An interesting article was posted on Technology Review that outlined a vulnerability in OpenSSL. Apparently a development group decided to make an “improvement” to the OpenSSL source code, and the result was severely degraded entropy for creating the cryptographic keys used by OpenSSL applications.
…after a week of analysis, we now know that two changed lines of code have created profound security vulnerabilities in at least four different open-source operating systems, 25 different application programs, and millions of individual computer systems on the Internet.
An official announcement of this vulnerability can be found at Net-Security, with the following statement:
A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.
What’s especially interesting about this vulnerability is that simply updating your OpenSSL binaries isn’t enough to solve the existing issues. You have to go back and update all of your certificates generated by the modified OpenSSL binaries. That is no easy task, assuming people even know how it is done. See, some applications automatically take care of generating your private keys whenever you install the application. For those instances you may not even know you are exposed…
What exactly is exposed? There isn’t a comprehensive list but think about the following items:
- Apache Web Servers
- IIS Servers (did you generate a certificate with OpenSSL?)
- OpenSSH (Other SSH platforms?)
- IPSec VPN Solutions (Racoon?)
And what about Windows-based applications that have private keys generated by the suspected OpenSSL binaries? I don’t know for sure, but I suspect this vulnerability isn’t limited to only the Linux platform.
I have been using FreeSSHD for a while now and I am wondering if they are subject to this vulnerability… I posted a comment on their forums and hopefully will see a response soon.
If you’re not sure about the impact to your environment, I would encourage you to do a little more investigation.
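One way to start that investigation for OpenSSH, as an added example that is not part of the original post: the script below scans authorized_keys content and reports every key whose fingerprint appears on a blocklist of known weak keys. The function names, the blocklist format (SHA-256 hex of the decoded key blob), the sample keys and the file contents are all constructed for illustration.

```python
import base64, hashlib, shlex, struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # key types OpenSSH could generate in 2008

def ssh_string(data: bytes) -> bytes:  # length-prefixed SSH wire-format string
    return struct.pack(">I", len(data)) + data

def fingerprint(blob: bytes) -> str:  # assumed blocklist format: SHA-256 hex of blob
    return hashlib.sha256(blob).hexdigest()

def parse_line(line: str):
    """Return (key_type, blob, comment) for an authorized_keys line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)  # keeps quoted options like command="a b" whole
    except ValueError:
        tokens = line.split()       # unbalanced quote, e.g. an apostrophe in a comment
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            if not blob.startswith(ssh_string(tok.encode())):
                return None  # blob's embedded type string must match the declared type
            return tok, blob, " ".join(tokens[i + 2:])
    return None

def audit(text: str, weak: set) -> list:
    """Return (line_number, comment) for each key whose fingerprint is blocklisted."""
    parsed = ((n, parse_line(ln)) for n, ln in enumerate(text.splitlines(), 1))
    return [(n, p[2]) for n, p in parsed if p and fingerprint(p[1]) in weak]

def sample_key(fill: int) -> str:  # constructed, non-functional RSA-shaped blob
    parts = (b"ssh-rsa", b"\x01\x00\x01", bytes([fill]) * 64)
    return base64.b64encode(b"".join(map(ssh_string, parts))).decode()

KEY_A, KEY_B = sample_key(0x11), sample_key(0x22)
SAMPLE = "\n".join([  # constructed authorized_keys content
    f"ssh-rsa {KEY_A} alice@build-host",
    f'command="/usr/bin/backup --all",no-pty ssh-rsa {KEY_B} backup job',
    "ssh-rsa not-base64!! broken entry",
])
WEAK = {fingerprint(base64.b64decode(KEY_B))}  # constructed blocklist entry

if __name__ == "__main__":
    print(audit(SAMPLE, WEAK))
```

Any key the audit reports has to be replaced, together with whatever trusts it, which is the point the post makes about updated binaries not being enough.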




Kim Cameron's Identity Weblog
Wed, May 21, 2008
Security, Technology