Fwd: Commentary on Debian/Ubuntu OpenSSL/OpenSSH prng issues [Originally To SANS.org]

Bill Ricker bill.n1vux at gmail.com
Sat May 17 03:11:00 BST 2008


Questions/comments on http://isc.sans.org/diary.html?storyid=4420 are
misinformed, and not entirely covered by recent updates.

(1) Yes, there is impact beyond the Debian/Ubuntu family -- e.g., DSA
keys *validated* [http://isc.sans.org/diary.html?storyid=4414]. But
peers and partners of affected systems need checkups as well, see
(4) below; at a bare minimum, they need to flush their known_hosts and
authorized_keys files of vulnerable keys using the dowkd.pl script.
DSA keys created elsewhere but hosted with a defective SSLeay lib are
technically compromised if they have ever been offered for validation,
due to the insecure nonce from the weak PRNG.

   Other distros should be pushing out the ssh-blacklist package --
until they do, their users who have trusted a Debian weak key (in
known_hosts for outgoing or in authorized_keys for incoming) are at
*greater* risk than those on a patched Debian/Ubuntu which will reject
weak keys.

(2) The Debian/Ubuntu family is large -
 http://distrowatch.com/dwres.php?resource=independence#debian

(3) To answer Lee's 2nd question [
http://isc.sans.org/diary.html?storyid=4420 #3], Putty is *not*
implicated.  The 0.60 source tree's sshrand.c is *similar*
entropy-harvesting code to OpenSSL's md_rand.c, but is not a close
relative, let alone taking patches from Debian. There is no IF(N)DEF
PURIFY, no MD_Update, no commented out entropy.  The Changes file makes
no mention of OpenSSH (except for compatibility with) or Debian or
OpenSSL.

   The old bug where Debian's packaged Putty failed to correctly set
file permissions on private keys is totally unrelated.

   Putty is vulnerable only to the same extent as all non-patched
Debian and non-Debian SSHd/SSL servers - residual misplaced trust of
any weak Debian host keys in known_hosts or weak Debian user keys in
authorized_keys if running Putty's SSHD, and of any technically
compromised DSA keys (that had been verified by a weak PRNG
challenge).

(4) Other affected packages on affected Debian/Ubuntu systems -- and
their peers/partners -- are listed at
http://www.debian.org/security/key-rollover/

(5) re "ANY cryptographic material created on vulnerable systems can
be compromised", no, only that which uses the OpenSSH / OpenSSL
libraries. PGP is likely to be independent; it wasn't listed for or
against on the list at (4). This should be researched. (Putty should
be added to the list of Not Affected per (3).)

-- Bill N1VUX
no longer a fulltime crypto/security professional but still a
mathematician at heart and a FOSSnik by preference.
n1vux at arrl.net bill.n1vux at gmail.com
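
Added example, not part of the original message and not the dowkd.pl
script: one way to flush known_hosts and authorized_keys lines whose key
fingerprint is on a blacklist, as points (1) and (3) call for. The function
names, the sample keys and the one-entry blacklist are constructed for
illustration; a real run would load the fingerprints of the known weak keys.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")

def make_blob(key_type, body):
    """Constructed test blob: length-prefixed type name plus filler bytes."""
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + body).decode()

def fingerprint(blob_b64):
    """Hex MD5 of the decoded key blob (the classic SSH key fingerprint)."""
    return hashlib.md5(base64.b64decode(blob_b64)).hexdigest()

def extract_key(line):
    """Return (type, blob) from a known_hosts/authorized_keys line, else None."""
    fields = line.split()
    for key_type, blob in zip(fields, fields[1:]):
        if key_type not in KEY_TYPES:
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        name = key_type.encode()
        # A real blob embeds its type name; skips look-alikes in command="..."
        if raw.startswith(struct.pack(">I", len(name)) + name):
            return key_type, blob
    return None

def purge(lines, blacklist):
    """Split lines into (kept, removed) by blacklisted key fingerprint."""
    kept, removed = [], []
    for line in lines:
        key = extract_key(line)
        hit = key is not None and fingerprint(key[1]) in blacklist
        (removed if hit else kept).append(line)
    return kept, removed

WEAK = make_blob("ssh-rsa", b"constructed-weak-key")
GOOD = make_blob("ssh-dss", b"constructed-good-key")
BLACKLIST = {fingerprint(WEAK)}
SAMPLE = [  # constructed lines; not real keys and not a real blacklist
    "host.example,192.0.2.10 ssh-rsa " + WEAK,
    'command="echo ssh-rsa x",no-pty ssh-rsa ' + WEAK + " user@example",
    "|1|c2FsdA==|aGFzaA== ssh-dss " + GOOD,
    "ssh-dss " + GOOD + " other@example",
]
```

purge(SAMPLE, BLACKLIST) returns the two lines carrying the blacklisted key
as removed, including the authorized_keys entry with a quoted option, and
keeps the hashed known_hosts entry and the unlisted DSA key.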


