Page 13 of 13
Results 121 to 130 of 130

Thread: OpenSSL vulnerability

  1. #121
    Join Date
    Nov 2006
    Location
    UK
    Beans
    661
    Distro
    Ubuntu Development Release

    This affects non-Debian hosts too

    Something to be aware of if you manage or use a system that doesn't have the affected openssl package installed - all non-Debian based servers may also be affected. It means this potentially impacts not just servers with Debian-based installations but all Linux distributions and also Windows, Solaris, BSD, Mac, etc.

    If that non-Debian system provides SSH-controlled access or hosts server processes that use SSL/TLS certificates (web servers, mail, etc.) then it is possible users have uploaded to the server certificates and/or keys generated on a system that was a subject of this bug.

    That means that in practice all servers that allow users or administrators to install externally generated certificates and keys need to check those keys no matter what operating system the host has installed.

    For example:
    • User SSH keys generated by the user on another system
    • TLS/SSL certificates for web/mail (if CSR generated on an external system)
    • OpenVPN certificates (if generated on external system)
    • Stunnel aggregated service handler (if CSR generated on external system)
    Last edited by IntuitiveNipple; May 22nd, 2008 at 11:53 AM.

  2. #122
    Join Date
    Feb 2007
    Location
    New York
    Beans
    894
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: OpenSSL vulnerability

    Quote Originally Posted by lucho64
    well, you always can do sudo su root, but you are right, you shouldn't need to.
    I should be able to do it all with just sudo, right?

    There are two computers, say A and B.
    I have two computers, yes, but I don't think that's relevant. Both are running Ubuntu and both have been upgraded. On one, the vulnkey program says all are fine. On the other computer (let's call it "george"), it says "COMPROMISED: 1024 <key fingerprint> root@george" It refers to itself, not to my other computer.

    I don't think I did anything that imported anything from one computer to another. I use SSH and NX to control one from the other, but that's it.

    the default location, .ssh/id_dsa.
    Default location in my case is /root/.ssh/id_rsa

    Code:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    Use anything like a password for your passphrase, the longer and more random looking the better.
    I wish I understood the purpose of all this.

    To be sure do:

    $ sudo ssh-vulnkey /etc/ssh/ssh_host_key.pub

    The reported fingerprint should match the one you're seeing.
    It does not:

    Code:
    sudo ssh-vulnkey ssh_host_rsa_key.pub
    Not blacklisted: 2048 <fingerprint> root@george
    sudo ssh-vulnkey ssh_host_dsa_key.pub
    Not blacklisted: 1024 <fingerprint> root@george
    "Please remember to do things the Ubuntu way. There is always more than one solution to a problem, choose the one you think will be the easiest for the user. ... Try to think as a green user and choose the simplest solution." — Code of Conduct

  3. #123
    Join Date
    Jun 2006
    Location
    Eureka, MO
    Beans
    4
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: OpenSSL vulnerability

    Quote Originally Posted by Endolith
    I don't think I did anything that imported anything from one computer to another. I use SSH and NX to control one from the other, but that's it.
    The NX server process (running as root@george) is the source of the problem. The NX server uses OpenSSL generated keys so it also is affected by this vulnerability ... here are instructions on fixing it:

    http://www.nomachine.com/news-read.php?idnews=237

  4. #124
    Join Date
    Feb 2007
    Location
    New York
    Beans
    894
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: OpenSSL vulnerability

    Quote Originally Posted by Cache22
    The NX server process (running as root@george) is the source of the problem. The NX server uses OpenSSL generated keys so it also is affected by this vulnerability ... here are instructions on fixing it:

    http://www.nomachine.com/news-read.php?idnews=237
    I followed those directions but root@george still shows up as the old COMPROMISED key.

  5. #125
    Join Date
    Jul 2007
    Location
    Tāmaki Makau-rau, NZ
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: OpenSSL vulnerability

    Sorry, people, I'm a bit confused by all of this. I've just been installing the updates as they became available. I didn't realise that I had to do anything else.

    I don't run a server, but I do have a couple of POP3/SMTP email accounts with my ISP that connect using SSL. I've run ssl-vulnkey -a and I get absolutely NO output. Does that mean I have no keys on my system? And how would I check that?
    BACKUPS are unsexy — until you discover you should have done one yesterday.
    Spare your nerves and do one before you upgrade or install.

  6. #126
    Join Date
    Feb 2008
    Beans
    606
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: OpenSSL vulnerability

    Quote Originally Posted by Irihapeti
    I don't run a server, but I do have a couple of POP3/SMTP email accounts with my ISP that connect using SSL. I've run ssl-vulnkey -a and I get absolutely NO output. Does that mean I have no keys on my system? And how would I check that?
    I don't believe there's any problem if you're just connecting to a remote server using SSL, since the remote server has its own SSL key (though if it's a debian/ubuntu system it could still be a weak one) and web browsers should use their own random number generators for session keys.

    The problem is with weak keys that you generate on a debian/ubuntu system, or with keys that other users generated on one and uploaded to your system. If you haven't generated any keys and haven't had any remote users upload them, I believe you should be fine.

  7. #127
    Join Date
    Jul 2007
    Location
    Tāmaki Makau-rau, NZ
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: OpenSSL vulnerability

    Thanks for your clarification. I use Thunderbird for email and there don't appear to be any certificates installed other than the built-in tokens. Ditto for Firefox. As for the ISPs, the servers in question are running FreeBSD and Solaris 8, according to Netcraft; thus there shouldn't be any problems at the ISP end.

  8. #128
    Join Date
    May 2008
    Location
    the BliZzard of OzZ!
    Beans
    432
    Distro
    Kubuntu 8.04 Hardy Heron

    Re: OpenSSL vulnerability

    The now-patched vulnerability, reported by the Debian Project May 13th, allows a hacker to use brute-force guessing attacks to decipher keys in SSH [Secure Shell], DNS-SEC (Domain Name System Security Extensions), Open VPN and X.509 certificates, as well as session keys used in SSL/TLS (Secure Sockets Layer/Transport Layer Security) connections.

    The vulnerability has existed since September 2006, and officials with the Debian Project recommend that all cryptographic key material generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems be considered compromised and re-created from scratch.

    It is a big deal to patch and then generate keys--that is why they always say look for FIPS [Federal Information Processing Standard] 140-tested crypto, which would test things like the random number generator.

    Since the flaw was announced, CAs have stepped up to offer free replacement of SSL certificates for enterprises affected by the situation. However, officials at VeriSign and Comodo Group say there has not been a groundswell of enterprises taking them up on the offers. There is also the fact that Debian is not the most popular Linux distribution. Still, potentially replacing two years' worth of keys could represent a formidable task for enterprises that are affected.

    In the event that an enterprise did have to replace a large number of certificates, the main difficulty it would face would simply be the logistics of turning over that many certificates and getting all the right parts in all the right places. However, enterprises are capable of flipping their entire certificate base in less than a month if it is worth their while.

    Businesses are still investigating the impact of the vulnerability, and it may take a while for CAs to see an outpouring of requests for replacement certificates. Even those companies who do need the update and are aware of it might not have been able to reissue their certificates yet. They have to install the Debian patch, satisfy themselves that it's working correctly, figure out which [certificates] need replacement, revoke them and replace them with the new certificates. That's a lot of steps, and the part where they touch the CA is not until the end of the list.
    Screwed by the Demon Gates! To never return!
    Kbuntu 8.04 Hardy - Intel D5400XS Mobo - Dual QX9775 Quad core Extremes * 2 x 12mb cache - 8gb DDR2 @ 1600 mhz FSB - Dual NVidia 9600 GT 512mb OverClocked
    SSSSccccrrreeaammmmmmming........!

  9. #129
    Join Date
    Feb 2007
    Location
    New York
    Beans
    894
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: OpenSSL vulnerability

    Quote Originally Posted by Endolith
    I followed those directions but root@george still shows up as the old COMPROMISED key.
    I've completely removed/uninstalled NX, removed /usr/NX/etc/keys, removed /root/.ssh and it still shows this COMPROMISED key.

    Can anyone help?
    Last edited by Endolith; June 29th, 2008 at 12:10 AM.

  10. #130
    Join Date
    Feb 2005
    Location
    Singapore
    Beans
    138
    Distro
    Ubuntu 6.06 Dapper

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    Quote Originally Posted by rescdsk
    There's a problem in Debian's version of OpenSSL, with a predictable random number generator. The announcement is here: http://lists.debian.org/debian-secur.../msg00152.html . The problem makes key material, such as OpenVPN keys and SSH public-key authentication keys, vulnerable, and you need to replace the keys generated with old versions.

    Does this problem exist on Ubuntu too?


    EDIT bodhi.zazen: Adding information so that people do not need to read the entire thread for some basic information.

    1. There are a few tools to check your ssh keys, most are affected so be warned.

    ssh-vulnkey is included in the update of openssh-server.

    On a Debian/Ubuntu box with ssh server installed:
    Code:
    sudo apt-get update && sudo apt-get dist-upgrade
    apt-get dist-upgrade will install the packages (apt-get upgrade *may* show the packages are held).

    You can then run:

    Code:
    sudo ssh-vulnkey -a
    If you see "Not Blacklisted: xxx.yyy.zzz /path/to/key" you are ok.

    The update will regenerate your server keys

    2. If you are updating ssh keys on a remote server, be careful. When the ssh keys are regenerated *some* users have lost the ssh connection. If you use keys to ssh into the server, first make sure you have alternate access to the server (temporarily allow logins with password ?) until new keys are in place.

    EDIT 2 bodhi.zazen: for clarification:

    This vulnerability affects more than ssh: ntp, imap, pop, smtp, tls, certificate authorities for pgp, openVPN, web servers with SSL, and more. Basically, anybody that used an SSL key generated.

    More info can be found at http://www.debian.org/security/key-rollover/

    ~ Thanks Conficio for the clarification and link

    bodhi.zazen
    I'm confused, does that mean that I have to regenerate everything? CA, VPN-Server, and keys for server and clients?

    regards,
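Both post #121 (externally generated keys uploaded to any host must be checked) and the ssh-vulnkey procedure quoted in #130 come down to the same check: fingerprint each public key and look it up in a blacklist of known-weak fingerprints. The script below is an added example, not code from this thread or from the ssh-vulnkey tool; it scans authorized_keys text the way ssh-vulnkey reports keys ("COMPROMISED" / "Not blacklisted", bit size, fingerprint, comment). The key blobs and the blacklist are constructed inline for illustration; a real check would load the distribution's openssh-blacklist data instead.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")

def _ssh_string(data: bytes) -> bytes:
    """One length-prefixed field of the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def fingerprint_md5(blob: bytes) -> str:
    """Classic OpenSSH fingerprint: colon-separated hex MD5 of the key blob."""
    hexd = hashlib.md5(blob).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, 32, 2))

def key_bits(blob: bytes) -> int:
    """Size of the RSA modulus (3rd field) or the DSA prime p (2nd field)."""
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    mpint = fields[2] if fields[0] == b"ssh-rsa" else fields[1]
    return int.from_bytes(mpint, "big").bit_length()

def check_authorized_keys(text: str, blacklist: set) -> list:
    """Return (status, bits, fingerprint, comment) per key, ssh-vulnkey style."""
    results = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options such as from="..." may precede the key type; skip past them.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        blob = base64.b64decode(tokens[idx + 1])
        fp = fingerprint_md5(blob)
        status = "COMPROMISED" if fp in blacklist else "Not blacklisted"
        results.append((status, key_bits(blob), fp, " ".join(tokens[idx + 2:])))
    return results

# Constructed sample keys (not real key material): a 1024-bit ssh-rsa blob
# (e, n) and a 1024-bit ssh-dss blob (p, q, g, y) with dummy small q, g, y.
_RSA_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xb7" + b"\x11" * 127)
_DSA_BLOB = _ssh_string(b"ssh-dss") + _ssh_string(b"\x00\x91" + b"\x22" * 127) + b"".join(_ssh_string(c) for c in (b"\x01", b"\x02", b"\x03"))
SAMPLE = ("# constructed authorized_keys file\n"
          'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(_RSA_BLOB).decode() + " alice@laptop\n"
          "ssh-dss " + base64.b64encode(_DSA_BLOB).decode() + " root@george\n")
# Constructed blacklist: the DSA key is declared weak; real data comes from openssh-blacklist.
BLACKLIST = {fingerprint_md5(_DSA_BLOB)}
```

Running `check_authorized_keys(SAMPLE, BLACKLIST)` yields one "Not blacklisted" entry for alice@laptop and one "COMPROMISED: 1024 ..." entry for root@george, the same shape of report the thread shows from ssh-vulnkey.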
