bit-tech.net

OpenSSL flaw in Debian Linux discovered

OpenSSL flaw in Debian Linux discovered

Floating gnus will be the least of your worries if you don't patch your Debian-based OpenSSL install before the crackers find you.

If you're a Linux user sitting content in the knowledge that your open-source operating system is free from the security issues that plague other operating systems then you might want to double-check your system before breaking out the smug grin, as the Debian team has highlighted a rather embarrassing flaw in their Linux distribution.

The Debian distribution – upon which popular desktop Linux distributions including Ubuntu, Kubuntu, and Damn Small Linux are built – has been distributing a version of the OpenSSL encryption package with a random number generator that turns out not be quite as random as you might like.

Computer encryption relies on the generation of pseudo-random numbers. While a truly random number generator isn't possible without recourse to an external source of entropy, by salting the RNG with user-provided input such as a recent keystrokes, mouse usage and network traffic data it's possible to get darn close. If the random number generator produces a predictable output, an attacker can decrypt supposedly secure data by simply working out what numbers were fed to the encryption algorithm.

The issue stems from a bug fix to the OpenSSL package, which was first introduced back in 2006 in version 0.9.8c-1. This version, and all subsequent versions, rely on a random number generator which produces guessable results – a big no-no for cryptography purposes. Debian-based systems that use the Secure SHell (SSH), OpenVPN, DNSSEC, and users of X.509 certificates that have been generated on such systems are compromised by the flaw, as are DSA signing keys as used by the GNU Privacy Guard package.

The flaw in the OpenSSL package is specific to the version distributed with Debian and Debian-based Linux distributions – other versions including Fedora, Slackware, and Gentoo and their variants are not affected.

The issue, along with a few other flaws, is resolved in the latest version of the Debian OpenSSL implementation, 0.9.8c-4etch3. If you're running a vulnerable version – and I know I am – then it would be a very good idea to upgrade now, and regenerate cryptographic keys once you've got it installed.

Any Windows users want to point and laugh now the shoe is on the other foot, or perhaps you're an AIX user shaking your head at the antics of these Johnny-come-latelys? Share your thoughts over in the forums.

24 Comments

Discuss in the forums Reply
Tomm 14th May 2008, 13:18 Quote
You mean Linux isn't a perfect OS sent from God?
samkiller42 14th May 2008, 13:23 Quote
Quote:
Originally Posted by Tomm
You mean Linux isn't a perfect OS sent from God?

hahaha. My dreams have come true, the day something wrong comes to linux, no matter how small it was.... Sorry, all childish now.

At least in the light of this, its been sorted out relativley quickly, which is a good sign for any OS.

Sam
steveo_mcg 14th May 2008, 13:25 Quote
Seen this yesterday, meant to redo my keys last night (forgot) if any one is bored my system is wide open...
Kode 14th May 2008, 13:26 Quote
johnny come latelys? Debian has been running longer than redhat, redhat was initially released in 95, debian in 93, also the good thing about open source is these problems get picked up and fixed, rather than microsofts approach that seems to be pretend they arent there
Tomm 14th May 2008, 13:27 Quote
Clearly it's not perfect, nothing in this world is. It's therefore not a surprise that there's a small bug in one small part of Linux. It was, after all, created by humans. My point was the opposite really - we shouldn't be surprised by this news and I'm certainly not pointing and laughing.

Maybe I was too sarcastic (is there such a thing as too sarcastic?).
Gareth Halfacree 14th May 2008, 13:46 Quote
Quote:
Originally Posted by Kode
johnny come latelys? Debian has been running longer than redhat, redhat was initially released in 95, debian in 93,
I sit corrected. Article updated.
sotu1 14th May 2008, 14:06 Quote
you know in the simpsons when that bully dude goes 'haaha'. that's what i think! however, having said that, well done linux teams for getting onto it quickly. that is commendable
proxess 14th May 2008, 14:46 Quote
for 1 bug in linux article on bit-tech we have 500 windows bugs articles
C-Sniper 14th May 2008, 14:58 Quote
Nothing is perfect but atleast linux is more perfect than windows.


btw, slackware strawberry Cheesecake :D
DXR_13KE 14th May 2008, 15:10 Quote
at least it is patched faster than in windows.....
Glider 14th May 2008, 16:32 Quote
And the flaw isn't that big... Just a random number that could be predictable... And I could win the lottery...

This bug is also already fixed, so it' a non-issue. I don't have the time to redo my keys right now, so al hackers, go ahead ;)
pendragon 14th May 2008, 19:23 Quote
as much as I dislike the typical "smug linux user", no reason for me to point and laugh.. Linux has its own problems and quirks just like any OS out there... no big deal.. The good thing from this story is that they plugged the hole.. Kind of stinks that it's Debian..as Ubuntu is hugely popular.
Glider 14th May 2008, 19:50 Quote
Well, it doesn't stink at all... If you read the various Linux mailing lists, you will see security notices popping up often. But the good thing about this is that those flaws are usually fixed within days.
IanW 14th May 2008, 21:02 Quote
Exactly. This bug was squished almost immediately.
If it was a Windows bug, it wouldn't have been patched until the first Tuesday of NEXT month at the earliest!
WhiskeyAlpha 15th May 2008, 02:14 Quote
Being the stinking linux noob that I am, what do I need to do to "rebuild my keys"?

I just updated my ubuntu fileserver (ala Glider's superb server guide) to 8.04LTS and it fired up a warning message telling me about the security hole. Not sure if it sorts it automatically or whether I need to flex my typing skills on the command line :)
cebla 15th May 2008, 02:47 Quote
If the article is correct then this bug was introduced in 2006. That means its been there for two years. I am not sure why some of you think this was fixed so much more quickly than bugs in Windows.
Glider 15th May 2008, 05:55 Quote
Quote:
Originally Posted by WhiskeyAlpha
Being the stinking linux noob that I am, what do I need to do to "rebuild my keys"?

I just updated my ubuntu fileserver (ala Glider's superb server guide) to 8.04LTS and it fired up a warning message telling me about the security hole. Not sure if it sorts it automatically or whether I need to flex my typing skills on the command line :)
If you are using a key based authentication (like in passwordless SSH) then you need to update the keys generated by a Debian machine manually.
steveo_mcg 15th May 2008, 10:03 Quote
Quote:
Originally Posted by cebla
If the article is correct then this bug was introduced in 2006. That means its been there for two years. I am not sure why some of you think this was fixed so much more quickly than bugs in Windows.

Because as soon as it was caught it was fixed, wouldn't be the first time a large whole has been found in windows after a few years and it still takes at least a month for the fix.
pendragon 15th May 2008, 19:23 Quote
Quote:
Originally Posted by Glider
Well, it doesn't stink at all... If you read the various Linux mailing lists, you will see security notices popping up often. But the good thing about this is that those flaws are usually fixed within days.

uh... perhaps I missed your point.. but my point was that, as Ubuntu is massively popular (especially with newbies like myself), you'll get a larger amount of people with this flaw unpatched in their system (as opposed to say people that run a distro that isn't as popular).. which is too bad.
Glider 15th May 2008, 23:53 Quote
But the chances are very slim that a utter newbie would use public/private keys ;)
TheEclypse 16th May 2008, 11:33 Quote
What do all you people have that your encrypting :o
steveo_mcg 16th May 2008, 11:34 Quote
Remote connections, its either that or telnet...
Glider 16th May 2008, 14:45 Quote
Quote:
Originally Posted by TheEclypse
What do all you people have that your encrypting :o

Well, since public/private key pairs can be used for passwordless SSH, well... passwords :D
Glider 16th May 2008, 19:26 Quote
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums