[CentOS] OpenSSL/SSH Bug on Debian - Compromised key pairs
Ned Slider
ned at unixmail.co.uk
Thu May 15 16:56:19 UTC 2008
Daniel de Kok wrote:
>
> "Furthermore, all DSA keys ever used on affected Debian systems for
> signing or authentication purposes should be considered compromised;
> the Digital Signature Algorithm relies on a secret random value used
> during signature generation."
>
> Take care,
> Daniel
SANS have more on this today and will likely continue to update the
story as new developments emerge:
http://isc.sans.org/
To summarise, scripts that allow brute-forcing of keys are already in
the wild - expect to see an upturn in activity on port 22 as a result.
Further, for SSL secured websites, if the public key is known, no
brute-forcing is even necessary.
Ned
More information about the CentOS
mailing list