Re: [Actux] Fwd: [ILUG] serious openssl/openssh hole found
- To: actux@xxxxxxxxxxxxxxxxxxx
 
- Subject: Re: [Actux] Fwd: [ILUG] serious openssl/openssh hole found
 
- From: dermiste <dermiste@xxxxxxxxx>
 
- Date: Fri, 16 May 2008 09:33:23 +0200
 
 
I looked into what this was about on full-disclosure: basically it is
just a reduction in the entropy of the key pair used in RSA key-pair
authentication (65536 possible key pairs). But to gain a foothold on
the server, such a biased key pair has to be present in
.ssh/authorized-keys, and there is no alternative to brute-forcing in
order to log in. With fail2ban set to a ban time of 10 minutes and
banning after 6 attempts, in one day you can only test
6*(60/10)*24 = 864 keys.
Once again, a lot of noise about not much... Well, one lesson to take
away: you don't just improvise yourself into a crypto expert
On Thu, May 15, 2008 at 12:38 PM, Kereoz <kereoz@xxxxxxxxxx> wrote:
> For the Debian and Ubuntu folks :)
>
>
> ---------- Forwarded message ----------
> From: Justin Mason <jm@xxxxxxxxxx>
> Date: Tue, May 13, 2008 at 3:38 PM
> Subject: [ILUG] serious openssl/openssh hole found
> To: ilug@xxxxxxxx
>
>
> http://lists.debian.org/debian-security-announce/2008/msg00152.html
>
>  'Luciano Bello discovered that the random number generator in Debian's
>  openssl package is predictable.  This is caused by an incorrect
>  Debian-specific change to the openssl package (CVE-2008-0166).  As a
>  result, cryptographic key material may be guessable.
>
>  It is strongly recommended that all cryptographic key material which has
>  been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
>  systems (ie. since 2006!) is recreated from scratch.  Furthermore, all
>  DSA keys ever used on affected Debian systems for signing or
>  authentication purposes should be considered compromised; the Digital
>  Signature Algorithm relies on a secret random value used during
>  signature generation.'
>
>
> http://www.ubuntu.com/usn/usn-612-1 :
>
>  == Who is affected ==
>
>  Systems which are running any of the following releases:
>  * Ubuntu 7.04 (Feisty)
>  * Ubuntu 7.10 (Gutsy)
>  * Ubuntu 8.04 LTS (Hardy)
>  * Ubuntu "Intrepid Ibex" (development): libssl <= 0.9.8g-8
>  * Debian 4.0 (etch) (see corresponding Debian security advisory)
>
>  and have openssh-server installed or have been used to create an OpenSSH
>  key or X.509 (SSL) certificate. All OpenSSH and X.509 keys generated on
>  such systems must be considered untrustworthy, regardless of the system on
>  which they are used, even after the update has been applied. This includes
>  the automatically generated host keys used by OpenSSH, which are the basis
>  for its server spoofing and man-in-the-middle protection.
>
>
> caused by this incorrect "fix" from the debian maintainers in their own
> package: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516
>
> One wonders why that fix never made it upstream.
>
> bad news....
>
> --j.
> --
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug
> Who we are : http://www.linux.ie/
> Where we are : http://www.linux.ie/map/
>
>
>
> --
> Christophe HAUSER, http://www.kereoz.org
> Association Actux, http://actux.tuxfamily.org
>
>
>
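Added example, not part of the original messages or of any project's code: a defender-side audit that checks every entry of an authorized_keys file against a list of fingerprints of known weak keys, which is the condition the reply above says must hold for the weakness to matter on a given server. The sample keys, the blocklist and all function names are constructed for illustration, and the blocklist format (hex MD5 of the public key blob, the fingerprint OpenSSH printed at the time) is an assumption.

```python
import base64, hashlib, struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types affected keys would carry

def make_blob(key_type, *fields):
    """Build an SSH wire-format blob (length-prefixed fields); sample data only."""
    parts = [key_type.encode(), *fields]
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

def fingerprint(blob):
    """Hex MD5 of the decoded public key blob, without colons."""
    return hashlib.md5(blob).hexdigest()

def parse_line(line):
    """Return (key_type, blob, comment), or None for blanks, comments, junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    # Options such as from="...",no-pty may precede the key type, so scan for it.
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            return tok, blob, " ".join(tokens[i + 2:])
    return None

def audit(text, weak_fingerprints):
    """Return [(line_number, key_type, comment)] for entries on the blocklist."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed and fingerprint(parsed[1]) in weak_fingerprints:
            hits.append((n, parsed[0], parsed[2]))
    return hits

# Constructed sample keys (not real key material) and a constructed file.
WEAK = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xaa" * 16)
GOOD = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xbb" * 16)
SAMPLE = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + base64.b64encode(GOOD).decode() + " alice@laptop",
    'from="10.0.0.*",no-pty ssh-rsa ' + base64.b64encode(WEAK).decode() + " backup@etch",
])
BLOCKLIST = {fingerprint(WEAK)}  # stands in for a published weak-key list

if __name__ == "__main__":
    for hit in audit(SAMPLE, BLOCKLIST):
        print("weak key at line %d (%s): %s" % hit)
```

Any entry it reports should be removed and the key pair regenerated on a patched system, as the quoted advisories require.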