[afnog] Debian, Ubuntu crypto weakness exploits now in the wild
Phil Regnauld
regnauld at x0.dk
Fri May 16 20:00:57 UTC 2008
Everyone might have heard of the Debian and Debian-derived crypto weakness
introduced by a Debian developer who patched OpenSSL, but in case you didn't,
PLEASE read this page:
http://wiki.debian.org/SSLkeys
... and understand that you do not need to be running Debian or Ubuntu to
have a problem. If you have Debian or Ubuntu generated SSH public keys
you have placed on public servers, these can be compromisedas well, using
brute force attacks at this point:
http://metasploit.com/users/hdm/tools/debian-openssl/
"We now have our first pre-generated SSH key. If we continue this
process for all PIDs up to 32,767 and then repeat it for 2048-bit RSA
keys, we have covered the valid key ranges for x86 systems running
the buggy version of the OpenSSL library. With this key set, we can
compromise any user account that has a vulnerable key listed in the
authorized_keys file. This key set is also useful for decrypting
a previously-captured SSH session, if the SSH server was using a
vulnerable host key."
More information about the afnog
mailing list