int(3995)

Boletines de Vulnerabilidades


Obtención de claves criptográficas en OpenSSl de Debian

Clasificación de la vulnerabilidad

Propiedad Valor
Nivel de Confianza Oficial
Impacto Confidencialidad
Dificultad Principiante
Requerimientos del atacante Acceso remoto sin cuenta a un servicio estandar

Información sobre el sistema

Propiedad Valor
Fabricante afectado GNU/Linux
Software afectado OpenSSL 0.9.8c-1 - 0.9.8g-9 / Debian
OpenSSH

Descripción

Se ha descubierto una vulnerabilidad en OpenSSL 0.9.8c-1 hasta la versión 0.9.8g-9 en Debian. La vulnerabilidad reside en un error de diseño al utilizar un generador de números aleatorios que genera números predecibles.

Un atacante remoto podría obtener claves criptográficas (SSH, OpenVPN, DNSSEC, X.509 y SSL/TLS) mediante un ataque de fuerza bruta.

Existe un exploit público disponible.

Solución



Actualización de software

Debian (DSA-1571-1)

Debian Linux 4.0
Source
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3.dsc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3.diff.gz
alpha (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_alpha.udeb
amd64 (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_amd64.udeb
arm (ARM)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_arm.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_arm.deb
hppa (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_hppa.udeb
i386 (Intel ia32)
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_i386.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_i386.deb
ia64 (Intel ia64)
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_ia64.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_ia64.deb
mips (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_mips.udeb
mipsel (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_mipsel.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_mipsel.deb
powerpc (PowerPC)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_powerpc.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_powerpc.deb
s390 (IBM S/390)
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_s390.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_s390.deb
sparc (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_sparc.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_sparc.deb

Debian (DSA-1576-2)

Debian Linux 4.0
Source
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch2.dsc
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2.orig.tar.gz
http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch2.diff.gz
Arquitectura independiente
http://security.debian.org/pool/updates/main/o/openssh/ssh-krb5_4.3p2-9etch2_all.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh_4.3p2-9etch2_all.deb
alpha (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_alpha.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_alpha.udeb
amd64 (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_amd64.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_amd64.udeb
arm (ARM)
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_arm.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_arm.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_arm.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_arm.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_arm.udeb
hppa (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_hppa.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_hppa.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_hppa.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_hppa.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_hppa.deb
i386 (Intel ia32)
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_i386.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_i386.udeb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_i386.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_i386.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_i386.udeb
ia64 (Intel ia64)
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_ia64.udeb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_ia64.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_ia64.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_ia64.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_ia64.deb
mipsel (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_mipsel.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_mipsel.udeb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_mipsel.deb
powerpc (PowerPC)
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_powerpc.udeb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_powerpc.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_powerpc.deb
s390 (IBM S/390)
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_s390.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_s390.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_s390.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_s390.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_s390.deb
sparc (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch2_sparc.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch2_sparc.deb
http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch2_sparc.deb
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch2_sparc.udeb
http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch2_sparc.deb

Identificadores estándar

Propiedad Valor
CVE CVE-2008-0166
BID 29179

Recursos adicionales

Debian Security Advisory (DSA-1571-1)
http://lists.debian.org/debian-security-announce/2008/msg00152.html

Debian Security Advisory (DSA-1576-1)
http://lists.debian.org/debian-security-announce/2008/msg00153.html

Debian Security Advisory (DSA-1576-2)
http://lists.debian.org/debian-security-announce/2008/msg00155.html

Histórico de versiones

Versión Comentario Fecha
1.0 Aviso emitido 2008-05-14
1.1 Aviso actualizado por Debian (DSA-1576-2) 2008-05-19

Miembros de

Ministerio de Defensa
CNI
CCN
CCN-CERT