Debian Bug Leaves Private SSL/SSH Keys Guessable 670
SecurityBob writes "Debian package maintainers tend to very often modify the source code of the package they are maintaining so that it better fits into the distribution itself. However, most of the time, their changes are not sent back to upstream for validation, which might cause some tension between upstream developers and Debian packagers. Today, a critical security advisory has been released: a Debian packager modified the source code of OpenSSL back in 2006 so as to remove the seeding of OpenSSL random number generator, which in turns makes cryptographic key material generated on a Debian system guessable. The solution? Upgrade OpenSSL and re-generate all your SSH and SSL keys. This problem not only affects Debian, but also all its derivatives, such as Ubuntu." Reader RichiH also points to Debian's announcement and Ubuntu's announcement.
Updated advisory from Ubuntu (Score:5, Informative)
Re:It will be fixed (Score:1, Informative)
Re:It will be fixed (Score:5, Informative)
I'm sure the problem will be fixed if the developers acknowledge that the problem exists. Not a big worry.
Yes, it is a big worry because any keys generated with this package are now potentially suspect. This means that anybody who's used Debian or a Debian derived distribution like Ubuntu needs to go back and destroy all host and personal keys generated since 2006. All of those keys are potentially guessable.
And that's a real vulnerability. Early versions of Netscape's SSL implementation (the first SSL implementation) were trivially crackable because of just such a vulnerability [berkeley.edu].
Re:It will be fixed (Score:4, Informative)
There most certainly is something to see here, this is kind of a big deal.
Re:i wondered what was going on (Score:3, Informative)
Re:The big question is.. (Score:5, Informative)
Re:stupid stupid stupid (Score:3, Informative)
http://securepoint.com/lists/html/bugtraq/2007-02/msg00056.html [securepoint.com]
To non-IT people (Score:2, Informative)
Re:It will be fixed (Score:5, Informative)
This has the potential to turn into a huge pain in the arse for Debian based shops, who will need to reissue SSL certificates, SSH keys, and a whole host of other essential elements of their security infrastructure.
Re:It will be fixed (Score:2, Informative)
i was sure that netscape problem was due to the US crypto export regs (the silly encryption=munitions thing) that limited the encryption to 40-bit keys.
Then you are mistaken. Read the linked to paper. N bit security doesn't protect you much when you can guess N-10 bits of the N bits.
Re:To non-IT people (Score:2, Informative)
Re:Updated advisory from Ubuntu (Score:5, Informative)
Re:The big question is.. (Score:2, Informative)
(Oh, and you meant "UNinitialized" memory.)
Re:To non-IT people (Score:4, Informative)
Re:The big question is.. (Score:5, Informative)
Re:i wondered what was going on (Score:5, Informative)
To simplify and generalize it, if every machine uses X+1*256 to get a 256 bit key equal to 768, then you could reverse that and know X would =2 (3*256=768) and fake the credentials. The random number generator should change that to X+R*256 which make reversing the key harder because you can only solve to X+R=3 now. In practice, it will be a really larger number and a lot different process though. I can't say that I fully understand it but that simplification should show the difference well enough to give an Idea of where the problem is.
Re:It will be fixed (Score:5, Informative)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516 [debian.org]
Says the first comment to the patch, in regards to what is being reversed:
"What it's doing is adding uninitialised numbers to the pool to create random numbers."
OpenSSL having more-random numbers vs. Valgrind looking good. And Valgrind won?
The consensus in the bug report seems to be not to do it, but then someone adds the patch anyways.
Re:It will be fixed (Score:5, Informative)
This doesn't change the fact that this is a really serious fuckup. Debian lost quite some credibility in my eyes.
Re:stupid stupid stupid (Score:5, Informative)
The offending patch: http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c [debian.org]
The fix: http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/crypto/rand/md_rand.c?rev=300&view=diff&r1=300&r2=299&p1=openssl/trunk/crypto/rand/md_rand.c&p2=/openssl/trunk/crypto/rand/md_rand.c [debian.org]
Re:stupid stupid stupid (Score:5, Informative)
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c [debian.org] which shows the change that introduced the bug; and its parent node:
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/?rev=141#dirlist [debian.org] which shows the maintainer responsible.
From looking at this patch, I think this is what happened. valgrind complained about a rather unusual coding convention in ssleay_rand_bytes. This is a function that returns random data into a buffer. However, before writing into the buffer, it reads from the buffer and incorporates the old contents into the internal random state. valgrind complained about this use of an output buffer for input. Normally you would never want to use potentially uninitialized data like this, but in this case it is OK as all that is being done is the data is being folded into the random state. In the worst case, this can't hurt, and maybe it will help, if the old data had some randomness.
Anyway, valgrind complained about it, and the maintainer commented out the use of the buffer. That would actually be OK, it is not a big deal. But the implementor made a mistake, and also commented out another similar usage, in a different function, ssleay_rand_add. This was a huge mistake, as the purpose of ssleay_rand_add is to add randomness into the random state. In that function, buf is an INPUT buffer, and adding it into the random state is perfectly legitimate, in fact it is the whole purpose of the function. But apparently because it looked similar to the questionable usage in ssleay_rand_bytes, the maintainer commented out the code in ssleay_rand_add at the same time. (I don't know whether valgrind also complained about this second usage, but if so, it was mistaken. I think it's more likely that the maintainer just got fooled and over-generalized from the valgrind complaint.)
So the whole thing was an attempt to clean up code and remove warnings, but the fix accidentally broke a crucial piece of functionality, rendering ssleay_rand_add completely non-functional. So any attempt to add randomness into the RNG state, such as for seeding purposes, is ineffective. The random state ends up with much less variability, and therefore all the crypto is weak. As Bruce Schneier points out, bad crypto looks much the same as good crypto, so it took this long to notice it.
Hats off to the reviewer who picked up on the problem. Don't know who it was, but the same Kurt Roeckx [kroeckx@debian.org] checked in the fix.
Re:The big question is.. (Score:5, Informative)
Re:Why open source doesn't work for business (Score:4, Informative)
You have no recourse unless you have PAID to have one, like with almost everything else in the world. The GPL specifically states that it's not a warranty or guarantee that things will work.
However, if you were using it in a business, I would hope that you either a) hired your own programmers to work with the code or b) bought a support package/liability clause from someone like Red Hat. In which case it would be down to your programmers or Red Hat respectively. But we're not talking about Red Hat. Or any of the other big-name, support-contract-and-some-sort-of-indemnity-clause-included distros. They don't have this problem, presumably because they are not that stupid.
We're talking about Debian. Got a support contract / liability agreement with Debian? No? Bad luck. It's a bit like asking Microsoft to accept responsibility for your pirate copy of Windows, then, isn't it?
Re:stupid stupid stupid (Score:5, Informative)
If you seed very often with data containing a lot of entropy (for example, radioactive decay), then there's no problem. It's also not a problem to add the time in the mix if you mark it as having almost no entropy.
Re:Of course... (Score:3, Informative)
Re:Of course... (Score:5, Informative)
Re:It will be fixed (Score:5, Informative)
Actually, here [marc.info] is where the Debian maintainer brought this up with upstream, and he was not told how stupid it was, in fact the Debian maintainer says, "the pool might receive less entropy." and upstream says, "If it helps with debugging, I'm in favor of removing them."
Re:It will be fixed (Score:5, Informative)
From http://wiki.debian.org/SSLkeys
Additionally, some DSA keys may be compromised in the following situations:
* key generated with broken openssl = bad
* key generated with good openssl and used to ssh from a machine with bad ssl = bad
* key generated with good openssl and used to ssh from a machine with good ssl = good
This is because the random numbers used during the signature process must also be good.
Re:Surely this is not the only source of entropy! (Score:1, Informative)
Don't mess with code you don't understand, especially when it is so important.
If you used this code to generate certificate requests, do you need to repurchase your SSL certificates?
Re:What does "guessable" mean here? (Score:5, Informative)
There is no such thing as a master key, but it would mean that several different servers may have generated the same "random" keys and that a clever attacker could create a dictionary of plausible keys (or, more plausibly, an algorithm to generate them) and try all of them on your server with a good chance to have one of them working. The dictionary would probably be huge however. A good measure would be to block an IP on SSH after a reasonnable number of failures (like 100)
Re:It will be fixed (Score:2, Informative)
The package maintainer first checked with upstream [marc.info] about the best way to resolve this. In retrospect, it's clear that upstream didn't either understand what was being asked, or what the code was doing. In any event, another Debian Developer, Luciano Bello, later found the problem and resolved it.
Re:Of course... (Score:5, Informative)
Especially when they won't work anymore [ubuntu.com]:
The GP poster said the same thing, but this is for the benefit of other readers who were skeptical that any such policy was in place.
So, basically, once you upgrade, you'll have no apparent way to access your other machines [1] to upload your new key. That's just spiffy!
[1] Uninstall openssh-blacklist first.
Passwords may be compromised, too (Score:5, Informative)
From http://wiki.debian.org/SSLkeys [debian.org]
Re:stupid stupid stupid (Score:5, Informative)
Seriously guys, take a few minutes to understand the code before hacking on it. If it was written by a n00b, you need to understand it to make sure they didn't do other stuff wrong. If it was written by someone competent (which is probably the case for openssl), then you need to make sure you're not the one making the mistake. In this case, to make it work with valgrind, the patch should have been to debian/rules, simply changing the way Configure was called.
Re:What does "guessable" mean here? (Score:3, Informative)
Re:It will be fixed (Score:4, Informative)
http://www.links.org/?p=327#comment-176642 [links.org]
Obviously some of the OpenSSL devs probably should've been like "zOMG, SITUATION FUBAR", but it wasn't a formal code review being requested, more of a "hey, what do you think of this and this?" and the patch was never submitted to upstream.
Some important information (Score:3, Informative)
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz [debian.org]
To use it:
$ perl dowkd.pl user
$ perl dowkd.pl host localhost
See http://lists.debian.org/debian-security-announce/2008/msg00152.html [debian.org]
Why isn't such a scan isn't part of the package update? http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481106 [debian.org]
262148 possible keypairs? (Score:5, Informative)
Re:Degree of Compromise? (Score:5, Informative)
Re:stupid stupid stupid (Score:1, Informative)
http://marc.info/?l=openssl-dev&m=114651085826293&w=2 [marc.info]
In a follow-up message, Ulf Möller of OpenSSL approved of the patch. He at least should have known better.
Re:It will be fixed (Score:3, Informative)
Similarly, the fact that there is a problem with the OpenSSH package means that the security mechanism that is guarding access to your system is no longer as secure as it was previously thought -- that makes it compromised. The individual systems may or may not have been compromised themselves by way of the compromised security mechanism, but continuing to use OpenSSL knowing it (the key gen algorithm, specifically) is less secure than it should be is just asking for trouble.
Re:correct me if I'm wrong (Score:5, Informative)
No, I don't think you're quite correct. The original patch in that thread is not what actually was applied. There are two functions, one for seeding the pseudo-random number generator, and one for getting random data out of it. The one for getting random data out was actually mixing in some uninitialized data into the entropy pool. This is not particularly harmful, but not particularly helpful either, and it caused Valgrind to complain. So, the maintainer removed that line, but also removed the line that mixes in the value provided to seed the random number in the first place (maybe it was being called with unitialized data at some point, too).
See my comment here for more details: http://reddit.com/info/6j7a9/comments/c03zxko [reddit.com]
Re:It will be fixed (Score:1, Informative)
Debian people screwed up. This leaves a huge distaste in my mouth for Debian (and Ubuntu).
Re:Kurt Roeckx (debian) mail to openssl-dev list (Score:4, Informative)
Re:It will be fixed (Score:3, Informative)
ah fuck it
this is slashdot
Re:It will be fixed (Score:5, Informative)
Incorrect, no matter what Ben claims. According to http://www.openssl.org/support/ [openssl.org], openssl-dev is for the developers of openssl itself. To quote the list description: Discussions on development of the OpenSSL library. Not for application development questions!
So yes, perhaps Kurt could have been more explicit in his description of what he was trying to do, but he was definitely using the appropriate address to reach the developers.
noah
Re:The big question is.. (Score:3, Informative)
However, Debian didn't use this flag, but instead tried to comment out the code themselves. And they commented out too much, breaking the whole thing completely.
Re:Passwords may be compromised, too (Score:2, Informative)
Vulnerable host keys will be regenerated
Some of the OpenSSH server host keys on this system were generated with a version of OpenSSL that had a broken random number generator. As a result, these host keys are from a well-known set, are subject to brute-force attacks, and must be regenerated.
Users of this system should be informed of this change, as they will be prompted about the host key change the next time they log in. Use 'ssh-keygen -l -f HOST_KEY_FILE' after the upgrade has changed to print the fingerprints of the new host keys.
The affected host keys are:
User keys may also be affected by this problem. The 'ssh-vulnkey' command may be used as a partial test for this. See
Re:Does SSH not use /dev/random? (Score:5, Informative)
To update the host keys on servers (Score:2, Informative)
Since they didn't mention how to do this in the security advisory, or give you a warning message when you apply the update that you should regen your keys here's how to regenerate the host keys. Either log in as root or put sudo before each of these (this should work remotely, I didn't have problems but YMMV)
rm -frm -f
ssh-keygen -b 1024 -N '' -f
ssh-keygen -b 2048 -N '' -f
You'll then be asked about the key changing next time you log in.
I just spent all day updating servers. Doesn't sound so bad till you realize all these servers also had client keys used for remote backups that had to be recreated and verified, etc.
Re:262148 possible keypairs? (Score:4, Informative)
[1] ./dowkd.pl file key*.pub | grep 'weak key' | wc -l
$ for i in `seq 1 500`; do ssh-keygen -N '' -t rsa -f key$i; done
$
500
$
Re:Updated advisory from Ubuntu (Score:3, Informative)
Re:It will be fixed (Score:4, Informative)
Re:The issue is a bit more complicated... (Score:4, Informative)
The problem is not the fact that the uninitialized memory seeding was removed. The problem is that the removal was done in an incompetent and destructive manner. Rather than remove only the uninitialized memory seeding, the maintainer managed to remove all seeding.
Reading uninitialized memory as part of random seeding isn't very useful but it's not bad either, since at worst the data is predictable, and OpenSSL mixes it with lots of other randomness. But when you botch your change and completely destroy any randomness present in the system, this is not the fault of the software you were trying to "fix".
Re:Once again, shoddy code leads to errors (Score:1, Informative)
Yes, truly horrible.
The code explained what was going on perfectly. The Debian maintainers were just not paying attention.
Don't forget the authorized_keys files (Score:2, Informative)
If you try logging in with a new key where an old one is expected, you will get an error and remove the old one from authorized_keys. When the client is never in use however, the hole might stay in there for a long time
Ubuntu Dapper 6.06 LTS fine, too (Score:3, Informative)
Re:Some important information (Score:2, Informative)
Had to change out all the other machines.
if you
$ cd
$ rm ssh_host*
$ wajig reconfigure openssh-server
changing user keys - become user and ssh-keygen
You may have to fiddle with knownhosts and authorized_hosts as documented many places..
Re:What does "guessable" mean here? (Score:3, Informative)
What you are doing here is dropping only one packet per minute (with a maximum burst of 5 by default). The opposite of what you intended.
To make it work the way you intended, you need two rules:
iptables -I INPUT 1 -p tcp --dport 22 --syn -m limit --limit 1/minute -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 22 --syn -j DROP
The limit rule runs first, accepting an average of 1 syn packet per minute. If the rate is exceeded then the rule fails and the DROP rule runs, which drops all further attempts to connect to ssh.
Re:It will be fixed (Score:5, Informative)
The problem is that in the same file, in another function all other sources of entropy were being merged into the pool of randomness using exactly the same code line as the one code line flagged by Valgrind. The maintainer assumed that the second code line has a similar function to the first and commented that one as well. AFAIK that also did not show up in the emails to the upstream list.
So we have:
* Upstream using clever hacks that rely on uninitialized memory having some randomness to it
* Upstream using same code and same variable names to describe different things
* Upstream having no comments in the code explaining the two things above
* Maintainer slightly over-generalizing a change
* A bug slipping trough the cracks in the review processes
* Another Debian Developer discovering the bug and recognizing its significance despite all of the above
* Debian project coming out and admitting all of the above and scrambling to get fixes out to its users ASAP
I am impressed by the swift action of the people involved in fixing this. And while I think everyone can find some lesson be learned here, I think this is another good example of free software in action. And I hope that in the aftermath of this we will find ways to prevent this from happening in the future without stifling our progress.
http://www.aigarius.com/blog/2008/05/14/too-similar-to-be-different/ [aigarius.com]
Re:It will be fixed (Score:3, Informative)
Why not read every line, of every piece of code you compile, to make sure it wasn't tampered with?
Why not write your own code, code you review yourself and compile and maintain for your own use?
Unless you write, review, compile every piece of software source yourself, you have to trust someone to do at least one of them. At that point, you trust someone to do it for you, and you're already where your compaint lies. Its just that you don't realize it yet.
Compiling code you've never looked at is just as risky as trusting that someone to write the code for you. In fact, I suspect that the Debian Source would have compiled with the same problem, had you compiled it yourself.
So no, compiling from source (Debian) wouldn't have solved this problem, unless you could realize and fix the changes from the Debian Source and the Master Source yourself. But you didn't, someone else did.
Your point is kind of moot, isn't it?
MOD PARENT DOWN (Score:3, Informative)
This is dangerously misleading! Blocking IPs after a reasonable number of failures stops only one particular attack against SSH. It prevents someone from logging into a user account that has a compromised-Debian-generated SSH public key by brute force, trying all possible compromised-Debian key pairs. There are a number of other attacks.
The most serious involve the SSH host key. The public host key is given to anyone who attempts to connect to the machine, whether they succuessfully authenticate or not. This must be the case -- giving out the public key is part of establishing an encrypted connection, and you must have encryption before you send your password or something. An attacker can connect ONCE to your server and, from the public host key, lookup the corresponding private key offline in microseconds. They can then decrypt any SSH communications they can sniff where that server is the server. You have little more security than telnet. They can perform a man-in-the-middle attack on the server. Even if a user is carefully using public-key authentication with something other than a compromised-Debian-generated key rather than password authentication, if they connect to a server with a compromised-Debian-generated host key, they might be connecting to a MITM attacker who can then perform any action on the server as said user.
Public-key authentication is still seriously vulnerable even if you limit the number of attempts. Normally, I can generate a key pair on machine A and set up machines B and C to allow me to log in with that public key, and a root attacker on machine B or C will not be able to access the other machine with my identity. If machine A is a compromised-Debian machine, this no longer holds. Anyone with access to the public key can immediately obtain the private key and impersonate me. Moreover, I normally wouldn't take the same precautions with my public key as my private key, but with a compromised-Debian-generated key pair they are practically equivalent. In general, there is no basis to rely on the public key being secret, which you implicitly recommend doing.
Any rational and informed person will immediately regenerate all key pairs generated with a compromised-Debian machine, and remove such public keys from any authorized_keys files in which they appear. They would also do well to consider the Ubuntu strategy of rejecting known weak public keys for public-key authentication.