wiki:UGS-2008-001
Last modified on 06/09/08 18:03:46

UABgrid Security Issue 2008-001

PROBLEM

Due to a recent security vulnerability with the specific OpenSSL software packages for the Debian Linux platform, we had to revoke your existing UABgrid user certificate.

SOLUTION

To generate a new user certificate for use with UABgrid resources please go to the following URL and request a new certificate:

https://ca.uabgrid.uab.edu/user/custom_request_cert.php

You can then download the key (userkey.pem) and certificate (usercert.pem) to your appropriate ~/.globus directory from the Certificate Management Control Panel:

https://ca.uabgrid.uab.edu/user/manage_cert.php

DETAILS

The nature of this vulnerability has to do with the generation of the random numbers used to create your public/private key pair. On the affected systems, the OpenSSL libraries erroneously produce guessable random numbers. This makes it significantly easier for an attacker to guess your public/private key pair.

Because ca.uabgrid.uab.edu runs on a Debian system and generates the public/private key pair for UABgrid user certs, the user certificates generated on this platform while the vulnerability was in place are not sufficiently unique.

The greatest impact of this threat is for *unsigned* public/private key pairs, like those used for key-based SSH logins. The predictability of these key pairs gives an attacker a small number of well-known keys to cycle through in order to gain SSH access to an account that has been configured to allow key-based logins. This applies, for example, if you created a public/private key pair on an affected Debian system and then used that key pair to allow remote access to hosts via the $HOME/.ssh/authorized_keys file.
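The practical check for the SSH case above is the one Debian shipped as ssh-vulnkey: compute the fingerprint of every key in authorized_keys and compare it against a blacklist of fingerprints of keys known to come from the broken PRNG. The following is an added example, not code from this wiki or from UABgrid; it builds two constructed sample ssh-rsa blobs (toy moduli, not real keys), treats one of them as "weak" to stand in for the real blacklist data, and scans a constructed authorized_keys file for matches. The fingerprint format is the OpenSSH SHA256 form that `ssh-keygen -lf` prints.

```python
import base64
import hashlib
import struct
from typing import List, Optional, Set, Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob (RFC 4253 layout: type, e, n).
    Used here only to construct sample keys; the moduli passed in below are
    tiny placeholders, not real RSA keys."""
    def mpint(x: int) -> bytes:
        # Minimal big-endian bytes, plus a leading 0x00 if the top bit is set.
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key blob: base64 of the
    SHA-256 digest with padding stripped, prefixed by 'SHA256:'."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys_line(line: str) -> Optional[Tuple[str, bytes, str]]:
    """Return (key_type, blob, comment) for a key line, or None for blank and
    comment lines. An optional leading options field (e.g. from="...",no-pty)
    is tolerated: the key-type token is identified by checking that the token
    after it base64-decodes to a blob whose first SSH string is that type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i in range(len(tokens) - 1):
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(blob) < 4:
            continue
        (tlen,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + tlen] == tokens[i].encode("utf-8"):
            return tokens[i], blob, " ".join(tokens[i + 2:])
    return None


def scan_authorized_keys(text: str, blacklist: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, fingerprint, comment) for each key in the file
    whose fingerprint appears in the blacklist."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        _key_type, blob, comment = parsed
        fp = fingerprint(blob)
        if fp in blacklist:
            hits.append((lineno, fp, comment))
    return hits


# Constructed sample keys. WEAK_BLOB stands in for a key produced by the broken
# Debian PRNG; its fingerprint is the kind of entry a real blacklist holds.
WEAK_BLOB = make_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
GOOD_BLOB = make_rsa_blob(65537, 0xDEADBEEFCAFEF00D12345)
BLACKLIST = {fingerprint(WEAK_BLOB)}


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")


# Constructed ~/.ssh/authorized_keys content: one plain entry, one with options.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa " + _b64(WEAK_BLOB) + " user@debian-host",
    'from="10.0.0.0/8",no-pty ssh-rsa ' + _b64(GOOD_BLOB) + " user@laptop",
    "",
])

if __name__ == "__main__":
    for lineno, fp, comment in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print("line %d: blacklisted key %s (%s)" % (lineno, fp, comment))
```

A real deployment would load the blacklist from the distribution's published fingerprint lists rather than from a single constructed key, and would run the scan over every user's authorized_keys as well as over host keys; the matching logic is the same.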

We *do not* suspect a potential to exploit this issue to gain access to UABgrid systems, because the Grid Security Infrastructure (GSI) uses *signed* public/private key pairs, i.e. certificates. These systems do not rely on the "authorized_keys" file for trust. They rely on the UABgrid Certificate Authority's root certificate, which was not generated on an affected Debian system. Furthermore, this properly generated key pair is used to sign the user certificate. This means that, while your personal public/private key pair could be guessed, your certificate (i.e. the key pair signed by the UABgrid CA) could not be impersonated.

The certificates were revoked as a precautionary measure and to ensure that any other use of these key pairs is not compromised.

For further information and to track issues related to this vulnerability, please visit:

http://dev.uabgrid.uab.edu/ticket/53