I am a big fan of Debian and Ubuntu, but not a big fan of gaping, ginormous security holes. The "predictable Pseudo Random Number Generator" OpenSSL vulnerability in Debian (and Ubuntu, and other Debian variants) leaves a gaping hole not only in those systems, but also in systems which are using keys from vulnerable systems. Patches need to be applied and keys regenerated, and we probably only have a couple of days before exploit code is loose. From the Debian Security Advisory:
"It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation."
Rather than mangle a technical discussion of the issue, here are some actually useful references:
- Debian Security Advisory DSA-1571-1
- Related OpenSSH advisory DSA-1576-1
- Ubuntu Security Notice USN-612-1
- NVD summary of CVE-2008-0166
- Article at ZDNet Australia
- SANS ISC Diary entry
  - Note: misidentifies the problem as being with OpenSSH; the root problem is with OpenSSL, which extends to OpenSSH.
- Not directly related, but a worrisome coincidence: SANS ISC post on SSH brute-force attacks.
  - This one's very real. I may have seen a pile of systems' doorknobs rattled on port 22 in something I get paid to do.
In review, we have stuff to do. And, if the word "predictable" can be used to describe your "random" process, you have a problem.
Jack