Abrir sesión
logo

DEFENSA FRENTE A LAS CIBERAMENAZAS

ÚLTIMA HORA


barra-separadora
blue-balls

Boletines de Vulnerabilidades

Obtención de claves criptográficas en OpenSSl de Debian

Clasificación de la vulnerabilidad
Propiedad Valor
Nivel de Confianza Oficial
Impacto Confidencialidad
Dificultad Principiante
Requerimientos del atacante Acceso remoto sin cuenta a un servicio estandar

Información sobre el sistema
Propiedad Valor
Fabricante afectado GNU/Linux
Software afectado OpenSSL 0.9.8c-1 - 0.9.8g-9 / Debian
OpenSSH

Descripción
Se ha descubierto una vulnerabilidad en OpenSSL 0.9.8c-1 hasta la versión 0.9.8g-9 en Debian. La vulnerabilidad reside en un error de diseño al utilizar un generador de números aleatorios que genera números predecibles.

Un atacante remoto podría obtener claves criptográficas (SSH, OpenVPN, DNSSEC, X.509 y SSL/TLS) mediante un ataque de fuerza bruta.

Existe un exploit público disponible.

Solución


Actualización de software

Debian (DSA-1571-1)

Debian Linux 4.0
Source
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3.dsc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3.diff.gz
alpha (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_alpha.udeb
amd64 (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_amd64.udeb
arm (ARM)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_arm.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_arm.deb
hppa (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_hppa.udeb
i386 (Intel ia32)
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_i386.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_i386.deb
ia64 (Intel ia64)
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_ia64.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_ia64.deb
mips (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_mips.udeb
mipsel (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_mipsel.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_mipsel.deb
powerpc (PowerPC)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_powerpc.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_powerpc.deb
s390 (IBM S/390)
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_s390.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_s390.deb
sparc (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_sparc.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_sparc.deb

Debian (DSA-1576-2)

Debian Linux 4.0
Source
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch2.dsc
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2.orig.tar.gz
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch2.diff.gz
Arquitectura independiente
http://security.debian.org/pool/updates/main/o/openssh/ssh-krb5_4.3p2-9etch2_all.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh_4.3p2-9etch2_all.deb
alpha (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_alpha.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_alpha.udeb
amd64 (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_amd64.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_amd64.udeb
arm (ARM)
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_arm.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_arm.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_arm.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_arm.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_arm.udeb
hppa (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_hppa.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_hppa.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_hppa.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_hppa.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_hppa.deb
i386 (Intel ia32)
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_i386.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_i386.udeb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_i386.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_i386.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_i386.udeb
ia64 (Intel ia64)
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_ia64.udeb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_ia64.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_ia64.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_ia64.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_ia64.deb
mipsel (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_mipsel.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_mipsel.udeb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_mipsel.deb
powerpc (PowerPC)
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_powerpc.udeb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_powerpc.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_powerpc.deb
s390 (IBM S/390)
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_s390.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_s390.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_s390.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_s390.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_s390.deb
sparc (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_sparc.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_sparc.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_sparc.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_sparc.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_sparc.deb

Identificadores estándar
Propiedad Valor
CVE CVE-2008-0166
BID 29179

Recursos adicionales
Debian Security Advisory (DSA-1571-1)
http://lists.debian.org/debian-security-announce/2008/msg00152.html

Debian Security Advisory (DSA-1576-1)
http://lists.debian.org/debian-security-announce/2008/msg00153.html

Debian Security Advisory (DSA-1576-2)
http://lists.debian.org/debian-security-announce/2008/msg00155.html

Histórico de versiones
Versión Comentario Fecha
1.0 Aviso emitido 2008-05-14
1.1 Aviso actualizado por Debian (DSA-1576-2) 2008-05-19
Volver
logo-gobierno logo-cni ccn-logo
certauth-logo first-logo tfcsirt-logo egc-logo egc-logo CSIRTes
© 2019 Centro Criptológico Nacional, Argentona 30, 28023 MADRID

Este sitio web utiliza cookies propias y de terceros para el correcto funcionamiento y visualización del sitio web por parte del usuario, así como la recogida de estadísticas. Si continúa navegando, consideramos que acepta su uso. Puede cambiar la configuración u obtener más información. Modificar configuración