May 14, 2008 · Security, Server ·

Sponsored Link
A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN
and SSL certificates.You can check Ubuntu security notice from here

This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems. (CVE-2008-0166) This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 ertificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected,
though.

The following Ubuntu releases are affected:

Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

Solution 1

You can download and install .deb packages from here

Upgrade instructions
-----------------

dpkg -i file.deb -- will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update -- will update the internal database

apt-get upgrade -- will install corrected packages

Solution 2

In this method you can check your SSH key is effected with this security hole or not

Download the following files

dowkd.pl.gz

dowkd.pl.gz.asc

(OpenPGP signature)

Upgrade instructions
--------------------

wget url -- will fetch the file for you and download pgp file also

wget http://security.debian.org/project/extra/dowkd/dowkd.pl.gz

gunzip dowkd.pl.gz

chmod +x dowkd.pl

./dowkd.pl file /etc/ssh/ssh_host_{dsa,rsa}_key.pub 2>/dev/null

This will tell you if the public key is weak. If it is, you should move/remove the key pair, then generate a new pair with the following command

sudo dpkg-reconfigure -plow openssh-server

Authorized keys, that can login using key based authentication.

./dowkd.pl file ~/.ssh/authorized_keys 2>/dev/null

This will return any weak keys that are authorized to login using key based authentication, these entries should be removed and a new one generated and added to the file.

You can create a new one using “ssh-keygen”, and redistribute the public key

Sponsored Link

5 Comments to “Fix for OpenSSL/SSH/VPN Vulnerability in Ubuntu 7.04/7.10/8.04”

  1. johnd says:

    I believe Ubuntu provides its own set of tools for checking for vulnerable keys: ssh-vulnkey and openvpn-vulnkey. I suppose it’s functionally equivalent to Debian’s Perl script, but since the Ubuntu copies are already being shipped with the updated, patched packages, one could recommend to prefer these.

    Usage instructions are covered in the security notice link above as provided by Ubuntu Geek in this article.

  2. johnd says:

    Actually, openvpn-vulnkey instructions are here:

    http://www.ubuntu.com/usn/usn-612-3

  3. admin says:

    @johnd – thank for your comments really helpful for users

  4. lolwhites says:

    I updated today with aptitude and one of the packages installed was [UPGRADE] ssl-cert 1.0.14-0ubuntu2 -> 1.0.14-0ubuntu2.1

    Was this the security flaw being fixed?

  5. johnd says:

    @4 (Lolwhites): you do need to upgrade ssl-cert to fix the security leak, but there are more packages. See the corresponding security notice (it contains a list of related packages):

    http://www.ubuntu.com/usn/usn-612-1

Leave a Reply

  • Recent comments