For almost two years the OpenSSL library used by Linux distribution Debian has been generating useless cryptographic keys — although Debian has issued a patch, experts warn that systems may still be exposed.

On Tuesday, the Debian project admitted that security expert Luciano Bello had discovered that an update to Debian's OpenSSL package in 2006 weakened the system's Random Number Generator, making SSH and SSL encryption and authentication — used to secure communications for applications such as Internet banking — useless.

"Because this vulnerability affects the OpenSSL package, which is used for generating various keys including SSH keys, session keys for SSL/TLS connections, OpenVPN and DNSSec keys and others, the implications are quite significant," Nishad Herath, chief executive officer of security consultancy Novologica, told ZDNet.com.au.

The vulnerability primarily affects Debian and Debian-derived systems, such as Ubuntu, according to Metasploit founder, H. D. Moore. However non-Debian systems are also exposed, said Herath.

"Non-Debian systems are also made vulnerable if they were using key material generated on an affected Debian system. To make matters worse, all DSA keys used for signing and authentication purposes on an affected Debian system is also made vulnerable — the Debian official security advisory recommends that such keys be considered compromised," said Herath.

Metasploit's Moore, yesterday told IT Radio's Risky Business that patching won't fix the problem either.

"Patching the vulnerability does not remove the vulnerability — it just prevents it from happening from that point on," he said.

Gabriel Haythornthwaite, information security consultant for Castelain, told ZDNet.com.au this means: "An attacker, who is predicting what a key would have been at the time, can break into a session or can retrospectively gather information from the session."

Novologica's Herath said this is a "spectacular screw up" on the part of the maintainers of the Debian system.

"It is quite commonplace that package maintainers of certain Linux distributions modify the source code of a given package to suit the specificities of a particular distribution. However, these changes are often not submitted to the original developers of the package for scrutiny," he said.

The changes made to the Debian OpenSSL package ... is in my view a spectacular screw up that clearly demonstrates the dangers of this modification process, where changes are not reviewed by the original authors of the package let alone any third-party experts prior to being made available to the public."

The Debian project has published a detector for known weak key material, which also provides instructions for rolling over encryption keys.

Related links

Leave a comment

You must read and type the 6 chars within 0..9 and A..F

* indicates mandatory fields.

Log in


Sign up | Forgot your password?

Blogs

RSS feed

  • Staff Aussies to pay more for Win 7

    If you are looking to make some money in these troubled times, perhaps importing copies of Windows 7 could be for you. Read more »

    -- posted by Staff

  • Staff Firefox: Greens want it, 3.5rc2 not up to par

    This week's roundup looks at the situation surrounding a campaign to change Outlook HTML renderer, a Greens MP wants to install Firefox but is restricted and all the photos from the iPhone 3GS launch. Read more »

    -- posted by Staff

  • Chris Duckett Microsoft misses the Outlook point

    Ask designers which mail program is the bane of their existence, and you'll find that Outlook tops the list. The reason why the most popular email reader is also the most painful is simple: it uses Word to render HTML emails. Read more »

    -- posted by Chris Duckett

What's on?