This notice covers a bug in the Debian OpenSSL implementation which was published on May 13th, 2008. The bug affects entropy for OpenSSL's cryptographic seed - leaving a greatly-reduced number of possible entropy values.
As this bug may affect many VPSLink users, we are issuing a security notice and providing instructions for those who have not already taken action. To ensure that your VPS is not adversely affected, please observe the instructions below and review the Security Best Practices guide on the VPSLink Wiki for additional recommendations.

Security issue scope: Attackers using keys in the affected key range could gain root access to your VPS (via SSH key brute force attack on user accounts or a man in the middle on an SSH session) or the ability to eavesdrop on SSL-encrypted communications (via SSL key man in the middle attack).

Who is affected: All Debian 4.0 and Debian 4.0-based Linux distribution users who are using SSL or SSH keys - particularly those users whose firewalls and sshd configurations allow unrestricted login attempts on port 22.

Affected distributions in use at VPSLink include:
* Operating system is no longer supported by distribution's developer community

To address this problem: Updates and support for Ubuntu 6.10 ended on April 25th, 2008 - Ubuntu 6.10 users should either upgrade to a later Ubuntu release or downgrade to Ubuntu 6.06 LTS (supported to June 1st, 2011). All other Debian and Ubuntu users should follow the instructions provided below to ensure that this vulnerability is addressed:

1) Issue the aptitude update && aptitude upgrade command (prefixed by sudo as needed) to upgrade installed packages
2) See the SSL Keys entry on the Debian Wiki for further information to identify weak keys on your system, address application issues, and mitigate the effect of brute-force attacks on your VPS in the near future (this issue will likely increase the volume of brute force attempts which hit your VPS).
3) Review the Security Best Practices guide on the VPSLink Wiki for preventative security recommendations and links to security resources.

Remember Best Security Practices,
If your sshd is still using port 22, now would be a GREAT time to change it! Also, if you don't use key pairs and instead use a User/Pass combo, this does not affect you, and after you update your system you should still be secure.

At the very least, after changing the port, you can su to become root or prefix sudo as needed:

Code:
aptitude update && aptitude upgrade && aptitude dist-upgrade

then

Code:
rm /etc/ssh/ssh_host_*

Code:
dpkg-reconfigure openssh-server

If you can log in again and don't have key pairs to regenerate, you're "done".

If you're serving other users who log in via SSH, it would be best to tell them of this update and that their client will warn them, ONCE! Be wary of attacks on the clients as well: with people expecting key changes, it would be simple to successfully complete a MITM attack on a user.

Last edited by SomeoneE1se; 05-16-2008 at 10:56 AM.

When you update, it actually automatically checks to see if your host key is in the vulnerable set and regenerates it if so. From the prompts, it also checks your login key pairs.
Also beware of other apps that use keys generated by the library, like OpenVPN. In my case updating Ubuntu also installed an OpenVPN checker, but didn't check it automatically. It's just one data point, but of my 2 boxes one had a vulnerable host key and my OpenVPN key was not vulnerable.

Note that DSA keys used with the bad OpenSSL should be considered compromised even if they were strong keys not generated by a weak OpenSSL. This is due to weakness in DSA compared to RSA.
Mike O'Connor stew@debian.org
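Added example, not part of the thread and not Debian's or VPSLink's own tooling: a sketch of the two checks discussed above, run over `authorized_keys`-style lines. It flags keys whose MD5 fingerprint is in a caller-supplied set of known-weak fingerprints, and flags every DSA key for review. All function names are hypothetical, the weak-fingerprint set is assumed to come from your distribution's published list, and the sample keys are constructed filler bytes rather than real keys.

```python
import base64
import binascii
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in common use in 2008

def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint of a decoded public-key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_pubkey(line):
    """Return (key_type, fingerprint) for an authorized_keys line, else None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):  # options may precede the type
        if field not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        # A well-formed blob starts with a length-prefixed copy of the type.
        if blob.startswith(struct.pack(">I", len(field)) + field.encode()):
            return field, md5_fingerprint(blob)
    return None

def audit(lines, weak_fingerprints):
    """Return (line_no, fingerprint, finding) for each key needing action."""
    findings = []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_pubkey(line)
        if parsed is None:
            findings.append((no, None, "unparseable"))
        elif parsed[1] in weak_fingerprints:
            findings.append((no, parsed[1], "weak: replace"))
        elif parsed[0] == "ssh-dss":
            findings.append((no, parsed[1], "dsa: review"))
    return findings

def sample_line(key_type, body, options=""):
    """Constructed, non-functional key line (filler bytes, not a real key)."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + body
    return f"{options}{key_type} {base64.b64encode(blob).decode()} user@example"
```

A "dsa: review" finding only means the key is DSA; whether it was ever used from an affected host has to be established separately.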