Debian OpenSSL Predictable Key Vulnerability

Submitted by justin on Tue, 05/13/2008 - 17:26.

It seems Debian has introduced a critical flaw into the OpenSSL implementation that could allow an attacker to listen in on an encrypted web session or even an SSH session. What's worse is that even after an upgrade, old keys will still contain this vulnerability. This means that Debian (and Debian based systems - like Ubuntu) will have to patch/upgrade their systems and then regenerate all of their encryption keys. The Debian announcement can be found at Debian.org and the Ubuntu advisory can be found at Ubuntu.com. Update your systems as soon as you can!

Update:
It looks like code has been released to the wild to brute force ssh
keys to gain unauthorized access to servers running the bad openssl code
(with openssh and key authorization enabled):

http://www.milw0rm.com/exploits/5622

Note that debian has released a detector for known weak keys. Details
can be found at http://www.debian.org/security/2008/dsa-1571.

Reply

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Captcha Image: you will need to recognize the text in it.
Please type in the letters/numbers that are shown in the image above.