Mailing List Archive

ssl weak key generation (supposed to effect only debian)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

the recently publicized SSL weak key generation for debian-based systems
(c.f. http://www.debian.org/security/key-rollover/)
has lead our university computing center to retract our
Gentoo-generated SSL keys based on an advisory from the German
DFN cert :-(

I have not found any information about whether this might also
affect Gentoo systems. A test with the Perl script from
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
does not show vulnerability:
~ summary: keys found: 2, weak keys: 0

So I guess that Gentoo-generated keys are not affected.
Still it would be nice to have an official statement
to prevent official certification bodies from retracting
valid Gentoo-generated keys.

Regards,
Peter
- --
Peter Schneider-Kamp mailto:psk@informatik.rwth-aachen.de
LuFG Informatik II http://verify.rwth-aachen.de/psk
RWTH Aachen phone: +49 241 80-21211
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkguoJQACgkQ3VbrCXkKHhxQigCfSoeTKHLeq2nprKI5BuBgPJhg
KtgAniEai4bE7HnTDKNsA/pnspdVZMFU
=xywx
-----END PGP SIGNATURE-----
--
gentoo-security@lists.gentoo.org mailing list
Re: ssl weak key generation (supposed to effect only debian) [ In reply to ]
Hi Peter,

On Saturday, 17. May 2008, Peter Schneider-Kamp wrote:
> the recently publicized SSL weak key generation for debian-based systems
> (c.f. http://www.debian.org/security/key-rollover/)
> has lead our university computing center to retract our
> Gentoo-generated SSL keys based on an advisory from the German
> DFN cert :-(

I could not find where these advisories are published on their site, I
guess they are not publicly distributed.


> I have not found any information about whether this might also
> affect Gentoo systems. A test with the Perl script from
> http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
> does not show vulnerability:
> ~ summary: keys found: 2, weak keys: 0
>
> So I guess that Gentoo-generated keys are not affected.
> Still it would be nice to have an official statement
> to prevent official certification bodies from retracting
> valid Gentoo-generated keys.

The Gentoo Security Team internally reviewed patches to
our "dev-libs/openssl" package right when we heard about the issue via a
private channel. We could confirm that the patch is not included in our
distribution. Furthermore, additional tests showed that there is no
dependence only on PID when generating keys, and that some Gentoo produced
keys are not included in the blacklist (which you also confirmed).

We issued no formal statement*, because Debian was so clear about the scope
of the vulnerability. To think that any distribution is affected, simply
because they do not publicly state they are not, is a bad habit. Other
CERTs usually contact us for vendor statements when they think we are
affected by one vulnerability.

The only thing compromising DSA keys generated on Gentoo is the usage of
the private key on an affected Debian, but even that was covered in both
the Debian and Ubuntu advisories.

Regards,
Robert // Gentoo Security


* I would not consider my blog entry on http://planet.gentoo.org a
formal statement.
Re: ssl weak key generation (supposed to effect only debian) [ In reply to ]
Robert Buchholz wrote:
> Hi Peter,
>
> On Saturday, 17. May 2008, Peter Schneider-Kamp wrote:
>
>> the recently publicized SSL weak key generation for debian-based systems
>> (c.f. http://www.debian.org/security/key-rollover/)
>> has lead our university computing center to retract our
>> Gentoo-generated SSL keys based on an advisory from the German
>> DFN cert :-(
>>
>
> I could not find where these advisories are published on their site, I
> guess they are not publicly distributed.
>
>
>
> To think that any distribution is affected, simply
> because they do not publicly state they are not, is a bad habit.
>
>
>
< ....... >

> Regards,
> Robert // Gentoo Security
>

It's something of a "lesser of two evils" situation. In the absence of
evidence either way, the only habit that would be worse is assuming that
any distribution is not affected, simply because they do not publicly
state that they are. Having said that, it's good to know that
apparently Gentoo is not impacted.
Re: ssl weak key generation (supposed to effect only debian) [ In reply to ]
On Sat, 17 May 2008, Byron wrote:

> It's something of a "lesser of two evils" situation. In the absence of
> evidence either way, the only habit that would be worse is assuming that
> any distribution is not affected, simply because they do not publicly state
> that they are. Having said that, it's good to know that apparently Gentoo
> is not impacted.
>

Hi,

- when a vulnerability has been found inside the package, the package is
vulnerable, it's not claimed to be distro-specific, and by default you
are right in assuming that every distro is affected.

- when a vulnerability has been found in a *distro-specific* patch or
script (or ebuild (or Windows-specific version ) ), the vulnerability is
claimed to reside in the distro scripts, or in the distro patch. So it's
distro-specific.

each linux distribution can not handle every other-distro-specific
vulnerability. Gentoo has sometimes gentoo-specific vulnerabilities
[1], and Debian too. Debian does not issue any statement that they are
not affected by a Gentoo-specific vulnerability. No distro does that.
And there would be a lot of other distributions to monitor [2]... That
would really be a mess.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1383

[2]
http://distrowatch.com/dwres.php?resource=major
http://distrowatch.com/dwres.php?resource=cd
http://distrowatch.com/dwres.php?resource=firewalls


http://www.debian.org/security/key-rollover/
"In Debian Security Advisory 1571, the Debian Security Team disclosed a
weakness in the random number generator used by OpenSSL on Debian and its
derivatives."

http://lists.debian.org/debian-security-announce/2008/msg00152.html
"Debian-specific: yes"

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166
"OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based
operating systems"

If you are unsure about your provider advisory, go and see the original
and official advisories (Debian, Mitre CVE) which are very clear. Then
revoke your contract and change of provider :)

Futhermore, a public RSA weak key (because being created by a vulnerable
Debian openssl) that would have been uploaded to
gentoo:~foo/.ssh/authorized_keys on a Gentoo system would make this
Gentoo system vulnerable to a trivial remote compromise as soon as the
attacker knows the "foo" user login. We can't simply say "be confident,
you are safe because you are using Gentoo". That would be lying. It
depends on your configuration and consequently that's the responsibility
of the root. There are a lot of similar configuration or user-land
risks, and that's not the purpose of the vulnerability monitoring that
is provided by the GLSA process.

By the way, the gentoo-security@gentoo.org mailing list is obviously the
right place to publicly inform that Gentoo openssl package is not
vulnerable to CVE-2008-0166. Now that's done, thanks to Peter who
firstly asked for it.


cheers,
--
Raphael Marichez aka Falco
Gentoo Linux Security Team