OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH.

This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems. (CVE-2008-0166)

== Who is affected ==

Systems which are running any of the following releases :

* Ubuntu 7.04 (Feisty) * Ubuntu 7.10 (Gutsy) * Ubuntu 8.04 LTS (Hardy)
* Ubuntu 'Intrepid Ibex' (development): libssl <= 0.9.8g-8 * Debian 4.0 (etch) (see corresponding Debian security advisory)

and have openssh-server installed or have been used to create an OpenSSH key or X.509 (SSL) certificate.

All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied.

This includes the automatically generated host keys used by OpenSSH, which are the basis for its server spoofing and man-in-the-middle protection.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-612-2 introduced protections for OpenSSH, related to the OpenSSL vulnerabilities addressed by USN-612-1. This update provides the corresponding updates for OpenSSH in Ubuntu 6.06 LTS. While the OpenSSL in Ubuntu 6.06 is not vulnerable, this update will block weak keys generated on systems that may have been affected themselves.

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The recently announced vulnerability in Debian's openssl package ( DSA-1571-1, CVE-2008-0166 ) indirectly affects OpenSSH. As a result, all user and host keys generated using broken versions of the openssl package must be considered untrustworthy, even after the openssl update has been applied.

1. Install the security updates

This update contains a dependency on the openssl update and will automatically install a corrected version of the libssl0.9.8 package, and a new package openssh-blacklist.

Once the update is applied, weak user keys will be automatically rejected where possible (though they cannot be detected in all cases).
If you are using such keys for user authentication, they will immediately stop working and will need to be replaced (see step 3).

OpenSSH host keys can be automatically regenerated when the OpenSSH security update is applied. The update will prompt for confirmation before taking this step.

2. Update OpenSSH known_hosts files

The regeneration of host keys will cause a warning to be displayed when connecting to the system using SSH until the host key is updated in the known_hosts file. The warning will look like this :

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING:
REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed.

In this case, the host key has simply been changed, and you should update the relevant known_hosts file as indicated in the error message. It is recommended that you use a trustworthy channel to exchange the server key. It is found in the file /etc/ssh/ssh_host_rsa_key.pub on the server; it's fingerprint can be printed using the command :

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

In addition to user-specific known_hosts files, there may be a system-wide known hosts file /etc/ssh/ssh_known_hosts. This is file is used both by the ssh client and by sshd for the hosts.equiv functionality. This file needs to be updated as well.

3. Check all OpenSSH user keys

The safest course of action is to regenerate all OpenSSH user keys, except where it can be established to a high degree of certainty that the key was generated on an unaffected system.

Check whether your key is affected by running the ssh-vulnkey tool, included in the security update. By default, ssh-vulnkey will check the standard location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity), your authorized_keys file (~/.ssh/authorized_keys and ~/.ssh/authorized_keys2), and the system's host keys (/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key).

To check all your own keys, assuming they are in the standard locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity) :

ssh-vulnkey

To check all keys on your system :

sudo ssh-vulnkey -a

To check a key in a non-standard location :

ssh-vulnkey /path/to/key

If ssh-vulnkey says 'Unknown (no blacklist information)', then it has no information about whether that key is affected. In this case, you can examine the modification time (mtime) of the file using 'ls -l'.
Keys generated before September 2006 are not affected. Keep in mind that, although unlikely, backup procedures may have changed the file date back in time (or the system clock may have been incorrectly set).
If in doubt, generate a new key and remove the old one from any servers.

4. Regenerate any affected user keys

OpenSSH keys used for user authentication must be manually regenerated, including those which may have since been transferred to a different system after being generated.

New keys can be generated using ssh-keygen, e.g. :

    $ ssh-keygen Generating public/private rsa key pair. Enter file in     which to save the key (/home/user/.ssh/id_rsa): Enter passphrase     (empty for no passphrase): Enter same passphrase again: Your     identification has been saved in /home/user/.ssh/id_rsa. Your     public key has been saved in /home/user/.ssh/id_rsa.pub. The key     fingerprint is: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00     user@host

5. Update authorized_keys files (if necessary)

Once the user keys have been regenerated, the relevant public keys must be propagated to any authorized_keys files (and authorized_keys2 files, if applicable) on remote systems. Be sure to delete the lines containing old keys from those files.

In addition to countermeasures to mitigate the randomness vulnerability, this OpenSSH update fixes several other vulnerabilities :

 CVE-2008-1483: Timo Juhani Lindfors discovered that, when using X11  forwarding, the SSH client selects an X11 forwarding port without  ensuring that it can be bound on all address families. If the system  is configured with IPv6 (even if it does not have working IPv6  connectivity), this could allow a local attacker on the remote server  to hijack X11 forwarding.

 CVE-2007-4752: Jan Pechanec discovered that ssh falls back to  creating a trusted X11 cookie if creating an untrusted cookie fails,  potentially exposing the local display to a malicious remote server  when using X11 forwarding.

Matt Zimmerman discovered that entries in ~/.ssh/authorized_keys with options (such as 'no-port-forwarding' or forced commands) were ignored by the new ssh-vulnkey tool introduced in OpenSSH (see USN-612-2).
This could cause some compromised keys not to be listed in ssh-vulnkey's output.

This update also adds more information to ssh-vulnkey's manual page.

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-612-1 fixed vulnerabilities in openssl. This update provides the corresponding updates for ssl-cert -- potentially compromised snake-oil SSL certificates will be regenerated.

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems.
(CVE-2008-0166)

== Who is affected ==

Systems which are running any of the following releases :

* Ubuntu 7.04 (Feisty) * Ubuntu 7.10 (Gutsy) * Ubuntu 8.04 LTS (Hardy) * Ubuntu 'Intrepid Ibex' (development): libssl <= 0.9.8g-8 * Debian 4.0 (etch) (see corresponding Debian security advisory)

and have openssh-server installed or have been used to create an OpenSSH key or X.509 (SSL) certificate.

All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied.

This includes the automatically generated host keys used by OpenSSH, which are the basis for its server spoofing and man-in-the-middle protection.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of shared encryption keys and SSL/TLS certificates in OpenVPN.

This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote x509 certificate on the remote SSL server has been generated on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL library. 

The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL. 

An attacker can easily obtain the private part of the remote key and use this to decipher the remote session or set up a man in the middle attack.

The remote host has one or more ~/.ssh/authorized_keys files containing weak SSH public keys generated on a Debian or Ubuntu system.

The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL.

This problem does not only affect Debian since any user uploading a weak SSH key into the ~/.ssh/authorized_keys file will compromise the security of the remote system.

An attacker could try a brute-force attack against the remote host and logon using these weak keys.

The remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL library.

The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL.

An attacker can easily obtain the private part of the remote key and use this to set up decipher the remote session  or set up a man in the middle attack.

Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166 ). As a result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17, and has since that date propagated to the testing and current stable (etch) distributions. The old stable distribution (sarge) is not affected.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

A detector for known weak key material will be published at :

 (OpenPGP signature)

Instructions how to implement key rollover for various packages will be published at :

 https://www.debian.org/security/key-rollover/

This website will be continuously updated to reflect new and updated instructions on key rollovers for packages using SSL certificates.
Popular packages not affected will also be listed.

In addition to this critical change, two other vulnerabilities have been fixed in the openssl package which were originally scheduled for release with the next etch point release: OpenSSL's DTLS (Datagram TLS, basically 'SSL over UDP') implementation did not actually implement the DTLS specification, but a potentially much weaker protocol, and contained a vulnerability permitting arbitrary code execution (CVE-2007-4995 ). A side channel attack in the integer multiplication routines is also addressed (CVE-2007-3108 ).

ID	Name	Product	Family	Severity
65109	Ubuntu 7.04 / 7.10 / 8.04 LTS : openssh vulnerability (USN-612-2)	Nessus	Ubuntu Local Security Checks	high
65108	Ubuntu 7.04 / 7.10 / 8.04 LTS : openssl vulnerability (USN-612-1)	Nessus	Ubuntu Local Security Checks	high
32430	Ubuntu 6.06 LTS : openssh update (USN-612-7)	Nessus	Ubuntu Local Security Checks	high
32377	Debian DSA-1576-1 : openssh - predictable random number generator	Nessus	Debian Local Security Checks	high
32359	Ubuntu 7.04 / 7.10 / 8.04 LTS : openssh update (USN-612-5)	Nessus	Ubuntu Local Security Checks	high
32358	Ubuntu 7.04 / 7.10 / 8.04 LTS : ssl-cert vulnerability (USN-612-4)	Nessus	Ubuntu Local Security Checks	high
32357	Ubuntu 7.04 / 7.10 / 8.04 LTS : openvpn vulnerability (USN-612-3)	Nessus	Ubuntu Local Security Checks	high
32321	Debian OpenSSH/OpenSSL Package Random Number Generator Weakness (SSL check)	Nessus	Gain a shell remotely	critical
32320	Weak Debian OpenSSH Keys in ~/.ssh/authorized_keys	Nessus	Gain a shell remotely	critical
32314	Debian OpenSSH/OpenSSL Package Random Number Generator Weakness	Nessus	Gain a shell remotely	critical
32305	Debian DSA-1571-1 : openssl - predictable random number generator	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2008-0166

high

Tenable Plugins

high

high

high

high

high

high

high

critical

critical

critical

high