Woops! Debian's OpenSSL Security Flaw
Debian Linux has been revealed to have a major security flaw. The distribution changed its OpenSSL code and inadvertently made private keys easily crackable. H. D. Moore posted about this recent bug on Metasploit. He stated, "All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected."
This is a huge security flaw, and the popularity of the affected distribution makes it even more dangerous to the security of the internet. Moore further explains:
"In the case of SSL keys, all generated certificates will need to be recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need to be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerable system. Any tools that relied on OpenSSL's PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system. The Debian and Ubuntu projects have released a set of tools for identifying vulnerable keys. You can find these listed in the references section below."
If you have generated any keys using a vulnerable version of OpenSSL, it is critical that you update your version of OpenSSL to remove the security flaw and then regenerate all affected keys and certificates. Moore provides a method of checking whether a key is affected if you are unsure.
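The SSH key audit described above can be sketched as follows. This is an added example, not code from Moore's post or from the Debian and Ubuntu tools: it fingerprints every key in an authorized_keys file and reports those found on a list of known-weak fingerprints. The blocklist format (full hex MD5 fingerprints), the sample keys and all function names are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in common use in 2006-2008

def md5_fingerprint(blob_b64):
    """Hex MD5 fingerprint of a base64-encoded public key blob."""
    return hashlib.md5(base64.b64decode(blob_b64, validate=True)).hexdigest()

def parse_authorized_keys(text):
    """Yield (line_no, key_type, blob_b64, comment) for each key line."""
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # A line may start with options (no-pty, command="..."), so the key
        # type is not always the first field: scan for it.
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                yield line_no, field, fields[i + 1], " ".join(fields[i + 2:])
                break

def audit(text, weak_fingerprints):
    """Return [(line_no, comment, fingerprint)] for keys on the blocklist."""
    hits = []
    for line_no, _key_type, blob, comment in parse_authorized_keys(text):
        try:
            fp = md5_fingerprint(blob)
        except (binascii.Error, ValueError):
            continue  # malformed base64: not a usable key, skip it
        if fp in weak_fingerprints:
            hits.append((line_no, comment, fp))
    return hits

# Constructed sample data: placeholder blobs, not real keys or fingerprints.
WEAK_BLOB = base64.b64encode(b"constructed weak key blob").decode()
GOOD_BLOB = base64.b64encode(b"constructed good key blob").decode()
SAMPLE = "\n".join([
    "# constructed authorized_keys file",
    "ssh-rsa %s alice@old-debian" % WEAK_BLOB,
    'no-pty,command="/usr/bin/backup" ssh-rsa %s backup@host' % GOOD_BLOB,
    "ssh-dss %s bob@laptop" % WEAK_BLOB,
])
WEAK_FINGERPRINTS = {md5_fingerprint(WEAK_BLOB)}  # assumed blocklist format

if __name__ == "__main__":
    for line_no, comment, fp in audit(SAMPLE, WEAK_FINGERPRINTS):
        print("line %d (%s): blocklisted key %s" % (line_no, comment, fp))
```

Every reported key has to be removed and replaced with one generated on a patched system, regardless of which operating system the server itself runs.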
Debian OpenSSL Predictable PRNG Toys - [Metasploit]
Originally posted on Sun May 18, 2008