OpenSSL massive pwnage

In English, Security, Techie, ,

All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between september 2006 and May 13th, 2008 may be insecure.
In the case of SSL keys, all generated certificates will be need to recreated and sent off to the Certificate Authority to sign.
Any Certificate Authority keys generated on a Debian-based system will need be regenerated and revoked.
All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerabile system.
Any tools that relied on OpenSSL’s PRNG to secure the data they transferred may be vulnerable to an offline attack.
Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users.

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17, and has since that date propagated to the testing and current stable (etch) distributions.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

Applications/protocols known to use these keys:

References:

Posted by jekil
May 17, 2008

Did you enjoy this post? Why not leave a comment below and continue the conversation, or subscribe to my feed and get articles like this delivered automatically to your feed reader.

Comments

No comments yet.

Leave a comment

(required)

(required)