Ticket #53 (closed defect: fixed)

Opened 2 years ago

Last modified 1 year ago

Debian systems have a buggy OpenSSL implementation

Reported by: jpr@uab.edu
Assigned to: jpr@uab.edu
Priority: high
Milestone: (none)
Component: provisioning
Version: (none)
Keywords: debian openssl prng security
Cc: (none)

Description

A security vulnerability has been discovered in Debian-based packages of OpenSSL on the 4.0+ release, i.e. current stable. It's not in 3.1 (sarge). This requires patches to be applied and an audit of vulnerable keys generated on Debian systems with the affected OpenSSL libraries.

This ticket is for identifying the affected systems and determining the impact of this vulnerability on uabgrid services.

Change History

05/14/08 20:21:49 changed by jpr@uab.edu

Some of the services on UABgrid are affected by this.

We use Debian 4.0 (etch) for several of the VM's that provide services to UABgrid.

* ca.uabgrid: which hosts the user portion of UABgrid CA and assigns user certificates for use on the grid

* apps.uabgrid: which hosts web apps for MediaWiki (docs.uabgrid) and WordPress (blogs.uabgrid).

I need to regenerate the host certificates for these systems, since the CSR is currently generated local to the system. The CA functionality for user certs was migrated to this platform last July, so I will need to expire the user certs generated since that time. This affects 12 UABgrid user certificates, half of which were assigned last Sept (and are set to expire this Sept).

Note: The UABgrid CA keys were not generated on this host and the host certificates for UABgrid are not signed on ca.uabgrid. Except for those noted above, the host certs and operational integrity of the UABgrid CA are sound.

We use Debian 3.1 (sarge) for the UABgrid identity and group management services platform (myVocs box) which runs Shibboleth, GridShib and Sympa. According to the Debian vulnerability report, Debian 3.1's OpenSSL was not affected because it runs OpenSSL v0.9.7. I checked, and this is the case.

http://lists.debian.org/debian-security-announce/2008/msg00152.html

05/14/08 20:25:06 changed by jpr@uab.edu

  • status changed from new to assigned.

UAB Data Security sent a nice link that helps provide motivation to address this vulnerability:

http://metasploit.com/users/hdm/tools/debian-openssl/

05/14/08 20:41:58 changed by jpr@uab.edu

Somehow I left off the link to the Debian Security Advisory in the original post:

http://www.debian.org/security/2008/dsa-1571

05/14/08 21:56:48 changed by jpr@uab.edu

Documentation for how this patch is being applied to the affected systems is being further developed on the wiki page HowToPatchDebianOpenSslBug.

05/15/08 07:45:35 changed by jpr@uab.edu

Last night, the three VM systems affected by this bug had the OpenSSL patches applied and new keys created for the SSH service. Please see the documentation recording the process.

The primary host names and corresponding secondary interface names for the affected systems are:

  • ca.uabgrid.uab.edu
  • apps.uabgrid.uab.edu
    • docs.uabgrid.uab.edu
    • blogs.uabgrid.uab.edu
  • projects.uabgrid.uab.edu
    • dev.uabgrid.uab.edu

Please review the new host key fingerprints to confirm the updated SSH identities.

05/15/08 11:11:50 changed by jpr@uab.edu

I've checked on the authorized_keys configuration for these nodes.

There are no files found matching this search on these systems. We have not been using this form of login to access these systems. These systems also have a very small set (<5 at most) of user accounts defined and there is no knowledge of them having ever been used to create keys for password-less login to other systems. The login scenario is normally from non-Debian based systems to these systems, but again, no authorized_keys files exist.

These systems are not vulnerable to an authorized_key exploit and there is no indication any user keys were generated on these systems for authorized_keys based login to other systems.
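The authorized_keys check described above, as an added example that is not part of this ticket or of any UABgrid tooling: it walks a directory tree for authorized_keys files, parses each key line (including the optional leading options field), prints the same SHA256 fingerprint form that ssh-keygen -l uses, and flags any fingerprint found in a caller-supplied blacklist. The blacklist here is a placeholder set; the sample key blob is constructed and is not a real key.

```python
import base64
import hashlib
import os
import shlex
import tempfile
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")
def fingerprint(b64_blob):
    # Same SHA256 form ssh-keygen -l prints: unpadded base64 of the digest.
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
def parse_authorized_key(line):
    # (key_type, base64_blob, comment) or None for blank, comment or unparseable
    # lines; a leading options field such as from="...",no-pty is skipped by
    # scanning for the first known key type (shlex copes with quoted values).
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        fields = shlex.split(line)
    except ValueError:  # unbalanced quote in the options field
        return None
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            return field, fields[i + 1], " ".join(fields[i + 2:])
    return None
def audit_authorized_keys(root, blacklist):
    # One (path, key_type, fingerprint, is_blacklisted) tuple per key found in
    # any authorized_keys file under root; invalid base64 blobs are skipped.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in ("authorized_keys", "authorized_keys2"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for parsed in filter(None, map(parse_authorized_key, fh)):
                    try:
                        fp = fingerprint(parsed[1])
                    except ValueError:  # binascii.Error is a ValueError
                        continue
                    findings.append((path, parsed[0], fp, fp in blacklist))
    return findings
# Constructed sample (ssh-ed25519 wire format, all-zero point): NOT a real key.
SAMPLE_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
def demo():
    # Throwaway home tree with one authorized_keys file, audited against a
    # placeholder blacklist that holds the sample key's fingerprint.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "alice", ".ssh"))
    with open(os.path.join(root, "alice", ".ssh", "authorized_keys"), "w") as fh:
        fh.write('from="10.0.0.0/8",no-pty ssh-ed25519 %s alice@example\n# c\nnot a key\n' % SAMPLE_BLOB)
    return audit_authorized_keys(root, {fingerprint(SAMPLE_BLOB)})
```

On a real host the blacklist would be the weak-key fingerprint list for the affected OpenSSL builds, and root would be the directory holding the users' home directories.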

06/09/08 18:13:46 changed by jpr@uab.edu

The UABgrid user certificates created on ca.uabgrid.uab.edu during the time of this vulnerability were revoked.

UABgrid security announcement 2008-001 was sent out to the affected users.

06/09/08 18:20:56 changed by jpr@uab.edu

  • status changed from assigned to closed.
  • resolution set to fixed.

Having completed the impact assessment, patch application, and certificate revocation, this security issue has been resolved. The ticket can be re-opened if additional steps become necessary.