[CentOS-announce] Impact of the Debian OpenSSL vulnerability

Thu May 15 18:08:39 UTC 2008
Daniel de Kok <daniel at centos.org>

A severe vulnerability was found in the random number generator (RNG)
of the Debian OpenSSL package, starting with version 0.9.8c-1 (and
similar packages in derived distributions such as Ubuntu). While this
bug is not present in the OpenSSL packages provided by CentOS, it may
still affect CentOS users.

The bug barred the OpenSSL random number generator from gaining enough
entropy required for generating unpredicatable keys. In fact it
appearss that the only source for entropy was the process ID of the
process generating a key, which is chosen from a very small range and
is predictable. As such, all keys generated using the Debian OpenSSL
library should be considered compromized. Programs that use OpenSSL
include OpenSSH and OpenVPN. Note that GnuPG and GNU TLS do not use
OpenSSL, so they are not affected.

This vulnerability can affect CentOS machines through the use of keys
that were generated with the OpenSSL package from Debian. For
instance, if a user uses OpenSSH public key authentication to log on
to a CentOS server, and this user generated the key pair with a
vulnerable OpenSSL library, the server is at heavy risk because the
key can be reproduced easily.

Additionally, all (good) DSA keys that were ever used on a vulnerable
Debian machine for signing or authentication should also be considered
compromized due to a known attack on DSA keys.

As a result of this bug, everyone should audit *every* key or
cerficicate that was generated with OpenSSL, to trace its origin and
make sure that it was not generated with a vulnerable Debian OpenSSL
package. Or in the case of DSA keys care should be taken that they
were not generated or used on a system with a vulnerable OpenSSL
package. Keys that are potentially compromised should be replaced with
strong keys.

The Debian Wiki[2] has a preliminary list of affected application. A
tool to detect potentially weak keys is also provided, but it contains
an incomplete list of affected keys and can give false positives.

The Metasploit project provides a full list of weak keys in various
configurations[3].

Questions on how this may affect CentOS users should be directed to
the CentOS users list. List subscription information is available
from:

http://lists.centos.org/mailman/listinfo/centos

With kind regards,
The CentOS Team

[1] http://www.debian.org/security/2008/dsa-1571
[2] http://wiki.debian.org/SSLkeys
[3] http://metasploit.com/users/hdm/tools/debian-openssl/