[Cialug] Fw: US-CERT Technical Cyber Security Alert TA08-137A --
Debian/Ubuntu OpenSSL Random Number Generator Vulnerability
albus
albus at iowaconnect.com
Mon May 19 09:20:19 CDT 2008
Just a FYI.
Most of you probably already know, but for those that may not.
----- Original Message -----
From: "CERT Advisory" <cert-advisory at cert.org>
To: <cert-advisory at cert.org>
Sent: Friday, May 16, 2008 1:18 PM
Subject: US-CERT Technical Cyber Security Alert TA08-137A -- Debian/Ubuntu OpenSSL Random Number Generator Vulnerability
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> National Cyber Alert System
>
> Technical Cyber Security Alert TA08-137A
>
>
> Debian/Ubuntu OpenSSL Random Number Generator Vulnerability
>
> Original release date: May 16, 2008
> Last revised: --
> Source: US-CERT
>
> Systems Affected
>
> * Debian, Ubuntu, and Debian-based distributions
>
> Overview
>
> A vulnerability in the OpenSSL package included with the Debian
> GNU/Linux operating system and its derivatives may cause weak
> cryptographic keys to be generated. Any package that uses the affected
> version of SSL could be vulnerable.
>
> I. Description
>
> A vulnerability exists in the random number generator used by the
> OpenSSL package included with the Debian GNU/Linux, Ubuntu, and other
> Debian-based operating systems. This vulnerability causes the
> generated numbers to be predictable.
>
> The result of this error is that certain encryption keys are much more
> common than they should be. This vulnerability affects cryptographic
> applications that use keys generated by the flawed versions of the
> OpenSSL package. Affected keys include, but may not be limited to, SSH
> keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509
> certificates and session keys used in SSL/TLS connections. Any of
> these keys generated using the affected systems on or after 2006-09-17
> may be vulnerable. Keys generated with GnuPG, GNUTLS, ccrypt, or other
> encryption utilities that do not use OpenSSL are not vulnerable
> because these applications use their own random number generators.
>
> II. Impact
>
> A remote, unauthenticated attacker may be able to guess secret key
> material. The attacker may also be able to gain authenticated access
> to the system through the affected service or perform
> man-in-the-middle attacks.
>
> III. Solution
>
> Upgrade
>
> Debian and Ubuntu have released fixed versions of OpenSSL to address
> this issue. System administrators can use the ssh-vulnkey application
> to check for compromised or weak SSH keys. After applying updates,
> clients using weak keys may be refused by servers.
>
> Workaround
>
> Until updates can be applied, administrators and users are encouraged
> to restrict access to vulnerable servers. Debian- and Ubuntu-based
> systems can use iptables, iptables configuration tools, or
> tcp-wrappers to limit access.
>
>
> IV. References
>
> * DSA-1571-1 openssl - predictable random number generator -
> <http://www.debian.org/security/2008/dsa-1571>
>
> * Debian wiki - SSL keys - <http://wiki.debian.org/SSLkeys>
>
> * Ubuntu OpenSSL vulnerability -
> <http://www.ubuntu.com/usn/usn-612-1>
>
> * Ubuntu OpenSSH vulnerability -
> <http://www.ubuntu.com/usn/usn-612-2>
>
> * Ubuntu OpenVPN vulnerability -
> <http://www.ubuntu.com/usn/usn-612-3>
>
> * Ubuntu SSL-cert vulnerability
>
> * Ubuntu OpenSSH update - <http://www.ubuntu.com/usn/usn-612-5>
>
> * Ubuntu OpenVPN regression - <http://www.ubuntu.com/usn/usn-612-6>
>
> * OpenVPN regression - <http://www.ubuntu.com/usn/usn-612-6>
>
>
> _________________________________________________________________
>
> The most recent version of this document can be found at:
>
> <http://www.us-cert.gov/cas/techalerts/TA08-137A.html>
> _________________________________________________________________
>
> Feedback can be directed to US-CERT Technical Staff. Please send
> email to <cert at cert.org> with "TA08-137A Feedback VU#925211" in the
> subject.
> _________________________________________________________________
>
> For instructions on subscribing to or unsubscribing from this
> mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
> _________________________________________________________________
>
> Produced 2008 by US-CERT, a government organization.
>
> Terms of use:
>
> <http://www.us-cert.gov/legal.html>
> ____________________________________________________________________
>
> Revision History
>
> May 16, 2008: Initial release
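The advisory points administrators at ssh-vulnkey for finding weak SSH keys. The added Python example below (my own code, not CERT's, Debian's or the ssh-vulnkey implementation) shows the same kind of check a defender can run over an authorized_keys file: compute each key's MD5 fingerprint and look it up in a blacklist of known-weak fingerprints. It assumes the Debian blacklist format (one fingerprint per line with the leading 12 hex digits dropped); the keys and blacklist are constructed samples, not real blacklist data.

```python
import base64
import hashlib
import struct

# Assumption (not stated in the advisory): the openssh-blacklist files that
# ssh-vulnkey reads hold one entry per line, each being the key's MD5
# fingerprint with its first 12 hex digits dropped; '#' lines are comments.
BLACKLIST_SKIP = 12

def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string' (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """Encode a positive RFC 4251 'mpint' (leading zero byte if top bit set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa' public key line (constructed sample material)."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def blacklist_id(pubkey_line: str) -> str:
    """MD5 fingerprint of the key blob minus the leading digits the blacklist omits.
    Assumes plain 'type base64 comment' lines (no authorized_keys option prefix)."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    return hashlib.md5(blob).hexdigest()[BLACKLIST_SKIP:]

def load_blacklist(text: str) -> set:
    """Parse blacklist text, skipping comments and blank lines."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}

def weak_keys(authorized_keys: str, blacklist: set) -> list:
    """Return (line_no, comment) for every authorized_keys entry found in the blacklist."""
    hits = []
    for no, line in enumerate(authorized_keys.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if blacklist_id(line) in blacklist:
            fields = line.split()
            hits.append((no, fields[2] if len(fields) > 2 else ""))
    return hits

# Constructed sample keys (toy moduli, not real 2048-bit keys) and blacklist.
WEAK_KEY = rsa_pubkey_line(65537, 0xC0FFEE1234567891, "weak@example")
GOOD_KEY = rsa_pubkey_line(65537, 0xDEADBEEF0BADF00D, "good@example")
SAMPLE_BLACKLIST = load_blacklist("# constructed blacklist\n" + blacklist_id(WEAK_KEY) + "\n")

if __name__ == "__main__":
    print(weak_keys(WEAK_KEY + "\n" + GOOD_KEY + "\n", SAMPLE_BLACKLIST))
```

On a real Debian or Ubuntu host the blacklist text would come from the openssh-blacklist package files rather than the constructed set above; any hit means the key should be replaced, not merely removed from the file it was found in.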