US CERT - dual booters - Debian - Ubunta

[Guest MEB]

Technical Cyber Security Alert TA08-137A -- Debian/Ubuntu OpenSSL Random

Number Generator Vulnerability

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

National Cyber Alert System

 

Technical Cyber Security Alert TA08-137A

 

 

Debian/Ubuntu OpenSSL Random Number Generator Vulnerability

 

Original release date: May 16, 2008

Last revised: --

Source: US-CERT

 

Systems Affected

 

* Debian, Ubuntu, and Debian-based distributions

 

Overview

 

A vulnerability in the OpenSSL package included with the Debian

GNU/Linux operating system and its derivatives may cause weak

cryptographic keys to be generated. Any package that uses the affected

version of SSL could be vulnerable.

 

I. Description

 

A vulnerabiliity exists in the random number generator used by the

OpenSSL package included with the Debian GNU/Linux, Ubuntu, and other

Debian-based operating systems. This vulnerability causes the

generated numbers to be predictable.

 

The result of this error is that certain encryption keys are much more

common than they should be. This vulnerability affects cryptographic

applications that use keys generated by the flawed versions of the

OpenSSL package. Affected keys include, but may not be limited to, SSH

keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509

certificates and session keys used in SSL/TLS connections. Any of

these keys generated using the affected systems on or after 2006-09-17

may be vulnerable. Keys generated with GnuPG, GNUTLS, ccrypt, or other

encryption utilities that do not use OpenSSL are not vulnerable

because these applications use their own random number generators.

 

II. Impact

 

A remote, unauthenticated attacker may be able to guess secret key

material. The attacker may also be able to gain authenticated access

to the system through the affected service or perform

man-in-the-middle attacks.

 

III. Solution

 

Upgrade

 

Debian and Ubuntu have released fixed versions of OpenSSL to address

this issue. System administrators can use the ssh-vulnkey application

to check for compromised or weak SSH keys. After applying updates,

clients using weak keys may be refused by servers.

 

Workaround

 

Until updates can be applied, administrators and users are encouraged

to restrict access to vulnerable servers. Debian- and Ubuntu-based

systems can use iptables, iptables configuration tools, or

tcp-wrappers to limit access.

 

 

IV. References

 

* DSA-1571-1 openssl - predictable random number generator -

<http://www.debian.org/security/2008/dsa-1571>

 

* Debian wiki - SSL keys - <http://wiki.debian.org/SSLkeys>

 

* Ubuntu OpenSSL vulnerability -

<http://www.ubuntu.com/usn/usn-612-1>

 

* Ubuntu OpenSSH vulnerability -

<http://www.ubuntu.com/usn/usn-612-2>

 

* Ubuntu OpenVPN vulnerability -

<http://www.ubuntu.com/usn/usn-612-3>Ubuntu SSL-cert vulnerability

 

* Ubuntu OpenSSH update - <http://www.ubuntu.com/usn/usn-612-5>

 

* Ubuntu OpenVPN regression - <http://www.ubuntu.com/usn/usn-612-6>

 

* OpenVPN regression - <http://www.ubuntu.com/usn/usn-612-6>

 

 

_________________________________________________________________

 

The most recent version of this document can be found at:

 

<http://www.us-cert.gov/cas/techalerts/TA08-137A.html>

_________________________________________________________________

 

Feedback can be directed to US-CERT Technical Staff. Please send

email to <cert@cert.org> with "TA08-137A Feedback VU#925211" in the

subject.

_________________________________________________________________

 

For instructions on subscribing to or unsubscribing from this

mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

_________________________________________________________________

 

Produced 2008 by US-CERT, a government organization.

 

Terms of use:

 

<http://www.us-cert.gov/legal.html>

____________________________________________________________________

 

Revision History

 

May 16, 2008: Initial release

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.1 (GNU/Linux)

 

iQEVAwUBSC3OLvRFkHkM87XOAQIY6Qf/RywAJKkMBte71mgV+XKHOFH9yLy+vOGs

HlC35oyfpijFSPI1TyYpN9vvpvfhL8DDDG6/dNBt+u1uVskcurb5Rh1UMmpEEFg0

kVGos6JDD18T6JpfgvEY9k+4iVAGApNirEYRDsKFVRho/3CaJQ6Tdp/jf3NEzmNE

DPgsEA0n825kBd0dr/v3yT5S9wYsn5x9n6OfyHShXVwYPK/V3jEXbU0uZo0Nt7HX

L0FIVTz5tMWIm1LoTsh+GeE0dsnsg/0+qf1jRRq66GQ+3eMGO/wepTbUmqGCXF0s

I+O756V/mDxrPePJRNcpCjtGZCEjtMNJ4fZPQhosxbNVPpvDV5rGlQ==

=93LZ

-----END PGP SIGNATURE-----