Dear all,
FYI. Some of you may have Debian or Ubuntu based laptops or end-user systems.
Those of you who have vulnerable X.509 certificates from the DutchGrid CA have been notified yesterday already to give you some leniency, but by now all vulnerable certificates have been revoked. If your certificate comes from another CA, you will be contacted today as well (or it will just implicitly be revoked).
Note that the typical time needed to obtain all possible private keys is about 20 minutes (!) on a standard PC. By now, the list of private keys is a public non-secret.
Please update and react as appropriate!
Cheers, DavidG.
-------- Original Message --------
Subject: OSCT Critical vulnerability alert: Debian OpenSSL predictable random number generator
Date: Fri, 16 May 2008 17:59:38 +0200
From: Riccardo Brunetti riccardo.brunetti@to.infn.it
To: egee-broadcast@cern.ch
CC: OSCT project-egee-osct@cern.ch, project-lcg-security-contacts@cern.ch
Dear EGEE site security contacts and site administrators. Please consider the following security alert, classified as extremely critical.
---------------------------------------------------------------------------------
EGEE Operational Security Coordination Team security alert

Critical vulnerability: Debian OpenSSL predictable random number generator
Date: May 16th 2008
URL: http://cern.ch/osct/alerts/openssl-16-05-2008.txt
Rating: extremely critical
Affects: Debian systems and derivatives, including Ubuntu
---------------------------------------------------------------------------------
A serious Debian (and derivatives, including Ubuntu) OpenSSL vulnerability (CVE-2008-0166) has been announced, related to a predictable random number generator in Debian's OpenSSL package:
http://www.debian.org/security/2008/dsa-1571
As a consequence, all the cryptographic key material which has been generated by OpenSSL 0.9.8c-1 on affected systems is guessable and should be recreated after the OpenSSL security patch has been applied.
The full list of affected credentials is available from the Debian advisory, but please note it includes SSH keys and X.509 certificates.
Sites are strongly encouraged to follow-up on this issue, with a particular emphasis on Debian SSH servers and on systems where users would generate SSH key pairs or X.509 credentials, including grid User Interfaces or laptops.
This vulnerability does not affect Red Hat systems or derivatives (ex: Scientific Linux).
-- Key verification
Additional information to deal with this vulnerability is available at:
http://wiki.debian.org/SSLkeys
Tools for checking SSH keys can be found at the following URLs:
http://itsecurity.net/
http://metasploit.com/users/hdm/tools/debian-openssl/
http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist
In addition, another tool has been prepared by Kent Engström <kent@nsc.liu.se> to check X.509 certificates. It can be found at the following URL:
http://www.lysator.liu.se/~kent/ob/
-- Impact on Certificate Authorities
Concerning X.509 host and personal certificates used in the grid environment, members of the IGTF are actively investigating the issue and affected users will be contacted as appropriate.
The UKeScience Root certificate "UKeScienceRoot-2007" (98ef0ee5) that is distributed in the IGTF Trust Anchor versions 1.18, 1.19, and 1.20 is also affected by this issue. A new certificate with the same name (and thus the same) has been generated based on new key material and is part of the updated release 1.21. For technical reasons, both the root and issuing CA certificate need to be replaced, although only the root certificate is affected by the vulnerability.
As in a standard IGTF trust anchor installation, the subordinate issuing CA is also installed in the repository and this certificate is taken preferentially over any user-supplied version, the impact of this issue is somewhat limited. For software that honours the "signing_policy" or "namespaces" relying-party defined name space constraints policy, no end-entity certificates can easily be impersonated.
Good fingerprints of the updated certificates are:
$ openssl x509 -subject -fingerprint -sha1 -noout -in 98ef0ee5.0
subject= /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root
SHA1 = A1:39:B0:F3:04:6C:0B:F9:F5:0A:1B:33:00:06:4F:83:6B:7D:4F:3E

$ openssl x509 -subject -fingerprint -sha1 -noout -in 367b75c3.0
subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
SHA1 = CA:1C:B6:6C:A9:E3:27:4D:F7:3E:A9:EB:6A:33:3F:C1:A2:B1:B8:D7
whereas the weak certificates are:
subject= /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root
SHA1 = B1:77:5E:BB:11:13:B4:B5:0E:40:57:F1:E0:6A:BE:B9:4E:44:B7:45

subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
SHA1 = 31:C1:93:3D:E8:9C:C4:B7:8A:02:B5:2D:56:D5:6B:43:56:0B:9F:CA
There are no other CA certificates affected, although many CAs have vulnerable subscribers.
Best Regards
R.Brunetti (OSCT-DC)
on behalf of OSCT group
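Added example (not part of the original alert or of any OSCT/IGTF tooling): a small Python check that computes the SHA-1 fingerprint of the two trust anchor files named in the alert and compares it with the good and weak fingerprints listed there. The function names and the default directory /etc/grid-security/certificates are assumptions of this example; the alert does not state an install path.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

# SHA-1 fingerprints copied from the alert above, keyed to the subject CN.
GOOD = {
    "A1:39:B0:F3:04:6C:0B:F9:F5:0A:1B:33:00:06:4F:83:6B:7D:4F:3E": "UK e-Science Root",
    "CA:1C:B6:6C:A9:E3:27:4D:F7:3E:A9:EB:6A:33:3F:C1:A2:B1:B8:D7": "UK e-Science CA",
}
WEAK = {
    "B1:77:5E:BB:11:13:B4:B5:0E:40:57:F1:E0:6A:BE:B9:4E:44:B7:45": "UK e-Science Root",
    "31:C1:93:3D:E8:9C:C4:B7:8A:02:B5:2D:56:D5:6B:43:56:0B:9F:CA": "UK e-Science CA",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def normalize(fp):  # canonical form: upper-case hex pairs joined by colons
    digits = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(digits) != 40:
        raise ValueError("not a SHA-1 fingerprint: %r" % fp)
    return ":".join(digits[i:i + 2] for i in range(0, 40, 2))

def pem_fingerprints(text):
    """SHA-1 over the DER bytes of each PEM certificate, as openssl -fingerprint does."""
    return [normalize(hashlib.sha1(base64.b64decode(body)).hexdigest())
            for body in PEM_RE.findall(text)]

def classify(fp):
    """Map a fingerprint to ("WEAK" | "good" | "unlisted", subject CN or None)."""
    fp = normalize(fp)
    if fp in WEAK:
        return ("WEAK", WEAK[fp])
    return ("good", GOOD[fp]) if fp in GOOD else ("unlisted", None)

def scan(directory, names=("98ef0ee5.0", "367b75c3.0")):
    results = []
    for name in names:  # the two hash-named files shown in the alert
        path = Path(directory) / name
        if path.is_file():
            text = path.read_text(errors="replace")
            results += [(name,) + classify(fp) for fp in pem_fingerprints(text)]
        else:
            results.append((name, "missing", None))
    return results

if __name__ == "__main__":
    # Assumption: the usual IGTF trust anchor directory; the alert does not name it.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/grid-security/certificates"
    print(*(" ".join(map(str, row)) for row in scan(target)), sep="\n")
```

A "WEAK" row means the trust anchor predates release 1.21 and must be replaced; "unlisted" means the file holds a certificate that matches neither list and should be inspected by hand.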