Dear all,
FYI. Some of you may have Debian or Ubuntu based laptops or end-user
systems.
Those of you who have vulnerable X.509 certificates from the DutchGrid CA
have been notified yesterday already to give you some leniency, but by now
all vulnerable certificates have been revoked.
If your certificate comes from another CA, you will be contacted today
as well (or it will just implicitly be revoked).
Note that the typical time needed to obtain all possible private keys is
about 20 minutes (!) on a standard PC. By now, the list of private keys
is a public non-secret.
Please update and react as appropriate!
Cheers,
DavidG.
-------- Original Message --------
Subject: OSCT Critical vulnerability alert: Debian OpenSSL predictable random
number generator
Date: Fri, 16 May 2008 17:59:38 +0200
From: Riccardo Brunetti <riccardo.brunetti(a)to.infn.it>
To: <egee-broadcast(a)cern.ch>
CC: OSCT <project-egee-osct(a)cern.ch>, <project-lcg-security-contacts(a)cern.ch>
Dear EGEE site security contacts and site administrators.
Please consider the following security alert, classified as extremely
critical.
---------------------------------------------------------------------------------
EGEE Operational Security Coordination Team security alert
Critical vulnerability: Debian OpenSSL predictable random number generator
Date: May 16th 2008
URL: http://cern.ch/osct/alerts/openssl-16-05-2008.txt
Rating: extremely critical
Affects: Debian systems and derivatives, including Ubuntu
---------------------------------------------------------------------------------
A serious Debian (and derivatives, including Ubuntu) OpenSSL vulnerability
(CVE-2008-0166) has been announced, related to a predictable random number
generator in Debian's OpenSSL package:
http://www.debian.org/security/2008/dsa-1571
As a consequence, all the cryptographic key material which has been generated
by OpenSSL 0.9.8c-1 on affected systems is guessable and should be recreated
after the OpenSSL security patch has been applied.
The full list of affected credentials is available from the Debian advisory,
but please note it includes SSH keys and X.509 certificates.
Sites are strongly encouraged to follow-up on this issue, with a particular
emphasis on Debian SSH servers and on systems where users would generate SSH key
pairs or X.509 credentials, including grid User Interfaces or laptops.
This vulnerability does not affect Red Hat systems or derivatives (ex:
Scientific Linux).
-- Key verification
Additional information to deal with this vulnerability is available at:
http://wiki.debian.org/SSLkeys
Tools for checking SSH keys can be found at the following URLs:
http://itsecurity.net/
http://metasploit.com/users/hdm/tools/debian-openssl/
http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist
In addition, another tool has been prepared by Kent Engström <kent(a)nsc.liu.se>
to check X.509 certificates. It can be found at the following URL:
http://www.lysator.liu.se/~kent/ob/
-- Impact on Certificate Authorities
Concerning X.509 host and personal certificates used in the grid environment,
members of the IGTF are actively investigating the issue and affected users will
be contacted as appropriate.
The UKeScience Root certificate "UKeScienceRoot-2007" (98ef0ee5) that is
distributed in the IGTF Trust Anchor versions 1.18, 1.19, and 1.20 is
also affected by this issue. A new certificate with the same name (and
thus the same) has been generated based on new key material and
is part of the updated release 1.21. For technical reasons, both the
root and issuing CA certificate need to be replaced, although only the
root certificate is affected by the vulnerability.
As in a standard IGTF trust anchor installation, the subordinate issuing
CA is also installed in the repository and this certificate is taken
preferentially over any user-supplied version, the impact of this issue
is somewhat limited. For software that honours the "signing_policy" or
"namespaces" relying-party defined name space constraints policy, no
end-entity certificates can easily be impersonated.
Good fingerprints of the updated certificates are:
$ openssl x509 -subject -fingerprint -sha1 -noout -in 98ef0ee5.0
subject= /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root
SHA1 = A1:39:B0:F3:04:6C:0B:F9:F5:0A:1B:33:00:06:4F:83:6B:7D:4F:3E
$ openssl x509 -subject -fingerprint -sha1 -noout -in 367b75c3.0
subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
SHA1 = CA:1C:B6:6C:A9:E3:27:4D:F7:3E:A9:EB:6A:33:3F:C1:A2:B1:B8:D7
whereas the weak certificates are:
subject= /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root
SHA1 = B1:77:5E:BB:11:13:B4:B5:0E:40:57:F1:E0:6A:BE:B9:4E:44:B7:45
subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
SHA1 = 31:C1:93:3D:E8:9C:C4:B7:8A:02:B5:2D:56:D5:6B:43:56:0B:9F:CA
There are no other CA certificates affected, although many CAs have vulnerable
subscribers.
Best Regards
R.Brunetti (OSCT-DC) on behalf of OSCT group
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
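
An added example (not part of the original alert, nor of any OSCT or IGTF tooling): a POSIX shell check that compares the installed 98ef0ee5.0 and 367b75c3.0 trust anchor files against the good and weak SHA-1 fingerprints quoted in the alert. The trust anchor directory is passed as the first argument and is an assumption, as are the function names.

```shell
#!/bin/sh
# SHA-1 fingerprints copied from the alert above.
GOOD_FPS="A1:39:B0:F3:04:6C:0B:F9:F5:0A:1B:33:00:06:4F:83:6B:7D:4F:3E
CA:1C:B6:6C:A9:E3:27:4D:F7:3E:A9:EB:6A:33:3F:C1:A2:B1:B8:D7"
WEAK_FPS="B1:77:5E:BB:11:13:B4:B5:0E:40:57:F1:E0:6A:BE:B9:4E:44:B7:45
31:C1:93:3D:E8:9C:C4:B7:8A:02:B5:2D:56:D5:6B:43:56:0B:9F:CA"

# Reduce a line such as "SHA1 Fingerprint=AA:BB" or "SHA1 = aa:bb"
# to the bare, upper-case fingerprint.
normalize_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# Print "weak", "good" or "unknown" for one fingerprint line.
classify_fp() {
    fp=$(normalize_fp "$1")
    [ -n "$fp" ] || { echo unknown; return 0; }
    if printf '%s\n' "$WEAK_FPS" | grep -qxF -- "$fp"; then
        echo weak
    elif printf '%s\n' "$GOOD_FPS" | grep -qxF -- "$fp"; then
        echo good
    else
        echo unknown
    fi
}

# Fingerprint one certificate file with openssl and classify it.
check_anchor() {
    out=$(openssl x509 -fingerprint -sha1 -noout -in "$1" 2>/dev/null) \
        || { echo unreadable; return 0; }
    classify_fp "$out"
}

# Check both UK e-Science files in directory $1 (hypothetical location);
# return non-zero unless every file that is present is "good".
scan_dir() {
    rc=0
    for f in "$1/98ef0ee5.0" "$1/367b75c3.0"; do
        [ -f "$f" ] || continue
        verdict=$(check_anchor "$f")
        echo "$f: $verdict"
        [ "$verdict" = good ] || rc=1
    done
    return $rc
}

# Only scan when a directory is given on the command line.
if [ "$#" -gt 0 ]; then scan_dir "$1"; fi
```

A verdict of "unknown" means the file matches neither list from the alert and should be compared against the fingerprints published with the trust anchor release actually installed.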