The OpenSSL bug

The OpenSSL bug in Debian-based distributions has made its way around the net. Many users are affected by the threat because not only SSH but also e.g. OpenVPN, IPsec, mail, web and DNS(SEC) servers that generate keys using OpenSSL have to be seen as compromised. Non-Debian systems also have to be taken into account, since users may have copied weak keys to them.

The story behind it all is that a Debian package maintainer changed the code of OpenSSL because Valgrind, a tool to check the quality of source code, complained about some memory leaks. As a result of this change, uninitialized memory, which had been used as a source of random data, was no longer used, and the only seed for the crypto functions was the PID of the process generating the keys.

The result is a very small range of possible keys when using the affected SSL versions. One day after the SSL bug was published by Debian, HD Moore generated the most common SSH keys within this range. The same day the first brute-force tools appeared, which make use of these key tables.
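Why a PID-only seed makes every affected key listable, and how a defender can use that to audit a key inventory, shown as an added example that is not code from the original post or from OpenSSL. It assumes the default Linux PID range (1 to 32767); `toy_keygen` is a hypothetical stand-in that uses SHAKE-256 in place of OpenSSL's PRNG, and the inventory is constructed.

```python
import hashlib
import math
import os

PID_MAX = 32768  # assumption: default Linux pid_max, so PIDs run 1..32767

def toy_keygen(pid: int, bits: int = 2048) -> bytes:
    """Hypothetical key generator whose ONLY seed material is the PID.

    SHAKE-256 stands in for OpenSSL's PRNG; the output is not a real key.
    """
    seed = f"toy-prng|{bits}|{pid}".encode()
    return hashlib.shake_256(seed).digest(bits // 8)

def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()

def build_blacklist(bits: int = 2048) -> dict:
    """Enumerate every key the PID-seeded generator can ever emit."""
    return {fingerprint(toy_keygen(pid, bits)): pid for pid in range(1, PID_MAX)}

def effective_bits(blacklist: dict) -> float:
    """Real entropy of the keyspace, independent of the nominal key length."""
    return math.log2(len(blacklist))

def audit(inventory: dict, blacklist: dict) -> dict:
    """Map each key name to the PID that reproduces it, or None if unlisted."""
    return {name: blacklist.get(fingerprint(key)) for name, key in inventory.items()}

def demo() -> dict:
    blacklist = build_blacklist()
    # Constructed inventory: two keys from the weak generator (one of them
    # copied to a non-Debian host) and one drawn from the OS CSPRNG.
    inventory = {
        "debian-web01": toy_keygen(4242),
        "bsd-gw (copied key)": toy_keygen(31337),
        "fresh-key": os.urandom(256),
    }
    return {"bits": effective_bits(blacklist), "report": audit(inventory, blacklist)}

if __name__ == "__main__":
    result = demo()
    print(f"nominal 2048-bit keys, effective entropy: {result['bits']:.2f} bits")
    for name, pid in result["report"].items():
        status = f"WEAK, regenerate (pid {pid})" if pid else "not in blacklist"
        print(f"{name}: {status}")
```

The copied key is flagged even though its host never ran the affected package, which is why key inventories on non-Debian systems need the same check.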

HD Moore also has some premature artwork on his page, using a Dilbert comic to blame the Debian distribution: “Debian – You Can Never be Sure”

But this is only half of the truth. Yes, Debian maintainers changed the code of a very important package within the distribution. But before this happened, they asked on the OpenSSL mailing list about this change, and the OpenSSL people affirmed that this change does not affect the security of OpenSSL.

More information about the threat and how to handle it can be found on the official Debian wiki.

Clemens Kurtenbach
S21sec labs


  • nocilla 21 May, 2008 at 1:42 pm

    I’ve read the mail thread but I can’t find where the OpenSSL guys say you can remove the lines. I found where the OpenSSL guys say that, to debug the problems with Valgrind, you can comment out the 2 lines. From this I think that the Debian programmer didn’t uncomment them when the debugging step finished.

    I think the error comes not only from the OpenSSL developers, as has been said on a lot of sites; the error comes from both OpenSSL and Debian. You know, if something works, DON’T TOUCH!

  • S21sec labs 21 May, 2008 at 2:05 pm

    I totally agree with you. This error is a result of mistakes on both sides. But this opinion is surely not the general estimation of people who read “Debian OpenSSL Bug” in most of the news.