The OpenSSL bug

The OpenSSL bug in Debian based distributions made his way around the net. Many users are affected by the threat because not only SSH but also e.g. OpenVPN, IPSec, Mail, Web and DNS(sec) server which generate keys using OpenSSL have to be seen as compromised. Also non Debian systems have to be taken into account since users may have copied weak keys to the system.

The story about all is that a Debian package maintainer changed the code of OpenSSL because Valgrind – a tool to check the quality of source code – complained about some memory leaks. The result of this change is that uninitialized memory – used as a source for random data – was not used anymore and the seed for the crypto functions was only the pid of the process generating the keys.

The result is a very small possible key range when using the affected SSL versions. One day after the SSL bug was published by Debian HD Moore generated the most common SSH keys within this range. The same day the first brute-force tools appeared, which make use of this key tables.

HD moore also has some premature artwork using a dilbert comic on his page to blame about the Debian distribution: “Debian – You Can Never be Sure”

But this is only half of the truth. Yes, Debian maintainers changed the code of a very important package within the distribution. But before this happened, they asked on the OpenSSL mailing list about this change. And the OpenSSL people affirmed that this change does not affect the security of OpenSSL..

More information about the threat and how to handle it can be found on the official Debian wiki.

Clemens Kurtenbach
S21sec labs

Deja un comentario