Vulnerabilità

To: Debian-Italian-List <debian-italian@lists.debian.org>
Subject: Vulnerabilità
From: "Patrizio O.C. Melis" <cobe571@gmail.com>
Date: Sat, 17 May 2008 01:59:47 +0200
Message-id: <[🔎] c3b70bb10805161659w37fdbc03mb63c4951d65b1ece@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

          National Cyber Alert System

  Technical Cyber Security Alert TA08-137A


Debian/Ubuntu OpenSSL Random Number Generator Vulnerability

  Original release date: May 16, 2008
  Last revised: --
  Source: US-CERT

Systems Affected

    * Debian, Ubuntu, and Debian-based distributions

Overview

  A  vulnerability  in  the  OpenSSL  package  included  with the Debian
  GNU/Linux   operating  system  and  its  derivatives  may  cause  weak
  cryptographic keys to be generated. Any package that uses the affected
  version of SSL could be vulnerable.

I. Description

  A  vulnerabiliity  exists  in  the random number generator used by the
  OpenSSL  package included with the Debian GNU/Linux, Ubuntu, and other
  Debian-based   operating   systems.   This  vulnerability  causes  the
  generated numbers to be predictable.

  The result of this error is that certain encryption keys are much more
  common  than  they should be. This vulnerability affects cryptographic
  applications  that  use  keys  generated by the flawed versions of the
  OpenSSL package. Affected keys include, but may not be limited to, SSH
  keys,  OpenVPN  keys,  DNSSEC  keys, and key material for use in X.509
  certificates  and  session  keys  used  in SSL/TLS connections. Any of
  these keys generated using the affected systems on or after 2006-09-17
  may be vulnerable. Keys generated with GnuPG, GNUTLS, ccrypt, or other
  encryption  utilities  that  do  not  use  OpenSSL  are not vulnerable
  because these applications use their own random number generators.

II. Impact

  A  remote,  unauthenticated  attacker  may be able to guess secret key
  material.  The  attacker may also be able to gain authenticated access
  to    the   system   through   the   affected   service   or   perform
  man-in-the-middle attacks.

III. Solution

Upgrade

  Debian  and  Ubuntu have released fixed versions of OpenSSL to address
  this  issue. System administrators can use the ssh-vulnkey application
  to  check  for  compromised  or weak SSH keys. After applying updates,
  clients using weak keys may be refused by servers.

Workaround

  Until  updates can be applied, administrators and users are encouraged
  to  restrict  access  to  vulnerable servers. Debian- and Ubuntu-based
  systems   can   use   iptables,   iptables   configuration  tools,  or
  tcp-wrappers to limit access.


IV. References

 * DSA-1571-1 openssl - predictable random number generator  -
  <http://www.debian.org/security/2008/dsa-1571>

 * Debian wiki - SSL keys - <http://wiki.debian.org/SSLkeys>

 * Ubuntu OpenSSL vulnerability -
  <http://www.ubuntu.com/usn/usn-612-1>

 * Ubuntu OpenSSH vulnerability -
  <http://www.ubuntu.com/usn/usn-612-2>

 * Ubuntu OpenVPN vulnerability -
  <http://www.ubuntu.com/usn/usn-612-3>Ubuntu SSL-cert vulnerability

 * Ubuntu OpenSSH update - <http://www.ubuntu.com/usn/usn-612-5>

 * Ubuntu OpenVPN regression - <http://www.ubuntu.com/usn/usn-612-6>

 * OpenVPN regression - <http://www.ubuntu.com/usn/usn-612-6>


 _________________________________________________________________

 The most recent version of this document can be found at:

   <http://www.us-cert.gov/cas/techalerts/TA08-137A.html>
 _________________________________________________________________

 Feedback can be directed to US-CERT Technical Staff. Please send
 email to <cert@cert.org> with "TA08-137A Feedback VU#925211" in the
 subject.
 _________________________________________________________________

 For instructions on subscribing to or unsubscribing from this
 mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 _________________________________________________________________

 Produced 2008 by US-CERT, a government organization.

 Terms of use:

   <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________

 Revision History

 May 16, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBSC3OLvRFkHkM87XOAQIY6Qf/RywAJKkMBte71mgV+XKHOFH9yLy+vOGs
HlC35oyfpijFSPI1TyYpN9vvpvfhL8DDDG6/dNBt+u1uVskcurb5Rh1UMmpEEFg0
kVGos6JDD18T6JpfgvEY9k+4iVAGApNirEYRDsKFVRho/3CaJQ6Tdp/jf3NEzmNE
DPgsEA0n825kBd0dr/v3yT5S9wYsn5x9n6OfyHShXVwYPK/V3jEXbU0uZo0Nt7HX
L0FIVTz5tMWIm1LoTsh+GeE0dsnsg/0+qf1jRRq66GQ+3eMGO/wepTbUmqGCXF0s
I+O756V/mDxrPePJRNcpCjtGZCEjtMNJ4fZPQhosxbNVPpvDV5rGlQ==
=93LZ
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: Vulnerabilità
  - From: Gabriele 'LightKnight' Stilli <superenzima@libero.it>

Prev by Date: Re: comando mount
Next by Date: Re: Vulnerabilità
Previous by thread: Corsi serali di Grafica e Lingue
Next by thread: Re: Vulnerabilità
Index(es):
- Date
- Thread