= UABgrid Security Issue 2008-001 =

== PROBLEM ==

Due to a recently disclosed vulnerability in the OpenSSL packages shipped with Debian Linux, we have had to revoke your existing UABgrid user certificate.

== SOLUTION ==

To generate a new user certificate for use with UABgrid resources, go to the following URL and request a new certificate:

https://ca.uabgrid.uab.edu/user/custom_request_cert.php

You can then download the new private key (userkey.pem) and certificate (usercert.pem) from the Certificate Management Control Panel and place them in the appropriate ~/.globus directory, replacing the old files; the revoked certificate will no longer be accepted:

https://ca.uabgrid.uab.edu/user/manage_cert.php

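As an added example, not part of UABgrid's own tooling, the following Python installs a downloaded key and certificate into a Globus credential directory with the file modes that grid-proxy-init insists on (the private key readable by its owner only, the certificate not writable by anyone else) and then lints the result: PEM framing, modes, and the common mistake of saving the same download under both names. The placeholder PEM bodies, the throw-away directory and the function names are this example's assumptions.

```python
import os
import stat
import tempfile

# Modes the Globus tools (grid-proxy-init) accept for the private key: owner
# read/write or owner read-only, nothing for group or other.
KEY_MODES = {0o400, 0o600}
# The certificate is public; it only must not be writable by anyone but the owner.
CERT_MAX_MODE = 0o644

# Constructed placeholder PEM bodies (not real key material): this example only
# checks the PEM framing, so any base64-looking body will do.
SAMPLE_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIICXAIBAAKBgQC0b25seS1hLXBsYWNlaG9sZGVy\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDdzCCAl+gAwIBAgIEb25seS1hLXBsYWNlaG9sZGVy\n"
    "-----END CERTIFICATE-----\n"
)


def pem_label(path):
    """Return the label of the first PEM block in the file ('CERTIFICATE',
    'RSA PRIVATE KEY', ...), or None if no PEM header is present."""
    with open(path, "r", errors="replace") as f:
        for line in f:
            line = line.strip()
            if line.startswith("-----BEGIN ") and line.endswith("-----"):
                return line[len("-----BEGIN "):-len("-----")]
    return None


def check_globus_dir(globus_dir):
    """Lint userkey.pem / usercert.pem the way grid-proxy-init will see them.
    Returns a list of problem strings; an empty list means the layout is sane."""
    key = os.path.join(globus_dir, "userkey.pem")
    cert = os.path.join(globus_dir, "usercert.pem")
    problems = [f"{p}: missing" for p in (key, cert) if not os.path.isfile(p)]
    if problems:
        return problems

    key_mode = stat.S_IMODE(os.stat(key).st_mode)
    if key_mode not in KEY_MODES:
        problems.append(
            f"userkey.pem: mode {key_mode:04o}, must be 0400 or 0600 "
            "(grid-proxy-init refuses a key readable by others)")
    cert_mode = stat.S_IMODE(os.stat(cert).st_mode)
    if cert_mode & ~CERT_MAX_MODE:
        problems.append(f"usercert.pem: mode {cert_mode:04o}, must not be writable by group/other")

    key_label = pem_label(key)
    if key_label is None or "PRIVATE KEY" not in key_label:
        problems.append(f"userkey.pem: expected a PEM private key, found {key_label}")
    cert_label = pem_label(cert)
    if cert_label != "CERTIFICATE":
        problems.append(f"usercert.pem: expected a PEM certificate, found {cert_label}")

    # Common mistake: the same download saved under both names.
    with open(key, "rb") as a, open(cert, "rb") as b:
        if a.read() == b.read():
            problems.append("userkey.pem and usercert.pem have identical contents")
    return problems


def install_credentials(globus_dir, key_pem, cert_pem):
    """Write a freshly downloaded key and certificate into globus_dir with safe
    modes, then return check_globus_dir's findings (empty on success)."""
    os.makedirs(globus_dir, mode=0o700, exist_ok=True)
    key = os.path.join(globus_dir, "userkey.pem")
    cert = os.path.join(globus_dir, "usercert.pem")
    if os.path.exists(key):
        os.remove(key)  # an old 0400 key cannot be opened for writing in place
    # Create the key 0600 from the first byte rather than chmod'ing afterwards,
    # so it is never momentarily readable through a permissive umask.
    fd = os.open(key, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key_pem)
    os.chmod(key, 0o400)
    with open(cert, "w") as f:
        f.write(cert_pem)
    os.chmod(cert, 0o644)
    return check_globus_dir(globus_dir)


def demo():
    """Install the placeholders into a throw-away directory, then loosen the key
    mode as a careless download might. Returns (clean_findings, loose_findings)."""
    d = tempfile.mkdtemp(prefix="globus-demo-")
    clean = install_credentials(d, SAMPLE_KEY_PEM, SAMPLE_CERT_PEM)
    os.chmod(os.path.join(d, "userkey.pem"), 0o644)
    loose = check_globus_dir(d)
    return clean, loose


if __name__ == "__main__":
    clean, loose = demo()
    print("fresh install:", clean or "OK")
    print("after chmod 644 on the key:", loose)
```

Against a real account, call check_globus_dir(os.path.expanduser("~/.globus")) after downloading the new files; a key left world-readable by a browser download is the usual reason grid-proxy-init refuses to start.
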
== DETAILS ==

The vulnerability lies in the generation of the random numbers used to create your public/private key pair. On affected systems the OpenSSL libraries produce predictable random numbers, so the set of key pairs they can ever generate is small enough for an attacker to enumerate. Guessing your private key therefore becomes practical.

Because ca.uabgrid.uab.edu runs on Debian and generates the public/private key pair for UABgrid user certificates on the server, every user key pair generated on it while the vulnerable packages were installed comes from this small, predictable set and is not sufficiently unique.

The greatest impact of this threat is for *unsigned* public/private key pairs, such as those used for key-based SSH logins. Because the key pairs are predictable, an attacker has only a small number of well-known keys to cycle through in order to gain SSH access to any account configured to accept one of them. For example, if you created a key pair on an affected Debian system and then placed its public key in $HOME/.ssh/authorized_keys on other hosts to allow remote access, the matching private key is among those the attacker can simply try. Such keys should be removed from every authorized_keys file and regenerated on an unaffected system.

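To make the keyspace argument in the two paragraphs above concrete, here is an added example (not code from UABgrid or from OpenSSL) that models the broken generator as a toy PRNG whose entire state comes from the process ID, enumerates every key it can produce, and then scans a constructed authorized_keys file against that table, which is the check the ssh-vulnkey tool performed against the real blacklists. The PRNG, the stand-in key derivation, the key length and the sample keys are all this example's assumptions; real RSA key generation is far more expensive, but the set of possible outputs is just as small.

```python
import base64
import hashlib
import os

# Linux default pid_max. In the broken Debian OpenSSL the process ID was the only
# input still varying between runs, so at most this many distinct keys exist per
# key type and size.
PID_MAX = 32768


class BrokenPRNG:
    """Toy model (this example's own, not OpenSSL's code) of the Debian bug:
    the generator's entire state is derived from the process ID."""

    def __init__(self, pid):
        self.state = hashlib.sha256(b"toy-prng|" + pid.to_bytes(4, "big")).digest()

    def read(self, n):
        out = b""
        while len(out) < n:
            self.state = hashlib.sha256(self.state).digest()
            out += self.state
        return out[:n]


def toy_keypair(random_bytes):
    """Stand-in for RSA key generation (assumption: real keygen is far slower
    but draws on the same few random bytes). The private key is the random
    material; the public key is a one-way function of it."""
    private = random_bytes
    public = hashlib.sha256(b"public-of|" + private).digest()
    return private, public


def fingerprint(public):
    """MD5 over the public key, the same shape as a classic SSH key fingerprint."""
    return hashlib.md5(public).hexdigest()


def build_weak_key_table(key_bytes=128):
    """Attacker/precompute side: one key per possible PID, indexed by the
    fingerprint of its public half. 32767 entries, seconds of work."""
    table = {}
    for pid in range(1, PID_MAX):
        private, public = toy_keypair(BrokenPRNG(pid).read(key_bytes))
        table[fingerprint(public)] = private
    return table


def authorized_keys_line(public, comment):
    """Lay a public key out as an OpenSSH authorized_keys entry: type, base64 blob, comment."""
    return "ssh-rsa " + base64.b64encode(public).decode() + " " + comment


def scan_authorized_keys(text, weak_table):
    """Defender side (what ssh-vulnkey did for real keys): for each entry, report
    (line number, comment, in_weak_table)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        public = base64.b64decode(fields[1])
        comment = fields[2] if len(fields) > 2 else ""
        findings.append((lineno, comment, fingerprint(public) in weak_table))
    return findings


def recover_private_keys(text, weak_table):
    """Attacker side: from the public halves alone, look up the private keys.
    Returns {comment: private_key} for every guessable entry."""
    recovered = {}
    for line in text.splitlines():
        fields = line.strip().split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        fp = fingerprint(base64.b64decode(fields[1]))
        if fp in weak_table:
            recovered[fields[2] if len(fields) > 2 else ""] = weak_table[fp]
    return recovered


# Constructed sample: one key "made on an affected Debian host" by the toy PRNG
# under PID 4242, one made with the operating system's CSPRNG.
WEAK_PRIVATE, WEAK_PUBLIC = toy_keypair(BrokenPRNG(4242).read(128))
GOOD_PRIVATE, GOOD_PUBLIC = toy_keypair(os.urandom(128))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample $HOME/.ssh/authorized_keys",
    authorized_keys_line(WEAK_PUBLIC, "alice@debian-laptop"),
    authorized_keys_line(GOOD_PUBLIC, "alice@workstation"),
])

if __name__ == "__main__":
    table = build_weak_key_table()
    print(f"keys the broken PRNG can ever produce: {len(table)}")
    for lineno, comment, weak in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, table):
        print(f"line {lineno}: {comment}: {'WEAK, replace it' if weak else 'ok'}")
    print("attacker recovered private keys for:", sorted(recover_private_keys(SAMPLE_AUTHORIZED_KEYS, table)))
```

An attacker does not need to read authorized_keys at all: with the table in hand they simply try each of the 32767 private keys against the SSH server, which is why the text calls these keys well-known. The defender's scan runs offline against the public halves, and the key from a sound CSPRNG on the second sample line never matches.
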
We *do not* believe the UABgrid services themselves were exposed in the way described for SSH above, because the Grid Security Infrastructure (GSI) uses *signed* public/private key pairs, i.e. certificates, and does not rely on an "authorized_keys" file for trust. Trust rests on the UABgrid Certificate Authority's root certificate, which was not generated on an affected Debian system, and that properly generated CA key pair is what signs each user certificate. An attacker therefore cannot forge a UABgrid certificate for a key of their own choosing. Note, however, that the CA signature does not protect a user whose own key is guessable: the certificate is public, and whoever recovers the matching private key holds everything needed to authenticate as that user. That is why the affected certificates had to be revoked rather than left in service.

The certificates were revoked as a precautionary measure, and to ensure that the same weak key pairs are not relied on anywhere else.

For further information, and to track issues related to this vulnerability, please visit:

http://dev.uabgrid.uab.edu/ticket/53