty that the key was generated on an unaffected system. Check whether your key is affected by running the ssh-vulnkey tool, included in the security update. By default, ssh-vulnkey will check the standard location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity), your authorized_keys file (~/.ssh/authorized_keys and ~/.ssh/authorized_keys2), and the system's host keys (/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key). To check all your own keys, assuming they are in the standard locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity): $ ssh-vulnkey To check all keys on your system: $ sudo ssh-vulnkey -a To check a key in a non-standard location: $ ssh-vulnkey /path/to/key If ssh-vulnkey says "Unknown (no blacklist information)", then it has no information about whether that key is affected. If in doubt, destroy the key and generate a new one. 4. Regenerate any affected user keys OpenSSH keys used for user authentication must be manually regenerated, including those which may have since been transferred to a different system after being generated. New keys can be generated using ssh-keygen, e.g.: $ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 user@host 5. Update authorized_keys files (if necessary) Once the user keys have been regenerated, the relevant public keys must be propagated to any authorized_keys files on remote systems. Be sure to delete the affected key. Updated packages for Ubuntu 7.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.3p2-8ubuntu1.3.diff.gz Size/MD5: 275518 a8b32463625d995f31710932955f155e http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.3p2-8ubuntu1.3.dsc Size/MD5: 1074 2ba8f9d6823e429a87a16d1069b8bcb0 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.3p2.orig.tar.gz Size/MD5: 920186 239fc801443acaffd4c1f111948ee69c Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_4.3p2-8ubuntu1.3_all.deb Size/MD5: 1086 ec4e33a5b72165a213aba1dc5c6e1e48 http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/ssh-krb5_4.3p2-8ubuntu1.3_all.deb Size/MD5: 93414 1273931c48c521f82a32c83d3c2c7f30 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.3p2-8ubuntu1.3_amd64.udeb Size/MD5: 173116 a63a1aad1a6d703701353b1a2f3aa3f1 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.3p2-8ubuntu1.3_amd64.deb Size/MD5: 739306 6ebf534da00e63d36ff8d25d133c5f87 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server-udeb_4.3p2-8ubuntu1.3_amd64.udeb Size/MD5: 185954 165979d39473eed093bd332294611892 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.3p2-8ubuntu1.3_amd64.deb Size/MD5: 255690 5f273f1e6da9f6f572da970e7ba1680a http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.3p2-8ubuntu1.3_amd64.deb Size/MD5: 101788 18268a8507e35a673ba0b88d7c8f905b i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.3p2-8ubuntu1.3_i386.udeb Size/MD5: 156814 338d87e0ed113fabb31bf8985c41044d http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.3p2-8ubuntu1.3_i386.deb Size/MD5: 701434 47f4f9e32772a27f390b7bf598ca692c http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server-udeb_4.3p2-8ubuntu1.3_i386.udeb Size/MD5: 165480 bb943025f0bfb39c0f080aa0c6a90507 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.3p2-8ubuntu1.3_i386.deb Size/MD5: 238154 cc0df0b6336c02dda018dd381e096150 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.3p2-8ubuntu1.3_i386.deb Size/MD5: 101494 d84b4274b86d65878b41e33db957cbec powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.3p2-8ubuntu1.3_powerpc.udeb Size/MD5: 178908 fb39252bf076dca363b34058f6c6280a http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.3p2-8ubuntu1.3_powerpc.deb Size/MD5: 767364 cbe597ba0193d39d115a432404471939 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server-udeb_4.3p2-8ubuntu1.3_powerpc.udeb Size/MD5: 184132 ebc03fba90aa40ba7e86c2bd90b4b43b http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.3p2-8ubuntu1.3_powerpc.deb Size/MD5: 259734 1feeb20163fb303b41a85bbd9775abe5 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.3p2-8ubuntu1.3_powerpc.deb Size/MD5: 104262 f781bfd69b35508129c0ce71eb0cf395 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.3p2-8ubuntu1.3_sparc.udeb Size/MD5: 164240 2796884a4e9c6a0c4d228e3a2d829df4 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.3p2-8ubuntu1.3_sparc.deb Size/MD5: 751366 43659331cc6f294e7657d96311db221a http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server-udeb_4.3p2-8ubuntu1.3_sparc.udeb Size/MD5: 172576 f3bebc7681083a2a7dd4a91fd1ee5237 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.3p2-8ubuntu1.3_sparc.deb Size/MD5: 263460 913bae4437faf91b7c4b95257ca9fe46 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.3p2-8ubuntu1.3_sparc.deb Size/MD5: 101742 cf3e2aa66bfe30c2981a28063d7fa639 Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.6p1-5ubuntu0.3.diff.gz Size/MD5: 195240 fe9c399991e5e754a0837760ff9d4100 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.6p1-5ubuntu0.3.dsc Size/MD5: 1169 fc9b6d0a04345973f1b88ca9aa8e6a32 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.6p1.orig.tar.gz Size/MD5: 946439 cee58cd226138191561fa2d484e18f49 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_4.6p1-5ubuntu0.3_all.deb Size/MD5: 1092 56a70a7d56d8d7722f33d60b6cd17a71 http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/ssh-krb5_4.6p1-5ubuntu0.3_all.deb Size/MD5: 80578 9d3e66bfbbac576c23ee4bf9827ed545 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.6p1-5ubuntu0.3_amd64.udeb Size/MD5: 176410 3167e74074387dc17c98c38e1b98fd3c http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.6p1-5ubuntu0.3_amd64.deb Size/MD5: 746302 cc544fd8322a83dab8eb5f342eaca137 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server-udeb_4.6p1-5ubuntu0.3_amd64.udeb Size/MD5: 193380 7defa55f2553fd71e391d33f392acd0e http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.6p1-5ubuntu0.3_amd64.deb Size/MD5: 268750 6d5c5179be8f291956b30cc36d4ee091 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.6p1-5ubuntu0.3_amd64.deb Size/MD5: 88726 97c9adfa3a82f9ed54286f68b41ef966 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.6p1-5ubuntu0.3_i386.udeb Size/MD5: 158796 e4d1cc24210b4a3327cafd41a559cd6b http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.6p1-5ubuntu0.3_i386.deb Size/MD5: 705630 c18488f740b38d1a57aef8806924de8a http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server-udeb_4.6p1-5ubuntu0.3_i386.udeb Size/MD5: 171690 af3ba10602d74429b54e256fbc982187 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.6p1-5ubuntu0.3_i386.deb Size/MD5: 249760 ab084428f73b76c5b4db1e648a222aa4 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.6p1-5ubuntu0.3_i386.deb Size/MD5: 88384 b051562fb7973c1dd92e6a8bb6b22854 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/o/openssh/openssh-client-udeb_4.6p1-5ubuntu0.3_lpia.udeb Size/MD5: 158876 1bffbee3eed3146e3feaa2c802537699 http://ports.ubuntu.com/pool/main/o/openssh/openssh-client_4.6p1-5ubuntu0.3_lpia.deb Size/MD5: 676546 d22322abdfa831ea95bf42540aafecd6 http://ports.ubuntu.com/pool/main/o/openssh/openssh-server-udeb_4.6p1-5ubuntu0.3_lpia.udeb Size/MD5: 171284 e59f9929f2fcc857d44131d76500c210 http://ports.ubuntu.com/pool/main/o/openssh/openssh-server_4.6p1-5ubuntu0.3_lpia.deb Size/MD5: 243102 8b5d5ff193b90fff85cec8aee1b8cfbc http://ports.ubuntu.com/pool/main/o/openssh/ssh-askpass-gnome_4.6p1-5ubuntu0.3_lpia.deb Size/MD5: 88414 52ed9be1d8933742c15c14f7cfee11dd powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.6p1-5ubuntu0.3_powerpc.udeb Size/MD5: 180856 20b436d113f09e07b9c53301f87a551a http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.6p1-5ubuntu0.3_powerpc.deb Size/MD5: 773758 b7c0f8ac855ea770bbdf58284f25546e http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server-udeb_4.6p1-5ubuntu0.3_powerpc.udeb Size/MD5: 190236 23961af7588d4a886d818248c8c7fa15 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.6p1-5ubuntu0.3_powerpc.deb Size/MD5: 271988 e8bdf4fa9838997c0bd62446c59b38dd http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.6p1-5ubuntu0.3_powerpc.deb Size/MD5: 91094 b8756a6901f7a0337c36c7cc76d4991c sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.6p1-5ubuntu0.3_sparc.udeb Size/MD5: 166884 139dc1f86d43517a46ec3915b61125e1 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.6p1-5ubuntu0.3_sparc.deb Size/MD5: 758584 5b8cba657c6e53342e119d26dc9b7c61 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server-udeb_4.6p1-5ubuntu0.3_sparc.udeb Size/MD5: 179096 0bccc7c29ed50a559b02e52087ae4ed2 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.6p1-5ubuntu0.3_sparc.deb Size/MD5: 276534 4a4ce6ed933a3c03f632e1b3a7f34e18 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.6p1-5ubuntu0.3_sparc.deb Size/MD5: 88696 a0158a6b98ff0531c1893caf4b01ebdf Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.7p1-8ubuntu1.1.diff.gz Size/MD5: 208492 b33a4acef918d79a2d0450011fd9db88 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.7p1-8ubuntu1.1.dsc Size/MD5: 1135 19ea91251f9de2f6dfa6d936a8e4025b http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.7p1.orig.tar.gz Size/MD5: 1009361 bea83d2e0f9ac7b3d4393d693e68b5c1 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_4.7p1-8ubuntu1.1_all.deb Size/MD5: 1084 ec75a470768ccd89eb6c107244d25843 http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/ssh-krb5_4.7p1-8ubuntu1.1_all.deb Size/MD5: 88740 16ff461b87a6baa09ececbc9697af6ed amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.7p1-8ubuntu1.1_amd64.udeb Size/MD5: 179266 1e32b7dbecf022791c6ab251a8d86117 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.7p1-8ubuntu1.1_amd64.deb Size/MD5: 760430 1e6d3bdf27d9657c9eefeee0b5b6dd6f http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server-udeb_4.7p1-8ubuntu1.1_amd64.udeb Size/MD5: 195488 267a48a1b35ab7855894e7785224dc57 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.7p1-8ubuntu1.1_amd64.deb Size/MD5: 272820 81b2527ce22794c0281484fdc1de86c1 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.7p1-8ubuntu1.1_amd64.deb Size/MD5: 96646 14c612c40c4c414eccf11db95e404a67 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.7p1-8ubuntu1.1_i386.udeb Size/MD5: 161826 a1081ddbc0d082133770cd8412774b01 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.7p1-8ubuntu1.1_i386.deb Size/MD5: 720024 3bcf4ba3a85f4464e13bb7d0b1574548 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server-udeb_4.7p1-8ubuntu1.1_i386.udeb Size/MD5: 174336 77153868defe66100d1ab2d4949aed80 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.7p1-8ubuntu1.1_i386.deb Size/MD5: 254010 3ad390fe06cf32b5aced76ce944839ce http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.7p1-8ubuntu1.1_i386.deb Size/MD5: 96282 505e7cd7b1b5e8f9e8c2401e61b84f78 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/o/openssh/openssh-client-udeb_4.7p1-8ubuntu1.1_lpia.udeb Size/MD5: 161638 f14258648dc6485d895621c360caf87a http://ports.ubuntu.com/pool/main/o/openssh/openssh-client_4.7p1-8ubuntu1.1_lpia.deb Size/MD5: 713374 176cceb970938c3d4e664c9ecdcafe8f http://ports.ubuntu.com/pool/main/o/openssh/openssh-server-udeb_4.7p1-8ubuntu1.1_lpia.udeb Size/MD5: 174208 12e49f067940cc99cdd91037e415d57f http://ports.ubuntu.com/pool/main/o/openssh/openssh-server_4.7p1-8ubuntu1.1_lpia.deb Size/MD5: 252862 4ff6983dfc76b1d9893c3eeac0da19b9 http://ports.ubuntu.com/pool/main/o/openssh/ssh-askpass-gnome_4.7p1-8ubuntu1.1_lpia.deb Size/MD5: 96290 19ba2f10620c2565b41306d5392d86b9 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/o/openssh/openssh-client-udeb_4.7p1-8ubuntu1.1_powerpc.udeb Size/MD5: 185708 46e102bc1076e9b1efe01430e0424a14 http://ports.ubuntu.com/pool/main/o/openssh/openssh-client_4.7p1-8ubuntu1.1_powerpc.deb Size/MD5: 797090 4dc43223deedb0d4115a09d06cf352c3 http://ports.ubuntu.com/pool/main/o/openssh/openssh-server-udeb_4.7p1-8ubuntu1.1_powerpc.udeb Size/MD5: 194522 d7384655c312fcba85cd31efe4b4e0de http://ports.ubuntu.com/pool/main/o/openssh/openssh-server_4.7p1-8ubuntu1.1_powerpc.deb Size/MD5: 279012 afc9f70d7df19d39ce61b7ee18e7040a http://ports.ubuntu.com/pool/main/o/openssh/ssh-askpass-gnome_4.7p1-8ubuntu1.1_powerpc.deb Size/MD5: 99064 f593634bf8755c8ef348457cd9478be9 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/o/openssh/openssh-client-udeb_4.7p1-8ubuntu1.1_sparc.udeb Size/MD5: 169976 450612c9a43ddf84d2dd97e2422a3b22 http://ports.ubuntu.com/pool/main/o/openssh/openssh-client_4.7p1-8ubuntu1.1_sparc.deb Size/MD5: 723070 f51ac3477b3a6554277ebb26ef6c2496 http://ports.ubuntu.com/pool/main/o/openssh/openssh-server-udeb_4.7p1-8ubuntu1.1_sparc.udeb Size/MD5: 181564 55312d8015761b003ca8abf6c6c0e6b5 http://ports.ubuntu.com/pool/main/o/openssh/openssh-server_4.7p1-8ubuntu1.1_sparc.deb Size/MD5: 258334 c67396a961ca1baf4adb3dc60974fe8e http://ports.ubuntu.com/pool/main/o/openssh/ssh-askpass-gnome_4.7p1-8ubuntu1.1_sparc.deb Size/MD5: 96500 2ee312a10a8ff807ce94f8ecf0587588





More... (http://www.ubuntu.com/usn/usn-612-2)