[SLUG] Debian SSH vulnerability: act now!
Just in case anyone missed it, there's been a major vulnerability for any SSH keys generated on a debian system over the last two years or so ... apparently the random number generator wasn't being seeded right, so only a few distinct keys were actually generated. The AARNET mirror doesn't have the updated packages as of this morning, but the Optusnet mirror does ... I suggest that -- you install the new openssh-client package (version 1:4.7p1-9 on unstable) -- run ssh-vulnkey -a as root to find any vulnerable keys, and get your users to fix them. -- Dr Peter Chubb http://www.gelato.unsw.edu.au peterc AT gelato.unsw.edu.au http://www.ertos.nicta.com.au ERTOS within National ICT Australia -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Debian SSH vulnerability: act now!
> Just in case anyone missed it, there's been a major vulnerability for > any SSH keys generated on a debian system over the last two years or > so ... apparently the random number generator wasn't being seeded > right, so only a few distinct keys were actually generated. > > The AARNET mirror doesn't have the updated packages as of this > morning, but the Optusnet mirror does ... I suggest that > -- you install the new openssh-client package (version 1:4.7p1-9 on unstable) > -- run ssh-vulnkey -a as root to find any vulnerable keys, and get > your users to fix them. ... and anyone running a machine that accepts ssh key authentication, even if it's not running Debian, has to care about this. Check the keys that are being used to authenticate to your hosts, and consider your recovery options carefully given that we can't detect all of the vulnerable keys. - Jeff -- OSCON 2008: Portland OR, USA http://conferences.oreilly.com/oscon/ "GNOME, launched specifically to counter a threat to our freedom, is the free software project par excellence." - Richard Stallman -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Debian SSH vulnerability: act now!
On Fri, May 16, 2008 at 09:24:00AM +1000, Peter Chubb wrote: > > Just in case anyone missed it, there's been a major vulnerability for > any SSH keys generated on a debian system over the last two years or > so ... apparently the random number generator wasn't being seeded > right, so only a few distinct keys were actually generated. > > The AARNET mirror doesn't have the updated packages as of this > morning, but the Optusnet mirror does ... I suggest that > -- you install the new openssh-client package (version 1:4.7p1-9 on unstable) > -- run ssh-vulnkey -a as root to find any vulnerable keys, and get > your users to fix them. This also includes any certificates created by openssl (apache, exim, postfix). its a pain but this is a link to the ubunto ssl checker https://launchpad.net/ubuntu/+source/openssl-blacklist/ > > > -- > Dr Peter Chubb http://www.gelato.unsw.edu.au peterc AT gelato.unsw.edu.au > http://www.ertos.nicta.com.au ERTOS within National ICT Australia > -- > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html > -- Better dead than mellow. signature.asc Description: Digital signature -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Debian SSH vulnerability: act now!
For people not using debian, the ssh-vulnkey logic has been repackaged with dependencies as a CPAN distribution and should be installable anywhere that has a Perl installation, including on Windows using Strawberry Perl (http://strawberryperl.com). http://search.cpan.org/dist/Dowse-BadSSH/ The package is going through a couple of releases a day as it gets tweaked and cross-platform bugs are excised, so if you have any difficulties with it, wait 24 hours or so and try again. Adam K Peter Chubb wrote: Just in case anyone missed it, there's been a major vulnerability for any SSH keys generated on a debian system over the last two years or so ... apparently the random number generator wasn't being seeded right, so only a few distinct keys were actually generated. The AARNET mirror doesn't have the updated packages as of this morning, but the Optusnet mirror does ... I suggest that -- you install the new openssh-client package (version 1:4.7p1-9 on unstable) -- run ssh-vulnkey -a as root to find any vulnerable keys, and get your users to fix them. -- Dr Peter Chubb http://www.gelato.unsw.edu.au peterc AT gelato.unsw.edu.au http://www.ertos.nicta.com.au ERTOS within National ICT Australia -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Debian SSH vulnerability: act now!
Peter Chubb wrote: Just in case anyone missed it, there's been a major vulnerability for any SSH keys generated on a debian system over the last two years or so ... apparently the random number generator wasn't being seeded right, so only a few distinct keys were actually generated. For ubuntu systems, dapper is not affected, so aside from compromised keys being introduced there, if you are on LTS, you should be mostly OK. But check anyway. What a pain in the arse eh dave -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Debian SSH vulnerability: act now!
And what has barely rated a mention is that anything you may have transmitted using SSH or SSL encryption using aforesaid weak keys may also be vulnerable to easy decryption. While a long shot, if someone has managed to capture whole packet traces of such a conversation, it might be a relatively easy (compared to using non-weak keys) brute force exercise to decode the traffic simply by trying all of the 32767 possible weak keys (this applies to SSH - not sure about SSL - though for self-signed certificates it could well be the same level of risk). Of course, capturing traffic between client and server across the internet is not easy unless the bad guys are located in a carrier and an ISP, so the risk here is probably quite small. Regards, Martin On Fri, May 16, 2008 at 9:30 AM, Jeff Waugh <[EMAIL PROTECTED]> wrote: > > >> Just in case anyone missed it, there's been a major vulnerability for >> any SSH keys generated on a debian system over the last two years or >> so ... apparently the random number generator wasn't being seeded >> right, so only a few distinct keys were actually generated. >> >> The AARNET mirror doesn't have the updated packages as of this >> morning, but the Optusnet mirror does ... I suggest that >> -- you install the new openssh-client package (version 1:4.7p1-9 on >> unstable) >> -- run ssh-vulnkey -a as root to find any vulnerable keys, and get >> your users to fix them. > > ... and anyone running a machine that accepts ssh key authentication, even > if it's not running Debian, has to care about this. Check the keys that are > being used to authenticate to your hosts, and consider your recovery options > carefully given that we can't detect all of the vulnerable keys. > > - Jeff > > -- > OSCON 2008: Portland OR, USA http://conferences.oreilly.com/oscon/ > >"GNOME, launched specifically to counter a threat to our freedom, is > the free software project par excellence." - Richard Stallman > -- > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html > -- Regards, Martin Martin Visser -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Debian SSH vulnerability: act now!
On Fri, 2008-05-16 at 09:24 +1000, Peter Chubb wrote: > Just in case anyone missed it, there's been a major vulnerability for > any SSH keys generated on a debian system over the last two years or > so ... apparently the random number generator wasn't being seeded > right, so only a few distinct keys were actually generated. Today's XKCD sums up my feelings on the matter quite nicely. http://xkcd.com/424/ -- Pete -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Debian SSH vulnerability: act now!
Martin Visser wrote: Of course, capturing traffic between client and server across the internet is not easy unless the bad guys are located in a carrier and an ISP, so the risk here is probably quite small. I'm not too worried about carriers or ISPs. It's in our interest to keep software up to date and to prevent vulnerabilities and intrusions. But there's a lot of ADSL modems out there which are never updated. -- Glen Turner -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
