Fix for OpenSSL/SSH/VPN Vulnerability in Ubuntu 7.04/7.10/8.04
Sponsored Link
and SSL certificates.You can check Ubuntu security notice from here
This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.
We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems. (CVE-2008-0166) This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 ertificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected,
though.
The following Ubuntu releases are affected:
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS
Solution 1
You can download and install .deb packages from here
Upgrade instructions
-----------------
dpkg -i file.deb -- will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update -- will update the internal database
apt-get upgrade -- will install corrected packages
Solution 2
In this method you can check your SSH key is effected with this security hole or not
Download the following files
(OpenPGP signature)
Upgrade instructions
--------------------
wget url -- will fetch the file for you and download pgp file also
wget http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
gunzip dowkd.pl.gz
chmod +x dowkd.pl
./dowkd.pl file /etc/ssh/ssh_host_{dsa,rsa}_key.pub 2>/dev/null
This will tell you if the public key is weak. If it is, you should move/remove the key pair, then generate a new pair with the following command
sudo dpkg-reconfigure -plow openssh-server
Authorized keys, that can login using key based authentication.
./dowkd.pl file ~/.ssh/authorized_keys 2>/dev/null
This will return any weak keys that are authorized to login using key based authentication, these entries should be removed and a new one generated and added to the file.
You can create a new one using “ssh-keygen”, and redistribute the public key
I believe Ubuntu provides its own set of tools for checking for vulnerable keys: ssh-vulnkey and openvpn-vulnkey. I suppose it’s functionally equivalent to Debian’s Perl script, but since the Ubuntu copies are already being shipped with the updated, patched packages, one could recommend to prefer these.
Usage instructions are covered in the security notice link above as provided by Ubuntu Geek in this article.
Actually, openvpn-vulnkey instructions are here:
http://www.ubuntu.com/usn/usn-612-3
@johnd – thank for your comments really helpful for users
I updated today with aptitude and one of the packages installed was [UPGRADE] ssl-cert 1.0.14-0ubuntu2 -> 1.0.14-0ubuntu2.1
Was this the security flaw being fixed?
@4 (Lolwhites): you do need to upgrade ssl-cert to fix the security leak, but there are more packages. See the corresponding security notice (it contains a list of related packages):
http://www.ubuntu.com/usn/usn-612-1