FWD: Important Security Problem on Debian and Ubuntu Linux Systems

From: mcallister@mit.edu
Date: Wed May 14 2008 - 13:41:17 EDT


From: "Jeffrey I. Schiller" <jis@MIT.EDU>
Subject: Important Security Problem on Debian and Ubuntu Linux Systems
Date: Wed, 14 May 2008 00:17:10 -0400
To: itpartners@MIT.EDU

Today a serious security problem was discovered in two Linux
distributions, Debian and Ubuntu. All such systems installed or
upgraded since the end of 2006 are affected (aka Debian Etch is
affected but not Sarge). Ubuntu 6.X and beyond are affected.

Other distributions are *NOT* affected. Red Hat is *NOT* affected.

Windows and Macintosh computers are *NOT* affected.

The problem is in the random number generator that is used to generate
certain kinds of cryptographic keys. In particular those used by the
"ssh" programs for remote login as well as keys used in
certificates. Although non-Debian and non-Ubuntu systems do not have
the bug, if keys generated on affected systems are used on other
systems, then they are at risk.

PGP and GPG keys are safe (they don't use the buggy random number
generator).

So. If you manage Linux systems, you should check out the pages
below. Fixed packages are available for the affected systems. The
links below will help find them. Note: The last link is to a tool
which can be used remotely to determine if a host has a weak SSH key!
You should use this tool to test any systems you suspect may have weak
keys (you can bet the bad guys will be using this program against
us!).

Debian:

http://www.debian-administration.org/articles/596

Ubuntu:

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/229964

Here is a tool that can help detect some weak keys:

http://security.debian.org/project/extra/dowkd/dowkd.pl.gz

                        -Jeff

-- 
========================================================================
Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis@mit.edu
========================================================================
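The detector linked above works by comparing keys it sees against a precomputed list of keys the broken generator could produce. The script below is an added example, not part of the original message or of the dowkd.pl tool, showing that style of check against a local authorized_keys file: it parses each key line, verifies the declared key type against the wire-format blob, computes the OpenSSH-style SHA256 fingerprint and looks it up in a blacklist. The keys, moduli and blacklist entries are constructed toy values (the moduli are not real RSA moduli); a real deployment would load the distribution's published weak-key list instead.

```python
import base64
import hashlib
import struct
from typing import List, Set, Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a positive SSH mpint (a leading 0x00 is added when the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def make_rsa_public_key(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa <base64 blob> <comment>' line from e and n.
    Constructed helper for the sample data: n is a toy value, not a real modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64 of the digest, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Tuple[int, str, bytes, str]]:
    """Return (line_no, key_type, blob, comment) for every well-formed key line.
    Blank lines, '#' comments and undecodable lines are skipped. A leading options
    field (e.g. from="...",no-pty) is tolerated as long as it contains no spaces."""
    keys = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # The first field naming a key type starts the key; anything before it is options.
        for idx, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                key_type = field
                break
        else:
            continue
        if idx + 1 >= len(fields):
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(blob) < 4:
            continue
        # The blob's own leading type string must agree with the declared type.
        (tlen,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + tlen] != key_type.encode():
            continue
        comment = " ".join(fields[idx + 2:])
        keys.append((line_no, key_type, blob, comment))
    return keys


def find_weak_keys(text: str, blacklist: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, fingerprint, comment) for each key whose fingerprint is blacklisted."""
    hits = []
    for line_no, _key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint_sha256(blob)
        if fp in blacklist:
            hits.append((line_no, fp, comment))
    return hits


# Constructed sample keys with toy moduli; only the parsing and lookup are exercised.
WEAK_KEY = make_rsa_public_key(65537, 0xC0FFEE_DEAD_BEEF_1337, "alice@etch-box")
GOOD_KEY = make_rsa_public_key(65537, 0xFEED_FACE_CAFE_BABE_42, "bob@fixed-host")

# Constructed blacklist standing in for the distribution's precomputed weak-key list.
WEAK_FINGERPRINTS = {fingerprint_sha256(base64.b64decode(WEAK_KEY.split()[1]))}

# Constructed authorized_keys content: one good key, one weak key behind an options
# field, one corrupt line that must be skipped rather than crash the scan.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for the deploy account (constructed sample)",
    GOOD_KEY,
    'from="10.0.0.0/8",no-pty ' + WEAK_KEY,
    "ssh-rsa not-valid-base64!! broken@line",
    "",
])

if __name__ == "__main__":
    for line_no, fp, comment in find_weak_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(f"line {line_no}: WEAK key {fp} ({comment})")
```

The type check between the declared `ssh-rsa` field and the blob's embedded type string matters because a lookup keyed only on the base64 text would miss a weak key that was re-labelled or re-encoded; fingerprinting the decoded blob matches keys by their actual material.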



This archive was generated by hypermail 2.1.2 : Mon Feb 24 2014 - 14:07:33 EST