OpenSSL flaw in Debian Linux discovered

Author: Gareth Halfacree
Published: 14th May 2008
Comments (24) Stumble
OpenSSL flaw in Debian Linux discovered

Floating gnus will be the least of your worries if you don't patch your Debian-based OpenSSL install before the crackers find you.

If you're a Linux user sitting content in the knowledge that your open-source operating system is free from the security issues that plague other operating systems then you might want to double-check your system before breaking out the smug grin, as the Debian team has highlighted a rather embarrassing flaw in their Linux distribution.

The Debian distribution – upon which popular desktop Linux distributions including Ubuntu, Kubuntu, and Damn Small Linux are built – has been distributing a version of the OpenSSL encryption package with a random number generator that turns out not be quite as random as you might like.

Computer encryption relies on the generation of pseudo-random numbers. While a truly random number generator isn't possible without recourse to an external source of entropy, by salting the RNG with user-provided input such as a recent keystrokes, mouse usage and network traffic data it's possible to get darn close. If the random number generator produces a predictable output, an attacker can decrypt supposedly secure data by simply working out what numbers were fed to the encryption algorithm.

The issue stems from a bug fix to the OpenSSL package, which was first introduced back in 2006 in version 0.9.8c-1. This version, and all subsequent versions, rely on a random number generator which produces guessable results – a big no-no for cryptography purposes. Debian-based systems that use the Secure SHell (SSH), OpenVPN, DNSSEC, and users of X.509 certificates that have been generated on such systems are compromised by the flaw, as are DSA signing keys as used by the GNU Privacy Guard package.

The flaw in the OpenSSL package is specific to the version distributed with Debian and Debian-based Linux distributions – other versions including Fedora, Slackware, and Gentoo and their variants are not affected.

The issue, along with a few other flaws, is resolved in the latest version of the Debian OpenSSL implementation, 0.9.8c-4etch3. If you're running a vulnerable version – and I know I am – then it would be a very good idea to upgrade now, and regenerate cryptographic keys once you've got it installed.

Any Windows users want to point and laugh now the shoe is on the other foot, or perhaps you're an AIX user shaking your head at the antics of these Johnny-come-latelys? Share your thoughts over in the forums.
Quote Tomm 14th May 2008, 12:18
You mean Linux isn't a perfect OS sent from God?
Quote samkiller42 14th May 2008, 12:23
Quote:
Originally Posted by Tomm
You mean Linux isn't a perfect OS sent from God?

hahaha. My dreams have come true, the day something wrong comes to linux, no matter how small it was.... Sorry, all childish now.

At least in the light of this, its been sorted out relativley quickly, which is a good sign for any OS.

Sam
Quote steveo_mcg 14th May 2008, 12:25
Seen this yesterday, meant to redo my keys last night (forgot) if any one is bored my system is wide open...
Quote Kode 14th May 2008, 12:26
johnny come latelys? Debian has been running longer than redhat, redhat was initially released in 95, debian in 93, also the good thing about open source is these problems get picked up and fixed, rather than microsofts approach that seems to be pretend they arent there
Quote Tomm 14th May 2008, 12:27
Clearly it's not perfect, nothing in this world is. It's therefore not a surprise that there's a small bug in one small part of Linux. It was, after all, created by humans. My point was the opposite really - we shouldn't be surprised by this news and I'm certainly not pointing and laughing.

Maybe I was too sarcastic (is there such a thing as too sarcastic?).
Quote Gareth Halfacree 14th May 2008, 12:46
Quote:
Originally Posted by Kode
johnny come latelys? Debian has been running longer than redhat, redhat was initially released in 95, debian in 93,
I sit corrected. Article updated.
Quote sotu1 14th May 2008, 13:06
you know in the simpsons when that bully dude goes 'haaha'. that's what i think! however, having said that, well done linux teams for getting onto it quickly. that is commendable
Quote proxess 14th May 2008, 13:46
for 1 bug in linux article on bit-tech we have 500 windows bugs articles
Quote C-Sniper 14th May 2008, 13:58
Nothing is perfect but atleast linux is more perfect than windows.


btw, slackware strawberry Cheesecake :D
Quote DXR_13KE 14th May 2008, 14:10
at least it is patched faster than in windows.....
Quote Glider 14th May 2008, 15:32
And the flaw isn't that big... Just a random number that could be predictable... And I could win the lottery...

This bug is also already fixed, so it' a non-issue. I don't have the time to redo my keys right now, so al hackers, go ahead ;)
Quote pendragon 14th May 2008, 18:23
as much as I dislike the typical "smug linux user", no reason for me to point and laugh.. Linux has its own problems and quirks just like any OS out there... no big deal.. The good thing from this story is that they plugged the hole.. Kind of stinks that it's Debian..as Ubuntu is hugely popular.
Quote Glider 14th May 2008, 18:50
Well, it doesn't stink at all... If you read the various Linux mailing lists, you will see security notices popping up often. But the good thing about this is that those flaws are usually fixed within days.
Quote IanW 14th May 2008, 20:02
Exactly. This bug was squished almost immediately.
If it was a Windows bug, it wouldn't have been patched until the first Tuesday of NEXT month at the earliest!
Quote WhiskeyAlpha 15th May 2008, 01:14
Being the stinking linux noob that I am, what do I need to do to "rebuild my keys"?

I just updated my ubuntu fileserver (ala Glider's superb server guide) to 8.04LTS and it fired up a warning message telling me about the security hole. Not sure if it sorts it automatically or whether I need to flex my typing skills on the command line :)
Quote cebla 15th May 2008, 01:47
If the article is correct then this bug was introduced in 2006. That means its been there for two years. I am not sure why some of you think this was fixed so much more quickly than bugs in Windows.
Quote Glider 15th May 2008, 04:55
Quote:
Originally Posted by WhiskeyAlpha
Being the stinking linux noob that I am, what do I need to do to "rebuild my keys"?

I just updated my ubuntu fileserver (ala Glider's superb server guide) to 8.04LTS and it fired up a warning message telling me about the security hole. Not sure if it sorts it automatically or whether I need to flex my typing skills on the command line :)
If you are using a key based authentication (like in passwordless SSH) then you need to update the keys generated by a Debian machine manually.
Quote steveo_mcg 15th May 2008, 09:03
Quote:
Originally Posted by cebla
If the article is correct then this bug was introduced in 2006. That means its been there for two years. I am not sure why some of you think this was fixed so much more quickly than bugs in Windows.

Because as soon as it was caught it was fixed, wouldn't be the first time a large whole has been found in windows after a few years and it still takes at least a month for the fix.
Quote pendragon 15th May 2008, 18:23
Quote:
Originally Posted by Glider
Well, it doesn't stink at all... If you read the various Linux mailing lists, you will see security notices popping up often. But the good thing about this is that those flaws are usually fixed within days.

uh... perhaps I missed your point.. but my point was that, as Ubuntu is massively popular (especially with newbies like myself), you'll get a larger amount of people with this flaw unpatched in their system (as opposed to say people that run a distro that isn't as popular).. which is too bad.
Quote Glider 15th May 2008, 22:53
But the chances are very slim that a utter newbie would use public/private keys ;)
Quote TheEclypse 16th May 2008, 10:33
What do all you people have that your encrypting :o
Quote steveo_mcg 16th May 2008, 10:34
Remote connections, its either that or telnet...
Quote Glider 16th May 2008, 13:45
Quote:
Originally Posted by TheEclypse
What do all you people have that your encrypting :o

Well, since public/private key pairs can be used for passwordless SSH, well... passwords :D
Quote Glider 16th May 2008, 18:26
http://xkcd.com/424/
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.