
Re: Fwd: Implications of Debian OpenSSL flaw for MIT PKINIT



Joey Hess <joeyh@debian.org> writes:

> Could you summarise the changes that should be made to the key-rollover
> page (or provide a patch)?

Absolutely.  Here's a patch that I think captures the essence and the
important details.

--- rollover.html.orig	2008-05-16 15:07:35.000000000 -0700
+++ rollover.html	2008-05-16 15:07:11.000000000 -0700
@@ -261,27 +261,36 @@
 in Debian 4.0 is not affected at all.
 </p>
 <p>
-In Lenny the separate binary package krb5-pkinit uses OpenSSL.
-</p><ul>
-<li>
-MIT Kerberos itself does not generate long-term key pairs even when the
-PKINIT plugin is used, so any vulnerable long-term key pairs would have
-been generated outside of the MIT Kerberos software itself. The PKINIT
-plugin only references existing key pairs and isn't responsible for key
+In Lenny the separate binary package krb5-pkinit uses OpenSSL.  MIT
+Kerberos itself does not generate long-term key pairs even when the PKINIT
+plugin is used, so any vulnerable long-term key pairs would have been
+generated outside of the MIT Kerberos software itself. The PKINIT plugin
+only references existing key pairs and isn't responsible for key
 management.
-</li>
-<li>
-All of the random session key generation inside the PKINIT plugin is
-done using the regular MIT Kerberos random key functions, <em>not</em> the
-OpenSSL random number generator, and hence sessions created via PKINIT
-are not subject to this vulnerability.
-</li>
-</ul>
-
+</p>
+<p>
+Long-term key pairs used with PKINIT may be affected if generated on an
+affected Debian system, but such generation is external to MIT Kerberos.
+</p>
 <p>
-MIT Kerberos itself is not in affected. However, long-term key pairs used
-with PKINIT may be affected if generated on an affected Debian system, but
-such generation is external to MIT Kerberos.
+However, the OpenSSL random key functions are used for the DH exchange
+when PKINIT authentication is used, which means that an attacker may be
+able to use brute-force to gain access to the KDC response to a PKINIT
+authentication and subsequently gain access to any sessions created using
+service tickets from that authentication.
+</p>
+<p>
+Any KDCs using the PKINIT plugin from Lenny should have their libssl0.9.8
+packages upgraded immediately and the Kerberos KDC restarted with:
+</p>
+<p>
+/etc/init.d/krb5-kdc restart
+</p>
+<p>
+Any Kerberos ticket-granting tickets (TGTs) or encrypted sessions resulting
+from PKINIT authentication using a Kerberos KDC with the affected libssl
+should be treated as suspect; it's possible that attackers with packet
+captures will be able to compromise those keys and sessions.
 </p>
 <h1><a name="openswan">OpenSWAN / StrongSWAN</a></h1>
 <pre>rm /etc/ipsec.d/private/`hostname`Key.pem /etc/ipsec.d/certs/`hostname`Cert.pem
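Review bot: the remediation at "Any KDCs using the PKINIT plugin from Lenny should have their libssl0.9.8 packages upgraded" covers only the KDC side, while the paragraph just above it says the OpenSSL random key functions are used for the DH exchange whenever PKINIT authentication is used; since that exchange has a client half as well, the page should say whether krb5-pkinit clients on an affected system also need the libssl upgrade, or state explicitly why only the KDC's contribution matters. Two smaller points: the new paragraph "Long-term key pairs used with PKINIT may be affected if generated on an affected Debian system, but such generation is external to MIT Kerberos." restates the end of the paragraph immediately before it ("any vulnerable long-term key pairs would have been generated outside of the MIT Kerberos software itself") and could be folded into it; and the restart command "/etc/init.d/krb5-kdc restart" is wrapped in a plain <p>, whereas the OpenSWAN section that follows puts its commands in <pre>, so use <pre> here for consistency.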

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

