Linux News Today features the latest news from the global Linux community. This site is updated daily. Click here to return to our homepage. Get the lowest cost and the best tech support on any Linux web hosting plan. Click here for details.
                                          home   |   news archives   |   linux forum   |   advertise on our site   |   contact

Promote your company. Reach over 450,000 Linux software developers, Linux users, Web hosting companies, etc. Boost your sales and promote your brand. Read more, click here.

Get the best Linux or Windows hosting service. Click here to learn more.

Sponsored by
Sun Hosting

Sponsored by
Montreal Server Colocation

Install your server in Sun Hosting's modern colocation center in Montreal. Get all the details by clicking here.

Security vulnerabilities in some Linux distributions

Add to     Digg this story Digg this

May 24, 2008

A noted security researcher said on May 22 that a recently discovered security vulnerabilities in widely used Linux distributions can be exploited by potential attackers in guessing cryptographic keys, possibly leading to the forgery of specific digital signatures and theft of confidential and sensitive data.

First noted by the Debian Project, the security vulnerability is in the random number generator used to produce a variety of digital keys, including SSH (Secure Shell) keys and SSL certificates. The latter are widely used to secure traffic between users and secure sites on the Internet.

HD Moore, best known as the exploit researcher who created the Metasploit penetration testing framework, called the vulnerability in Debian and Ubuntu systems "ugly" and said it will be a big job for administrators to find every flawed key, then reissue them.

The bug makes it relatively easy to guess keys, according to Moore. In a posting to his blog this week, Moore claimed he was able to generate 1024 and 2048 bit keys in just under two hours.

However, stronger keys take considerably longer to create if needed. He estimated that an 8192-bit RSA keyset would take some 3,100 hours (about 129 days) to generate.

With that information out in the wild, other researchers also warned the Linux community. "This is very, very, VERY serious and SCARY," said Bojan Zdrnja, an analyst at the Internet Storm Center in a warning posted on the organization's site on May 22.

Moore also published several key-generating tools that included a shared library and a key generation script. Symantec also warned customers of its DeepSight threat network of the vulnerability and Moore's follow-on information and tools disclosures.

Additionally, Symantec noted that another hacker, "Markus M" published a tool set that automates brute force attacks of the key weakness to the Full Disclosure security mailing list.

That revelation pushed the ISC to up its INFO-Con threat status to "yellow," a relatively rare occurrence.

"The development of automated scripts exploiting keys looks like a real threat to SSH servers around the world," said Zdrnja in a later posting to the group's site.

It's not just users running Debian-based systems -- which includes the popular Ubuntu Linux distribution -- who are at risk, Moore cautioned, but virtually anyone. If data copied to other platforms has been secured by keys generated on a Debian distribution, that data could be misappropriated.

Moore added "there's a lot of different areas that you're going to have to look, not just within Debian. System administrators will have to audit every single key. Even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system."

Although he said the situation is serious, Moore doubted that there would be general and widespread attacks. Instead, he said the most likely outcome would be targeted attacks on systems that administered large numbers of Debian users.

Moore, ISC and others have recommended that Debian and Ubuntu users patch their systems quickly and that users and administrators regenerate all keys produced on a Debian system between September 2006 and May 13, 2008.

Moore said the Sep. 2006 date was when the first builds that included the flaw were made available to the Linux community.

Moore also discounted any connection between the Debian vulnerability and his disclosures, and brute force attacks some vendors, including Symantec, have been tracking in the last 48 hours.

"The timing is definitely odd," he acknowledged, but said the differences -- the attacks have been against user-generated passwords, not authentication keys -- means the two events are probably just coincidental and may not be related.

Source: ISC.

Add to     Digg this story Digg this

Article featured on Tech Blog and on Business 5.0

This article was featured on Tech Blog and Business 5.0.

Linux News is read by over 450,000 people involved in the field of Linux application development, professional Web hosting services, Linux security, Linux Web development, etc. Inquire about our reasonable advertising rates on our news website. One of our advertising representatives will be in touch with you. Simply email us to learn about our ad rates and how we can help drive relevant traffic to your website. Advertising space is limited.

                      Site powered by Linux Hosting            Sponsored by Sure Mail™ and by Domain Appraisers            Linux news while they are still fresh.    © Linux News