0 Replies Latest reply on May 16, 2008 3:06 PM by HarryWaldron

    Linux OpenSSL Issues - Update your Debian generated keys/certs ASAP

      As recommended, these keys should be regenerated for better protection after applying the latest release. The links below can help explain some of the key issues:

      INFOCon yellow: update your Debian generated keys/certs ASAP
      http://isc.sans.org/diary.html?storyid=4421

      QUOTE: Scripts that allow brute forcing of vulnerable keys (see this as rainbow tables for SSH keys) are in the wild so we would like to remind all of you to regenerate SSH keys ASAP. Please keep in mind that SSL certificates should be regenerated as well. This can be even more problematic if you had your certificates signed since you'll have to go through this process again (and possibly pay money again).

      Update 2310 UTC: The new Debian package for SSH (ssh_4.3p2-9etch1) also applies a package called "openssh-blacklist". After this update, your SSH server will refuse keys from the compromised set. The package also installs a new tool called "ssh-vulnkey" that can help in hunting down key files that contain weak keys. Note that in combination with the existing ssh-keyscan, ssh-vulnkey can be used to easily identify servers that use weak host keys, so while these Debian patches help those who patch, they also make attacks easier against those who did not yet patch.

      Additional Links
      http://www.pcmag.com/article2/0,2817,2305554,00.asp
      http://www.avertlabs.com/research/blog/index.php/2008/05/16/code-cleanup-gone-wr ong/

      H.D. Moore's Analysis
      http://metasploit.com/users/hdm/tools/debian-openssl/

      QUOTE: But the bug introduced by Debian effectively reduces the strength of the key to 32768 permutations, which is 16 bits. Famed security researcher HD Moore has actually already pre-calculated all of the potential keys for the most common cases. It took mere hours. So now you can be hacked even without someone brute-forcing your encryption