It has been found by Luciano Bello that the Debian OpenSSL package has a severe security bug since 2006. By removing some lines of code from the
md_rand.c source code that originally caused the memory check tool Valgrind to alert (see original Debian discussion here) the box of pandorra has been opened and the flaw been introduced.
By removing that specific part of the OpenSSL code, effectively the random seed function has been crippled, and eventually the only random value remaining was the current process ID. Since on linux only a maximum no of 32,768 process IDs exist, the worth of this pseudo random number generator (PRNG) is heavily limited.
Update: a set of instructions has been added under IV. How to fix/repair your server (click here).This shows the steps to a secure server with new SSH server side keys.
Update II: a new fix has been released as of May, 16th (4.3p2-9etch2). You should therefore apply step IV. again to upgrade your SSH package to the recent version.
As a summary based on infos from metasploit.com.
- Debian based distributions are affected aswell (i.e. Ubuntu, Kubuntu, Xubuntu, Edubuntu, Gobuntu etc. pp)
- SSL and SSH keys generated between 09/2006 and 05/2008 are vulerable to brute force attacks
- SSL certificates need recreation and signed again by Certificate Authority
- Certificate Authority keys need to be regenerated and revoked.
- SSH public key authentication on other distributions than Debian may be affected aswell when keys have been generated on Debian systems
- SSH servers using host keys generated on Debian are vulnerably to man-in-the-middle attacks
III. Testing for weakness and vulerability
server$ wget -c http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
server$ gunzip dowk.pl.gz
server$ chmod 700 dowk.pl
server$ ./dowkd.pl host 127.0.0.1
(checks your local SSH host keys)
server$ ./dowkd.pl user
(checks all users available on your system)
Vulnerabilities will be reported. Nonetheless we recommend to apply step IV. How to fix/repair your server (click here).
Before reading on: if this article helps you, please click our non-offensive sponsor (Google-Adsense) and help us maintaining this project free. Thanks…
Log into your server as root and perform the following steps:
server$ apt-get update
server$ apt-get upgrade
server$ apt-get dist-upgrade
The OpenSSH and OpenSSL packages will be updated then. You will be asked a couple of questions concerning your server configuration. It should be fairly self explaining.
The server side SSH keys (known_host keys on your local machine) will be regenerated. If you still don’t trust your server, you can check your new host keys for vulnerability by entering this:
(the response should be
server$ ./dowkd.pl user
(if this reports weak keys read on)
Login as user whose keys have been recognized as weak and do the following:
server$ ssh-keygen -t dsa -b 1024
You should be done now.
H.D. Moore of metasploit.com already prepared
Debian toys and rainbow tables (pre-generated keys) for all possible 32,768 PIDs with up to 4096 bits in keysize that may be used for testing the brute force vulnerability of your systems.
» debian.org: Security Advisory DSA-1571-1 openssl…
» debian.org: Security Advisory DSA-1576-1 openssh…
» debian.org: Vulnerability test tool… (OpenPGP signature)…
» metasploit.com: OpenSSL Rainbow Tables …