Page 1 of 13 12311 ... LastLast
Results 1 to 10 of 130

Thread: OpenSSL vulnerability

  1. #1
    Join Date
    Nov 2007
    Beans
    11

    OpenSSL vulnerability in Debian---Ubuntu too?

    There's a problem in Debian's version of OpenSSL, with a predictable random number generator. The announcement is here: http://lists.debian.org/debian-secur.../msg00152.html . The problem makes key material, such as OpenVPN keys and SSH public-key authentication keys, vulnerable, and you need to replace the keys generated with old versions.

    Does this problem exist on Ubuntu too?


    EDIT bodhi.zazen: Adding information so that people do not need to read the entire thread for some basic information.

    1. There are a few tools to check your ssh keys, most are affected so be warned.

    ssh-vulnkey is included in the update of openssh-server.

    On a Debian/Ubuntu box with ssh server installed :
    Code:
    sudo apt-get update && sudo apt-get dist-upgrade
    apt-get dist-upgrade will install the packages (apt-get upgrade *may* show the packages are held).

    You can then run :

    Code:
    sudo ssh-vulnkey -a
    If you see "Not Blacklisted: xxx.yyy.zzz /path/to/key" you are ok.

    The update will regenerate your server keys

    2. If you are updating ssh keys on a remote server, be careful. When the ssh keys are regenerated *some* users have lost the ssh connection. If you use keys to ssh into the server, first make sure you have alternate access to the server (temporarily allow logins with password ?) until new keys are in place.

    EDIT 2 bodhi.zazen: for clarification :

    This vulnerability affects more then ssh, ntp, imap, pop, smtp, tls, certificate authorities for pgp, openVPN, web servers with SSL, and more. Basically, anybody that used an SSL key generated.

    More info can be found at http://www.debian.org/security/key-rollover/

    ~ Thanks Conficio for the clarification and link

    bodhi.zazen
    Last edited by bodhi.zazen; May 18th, 2008 at 12:59 AM.

  2. #2
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Beans
    1,393
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    http://www.ubuntu.com/usn/usn-612-1
    http://www.ubuntu.com/usn/usn-612-2


    Edit: URL modified to reflect change in Ubuntu, which also gives more detail about regenerating keys.
    Last edited by Monicker; May 13th, 2008 at 06:47 PM. Reason: Modified url

  3. #3
    Join Date
    Aug 2006
    Beans
    196

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    Is there a fast way to tell a computer to regenerate all the keys? How should I start doing it?

  4. #4
    Join Date
    Jul 2005
    Location
    Remote Desert, USA
    Beans
    683

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    This came in the news today:

    http://lists.debian.org/debian-secur.../msg00152.html

    I hope we see a patch in Ubuntu soon.
    SuperMike
    When in doubt, follow the penguins.
    Evil Kitty is watching you

  5. #5
    Join Date
    Nov 2005
    Location
    South Yorkshire, UK
    Beans
    238
    Distro
    Xubuntu 10.04 Lucid Lynx

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    Quote Originally Posted by Tuna-Fish View Post
    Is there a fast way to tell a computer to regenerate all the keys? How should I start doing it?
    I'd like to know this too.

    I've upgraded the packages on my server, but do I need to do anything else?

  6. #6
    Join Date
    Mar 2007
    Beans
    19

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    Just watch for http://www.debian.org/security/key-rollover/

    EDIT: Does dowkd.pl from the Debian advisory find something for you? The program is a bit too quiet for my taste (no output).
    Last edited by jojo4u; May 13th, 2008 at 03:56 PM.

  7. #7
    Join Date
    Nov 2005
    Location
    South Yorkshire, UK
    Beans
    238
    Distro
    Xubuntu 10.04 Lucid Lynx

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    Quote Originally Posted by Tuna-Fish View Post
    Is there a fast way to tell a computer to regenerate all the keys? How should I start doing it?
    Okay here's how I did it for SSH. Not the most elegant way but it works.

    1. Login as root or use sudo.
    2. Copy your ssh configs so you can put them back later:
    Code:
    cp /etc/ssh/ssh_config ./
    cp /etc/ssh/sshd_config ./
    3. Remove purge openssh-server:
    Code:
    apt-get purge openssh-server
    4. Reinstall openssh-server:
    Code:
    apt-get install openssh-server
    5. While installing watch for the following output. If you see it then all is good:
    Code:
    Creating SSH2 RSA key; this may take some time ...
    Creating SSH2 DSA key; this may take some time ...
    6. Move back your old configs:
    Code:
    mv sshd_config /etc/ssh/
    mv ssh_config /etc/ssh/
    7. Restart sshd
    Code:
    /etc/init.d/ssh restart
    Note this won't work for feisty since it has no "apt-get purge", you will need to manually delete the keys in /etc/ssh/ instead.
    Last edited by yaztromo; May 13th, 2008 at 04:15 PM. Reason: Clarification

  8. #8
    Join Date
    Mar 2007
    Beans
    19

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    OK, found some old keys (gutsy or older=) and ran

    Code:
    perl dowkd.pl file /media/ACERDATA/LINUX/etc/ssh/*key*
    
    /media/ACERDATA/LINUX/etc/ssh/ssh_host_dsa_key:12: warning: unparsable line
    ...
    /media/ACERDATA/LINUX/etc/ssh/ssh_host_dsa_key.pub:1: weak key
    /media/ACERDATA/LINUX/etc/ssh/ssh_host_rsa_key:1: warning: unparsable line
    ...
    /media/ACERDATA/LINUX/etc/ssh/ssh_host_rsa_key.pub:1: weak key

  9. #9
    Join Date
    Apr 2008
    Location
    Austin, TX
    Beans
    39
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    How to use dowkd.pl as a quick sniff test for machines you control or are responsible for:

    Code:
    todb@mazikeen:~/Desktop$ perl dowkd.pl host 10.10.10.54
    # 10.10.10.54 SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    # 10.10.10.54 SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    10.10.10.54: weak key
    10.10.10.54: weak key
    Code:
    todb@mazikeen:~/Desktop$ perl dowkd.pl host planb-security.net
    # planb-security.net SSH-2.0-OpenSSH_5.0
    # planb-security.net SSH-2.0-OpenSSH_5.0
    (No hits == good)


    ..and for files:
    Code:
    todb@mazikeen:~/Desktop$ perl dowkd.pl file ~/.ssh/*
    /home/todb/.ssh/known_hosts:13: weak key
    /home/todb/.ssh/known_hosts:14: weak key
    /home/todb/.ssh/known_hosts:22: weak key
    ..etc.

    hth. have fun regenerating.

    -tod

  10. #10
    Join Date
    Mar 2007
    Beans
    19

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    EDIT: The new openssh-server package fixes your keys.

    About scanning your localhost for weak keys some additions to todb's post:

    Code:
    > perl dowkd.pl host localhost
    # localhost SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    # localhost SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    localhost: weak key
    localhost: weak key
    
    > perl dowkd.pl file /etc/ssh/*key* 
    /etc/ssh/ssh_host_dsa_key:0: open failed: Permission denied
    /etc/ssh/ssh_host_dsa_key.pub:1: weak key
    /etc/ssh/ssh_host_rsa_key:0: open failed: Permission denied
    /etc/ssh/ssh_host_rsa_key.pub:1: weak key
    After upgrade of openssh-server

    Code:
    > perl dowkd.pl host localhost                         
    # localhost SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.1
    # localhost SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.1
    
    > perl dowkd.pl file /etc/ssh/*key*
    /etc/ssh/ssh_host_dsa_key:0: open failed: Permission denied
    /etc/ssh/ssh_host_dsa_key.broken:0: open failed: Permission denied
    /etc/ssh/ssh_host_dsa_key.pub.broken:1: weak key
    /etc/ssh/ssh_host_rsa_key:0: open failed: Permission denied
    /etc/ssh/ssh_host_rsa_key.broken:0: open failed: Permission denied
    /etc/ssh/ssh_host_rsa_key.pub.broken:1: weak key
    Last edited by jojo4u; May 13th, 2008 at 04:44 PM.

Page 1 of 13 12311 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •