Ubuntu/Debian vulnerability impact? - Debian



Thread: Ubuntu/Debian vulnerability impact?

  1. Re: Ubuntu/Debian vulnerability impact?

    Ignoramus12901 writes:
    > On 2008-05-15, Phil Carmody wrote:
    >> Ignoramus12901 writes:
    >>> On 2008-05-15, Phil Carmody wrote:
    >>>> Ignoramus12901 writes:
    >>>>> Do you know if there are any known exploit scripts written to exploit
    >>>>> this vulnerability?
    >>>>
    >>>> Given the amount of hammering my SSH ports are getting, I
    >>>> reckon that somebody has one!
    >>>
    >>> At least some of that hammering is due to old brute forcing dictionary
    >>> scripts.
    >>>
    >>> Ie login as root with passwords root, toor, r00t, t00r, root1, ... etc.

    >>
    >> Yup, on one briefly mis-configured machine, I was actually opening
    >> the port to them, and could see that they were doing a dictionary
    >> attack on both passwords and account names. (I heard the server
    >> writing logs constantly, and noticed sshd PIDs steadily increase,
    >> so shut the door pretty soon.)

    >
    > I have the ssh port open at all times.
    >
    > I permit root logon only by authorized_keys, and several other logons
    > explicitly, but by default all other usernames are blocked.


    I permit ssh-ing in (using hosts.allow) only from a single
    solaris box admin'ed by an old colleague, a NetBSD box admin'ed
    by a BoFH and a half, and another Debian box admin'ed by a former
    Debian project lead. So you either need to break both host_access
    and ssh, or break into two separate boxes.

    I've always been a login-as-luser, su/sudo for root access, kind
    of guy.

    Phil
    --
    Dear aunt, let's set so double the killer delete select all.
    -- Microsoft voice recognition live demonstration

  2. Re: Ubuntu/Debian vulnerability impact?

    On Tue, 13 May 2008 21:27:48 -0500, Ignoramus17861 wrote:

    > In regards to this giant ****up:
    >
    > http://www.ubuntu.com/usn/usn-612-2
    >
    > What exactly is the impact of this vulnerability?
    >
    > 1) Does it let an attacker, who has listening ability on a local network,
    > to intercept keys? (ie reduce security of SSH to that of telnet)
    >
    > 2) Does it allow an attacker, who does NOT have a listening ability, to
    > log on to remote machines using known weak keys? (ie brute force a fully
    > remote machine)
    >
    > Just what is the extent of this sad story?


    There is now a detailed examination online, see

    http://metasploit.com/users/hdm/tools/debian-openssl/

    I'm reading this in alt.os.linux.debian - where this has not been posted
    AFAICT, so apologies to people in other groups who may have seen this
    link already.

    And to those of you in alt.os.linux.ubuntu, apologies for posting
    something that does not contribute to your ongoing Windows/Ubuntu
    flamewar....

  3. Re: Ubuntu/Debian vulnerability impact?



    "Mark Madsen" wrote in message
    news:482c7a46$1_1@news.bluewin.ch...

    > And to those of you in alt.os.linux.ubuntu, apologies for posting
    > something that does not contribute to your ongoing Windows/Ubuntu
    > flamewar....


    Thank you for that, some will use it as munitions, I will not worry now as
    my keys were not done on a Debian system.
    I have had a similar **** up in a random number generator I wrote once, not
    a security issue though.
    It's easy to do when you get programmers that understand the language more
    than the algorithm they are programming or are just too tired when they do
    the work. (hint: take a break if it's important)


  4. Re: Ubuntu/Debian vulnerability impact?

    On 2008-05-15, Mark Madsen wrote:
    > On Tue, 13 May 2008 21:27:48 -0500, Ignoramus17861 wrote:
    >
    >> In regards to this giant ****up:
    >>
    >> http://www.ubuntu.com/usn/usn-612-2
    >>
    >> What exactly is the impact of this vulnerability?
    >>
    >> 1) Does it let an attacker, who has listening ability on a local network,
    >> to intercept keys? (ie reduce security of SSH to that of telnet)
    >>
    >> 2) Does it allow an attacker, who does NOT have a listening ability, to
    >> log on to remote machines using known weak keys? (ie brute force a fully
    >> remote machine)
    >>
    >> Just what is the extent of this sad story?

    >
    > There is now a detailed examination online, see
    >
    > http://metasploit.com/users/hdm/tools/debian-openssl/
    >
    > I'm reading this in alt.os.linux.debian - where this has not been posted
    > AFAICT, so apologies to people in other groups who may have seen this
    > link already.


    The page is awesome, just what I was hoping to find. Bookmarking...


    > And to those of you in alt.os.linux.ubuntu, apologies for posting
    > something that does not contribute to your ongoing Windows/Ubuntu
    > flamewar....


    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/

  5. Re: Ubuntu/Debian vulnerability impact?

    Ignoramus12901 illuminated alt.os.linux.ubuntu by typing:

    >
    > WRONG.
    >
    > The patch regenerates host keys, but not your private keys.
    >
    > It also does not delete weak keys that you uploaded to your other
    > computers and added to authorized_keys.
    >
    > It would be good to re-read the notice very closely, as your security
    > is very much at risk if you make just one mistake.



    Obviously, weak phrases apart, however, all my systems have reported
    back "Not Blacklisted" as opposed to "Compromised".

    --
    Moog

    "The G is for the gnarled face of someone who's on ninety thousand
    pounds a week who reckoned he should have had a throw in"

  6. Re: Ubuntu/Debian vulnerability impact?

    Mark Madsen illuminated alt.os.linux.ubuntu by typing:

    >
    > And to those of you in alt.os.linux.ubuntu, apologies for posting
    > something that does not contribute to your ongoing Windows/Ubuntu
    > flamewar....


    Only the people wanting to be in a flame war continue with it.

    The rest simply amend their scorefile accordingly.

    --
    Moog

    "The G is for the gnarled face of someone who's on ninety thousand
    pounds a week who reckoned he should have had a throw in"

  7. Re: Ubuntu/Debian vulnerability impact?

    On 2008-05-15, Moog wrote:
    > Ignoramus12901 illuminated alt.os.linux.ubuntu by typing:
    >
    >>
    >> WRONG.
    >>
    >> The patch regenerates host keys, but not your private keys.
    >>
    >> It also does not delete weak keys that you uploaded to your other
    >> computers and added to authorized_keys.
    >>
    >> It would be good to re-read the notice very closely, as your security
    >> is very much at risk if you make just one mistake.

    >
    >
    > Obviously, weak phrases apart, however, all my systems have reported
    > back "Not Blacklisted" as opposed to "Compromised".
    >


    Great!

    Did you upload any of your weak SSH keys to any other servers that are
    not based on Debian? Did you check them also?

    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/

  8. Re: Ubuntu/Debian vulnerability impact?

    Ignoramus21037 illuminated alt.os.linux.ubuntu by typing:
    > On 2008-05-15, Moog wrote:
    >> Ignoramus12901 illuminated alt.os.linux.ubuntu by typing:
    >>
    >>>
    >>> WRONG.
    >>>
    >>> The patch regenerates host keys, but not your private keys.
    >>>
    >>> It also does not delete weak keys that you uploaded to your other
    >>> computers and added to authorized_keys.
    >>>
    >>> It would be good to re-read the notice very closely, as your security
    >>> is very much at risk if you make just one mistake.

    >>
    >>
    >> Obviously, weak phrases apart, however, all my systems have reported
    >> back "Not Blacklisted" as opposed to "Compromised".
    >>

    >
    > Great!
    >
    > Did you upload any of your weak SSH keys to any other servers that are
    > not based on Debian? Did you check them also?


    No non-Debian servers. All checked. All come back OK.

    --
    Moog

    "The G is for the gnarled face of someone who's on ninety thousand
    pounds a week who reckoned he should have had a throw in"

  9. Re: Ubuntu/Debian vulnerability impact?

    On 2008-05-15, Moog wrote:
    > Ignoramus21037 illuminated alt.os.linux.ubuntu by typing:
    >> On 2008-05-15, Moog wrote:
    >>> Ignoramus12901 illuminated alt.os.linux.ubuntu by typing:
    >>>
    >>>>
    >>>> WRONG.
    >>>>
    >>>> The patch regenerates host keys, but not your private keys.
    >>>>
    >>>> It also does not delete weak keys that you uploaded to your other
    >>>> computers and added to authorized_keys.
    >>>>
    >>>> It would be good to re-read the notice very closely, as your security
    >>>> is very much at risk if you make just one mistake.
    >>>
    >>>
    >>> Obviously, weak phrases apart, however, all my systems have reported
    >>> back "Not Blacklisted" as opposed to "Compromised".
    >>>

    >>
    >> Great!
    >>
    >> Did you upload any of your weak SSH keys to any other servers that are
    >> not based on Debian? Did you check them also?

    >
    > No non-Debian servers. All checked. All come back OK.
    >


    Congrats. For me, it was about 8 of my privately owned computers and
    about 6 computers at work with an extensive trust network. I hope that
    I did not forget anything.

    There is one more laptop left that is currently powered off.

    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/

  10. Re: Ubuntu/Debian vulnerability impact?

    Ignoramus21037 illuminated alt.os.linux.ubuntu by typing:
    > On 2008-05-15, Moog wrote:
    >> Ignoramus21037 illuminated alt.os.linux.ubuntu by typing:
    >>> On 2008-05-15, Moog wrote:
    >>>> Ignoramus12901 illuminated alt.os.linux.ubuntu by typing:
    >>>>
    >>>>>
    >>>>> WRONG.
    >>>>>
    >>>>> The patch regenerates host keys, but not your private keys.
    >>>>>
    >>>>> It also does not delete weak keys that you uploaded to your other
    >>>>> computers and added to authorized_keys.
    >>>>>
    >>>>> It would be good to re-read the notice very closely, as your security
    >>>>> is very much at risk if you make just one mistake.
    >>>>
    >>>>
    >>>> Obviously, weak phrases apart, however, all my systems have reported
    >>>> back "Not Blacklisted" as opposed to "Compromised".
    >>>>
    >>>
    >>> Great!
    >>>
    >>> Did you upload any of your weak SSH keys to any other servers that are
    >>> not based on Debian? Did you check them also?

    >>
    >> No non-Debian servers. All checked. All come back OK.
    >>

    >
    > Congrats. For me, it was about 8 of my privately owned computers and
    > about 6 computers at work with an extensive trust network. I hope that
    > I did not forget anything.
    >
    > There is one more laptop left that is currently powered off.


    Good luck.

    It's interesting that this security issue with ssh has caused so much
    discussion.

    Correct me if I'm wrong, but it was the Debian community that pointed
    it out and the fix was almost instantaneous.

    If only this sort of diagnose/respond regime could be employed in
    other walks of life.

    --
    Moog

    "The G is for the gnarled face of someone who's on ninety thousand
    pounds a week who reckoned he should have had a throw in"


  11. Re: Ubuntu/Debian vulnerability impact?

    Moog wrote:

    (not crossposting)

    > It's interesting that this security issue with ssh has caused so much
    > discussion.


    No wonder as this is a severe problem indeed.

    > Correct me if I'm wrong, but it was the Debian community that pointed
    > it out and the fix was almost instantaneous.


    Almost instantaneous? I have an unusually large number of attempts to
    break my ssh server since 8th of May. DSA-1571-1 was published 13th of
    May. Of course I can't prove that these unwanted visits are related to
    a possible exploit existing prior to Tuesday. But then relating the two
    facts is still tempting.

    Günther

  12. Re: Ubuntu/Debian vulnerability impact?

    On 2008-05-15, Moog wrote:

    > Only the people wanting to be in a flame war continue with it.
    >
    > The rest simply amend their scorefile accordingly.
    >




    ;-)


    --
    Joe - Linux User #449481/Ubuntu User #19733
    joe at hits - buffalo dot com
    "Hate is baggage, life is too short to go around pissed off all the
    time..." - Danny, American History X

  13. Re: Ubuntu/Debian vulnerability impact?



    "Moog" wrote in message
    news:slrng2pbne.j4d.efcmoog@hardy.local...


    > It's interesting that this security issue with ssh has caused so much
    > discussion.
    >
    > Correct me if I'm wrong, but it was the Debian community that pointed
    > it out and the fix was almost instantaneous.
    >
    > If only this sort of diagnose/respond regime could be employed in
    > other walks of life.


    Moog, I notice in one of the other threads that quark and co are talking in
    terms of root kits and stuff being inserted as a result of this flaw.
    Is it very likely that some bad guys found the flaw in the two years it has
    been present and used it?
    I suppose they could find it fairly easy if they just diff important source
    files and are looking for bugs like that.
    I doubt if the community in general do such a thing so the bad guys could
    have known about it for a while.

    How do you check for unauthorised file changes on a Ubuntu system?

    Is there a live CD with a checker on it?
    Something that will compare what is in the packages with what is on the
    system + something to check for malicious entries in the hosts, permissions,
    etc.?

    PS please ignore the rest who will come along in a bit and say this is a
    troll, this could be very serious.


  14. Re: Ubuntu/Debian vulnerability impact?

    On Fri, 16 May 2008 08:58:06 +0100, dennis@home wrote:

    > How do you check for unauthorised file changes on a Ubuntu system?
    >
    > Is there a live CD with a checker on it? Something that will compare
    > what is in the packages with what is on the system + something to check
    > for malicious entries in the hosts, permissions, etc.?
    >
    > PS please ignore the rest who will come along in a bit and say this is a
    > troll, this could be very serious.


    Exactly, but I wonder if I am just being paranoid. If there was a need
    for a system scan, or reinstall, then they would have said so on the
    debian security announcement. Right?

    sf

  15. Re: Ubuntu/Debian vulnerability impact?

    On 2008-05-16, jellybean stonerfish wrote:
    > On Fri, 16 May 2008 08:58:06 +0100, dennis@home wrote:
    >
    >> How do you check for unauthorised file changes on a Ubuntu system?
    >>
    >> Is there a live CD with a checker on it? Something that will compare
    >> what is in the packages with what is on the system + something to check
    >> for malicious entries in the hosts, permissions, etc.?
    >>
    >> PS please ignore the rest who will come along in a bit and say this is a
    >> troll, this could be very serious.

    >
    > Exactly, but I wonder if I am just being paranoid. If there was a need
    > for a system scan, or reinstall, then they would have said so on the
    > debian security announcement. Right?
    >


    How can they find out if you were compromised due to this bug?

    You could have been.

    Hard to know.

    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/

  16. Re: Ubuntu/Debian vulnerability impact?



    "jellybean stonerfish" wrote in message
    news:SogXj.3317$ah4.247@flpi148.ffdc.sbc.com...
    > On Fri, 16 May 2008 08:58:06 +0100, dennis@home wrote:
    >
    >> How do you check for unauthorised file changes on a Ubuntu system?
    >>
    >> Is there a live CD with a checker on it? Something that will compare
    >> what is in the packages with what is on the system + something to check
    >> for malicious entries in the hosts, permissions, etc.?
    >>
    >> PS please ignore the rest who will come along in a bit and say this is a
    >> troll, this could be very serious.

    >
    > Exactly, but I wonder if I am just being paranoid. If there was a need
    > for a system scan, or reinstall, then they would have said so on the
    > debian security announcement. Right?
    >
    >


    It's actually no different to any other security fix.
    There is a period during which machines are vulnerable after the bug is
    there and before it is fixed.
    If someone finds the bug and uses it to exploit a machine, that machine is
    compromised and needs to be fixed.
    Fixing it means checking for *any* exploit that could have been inserted.

    The big problem here AFAICS is that it has been open for about two years and
    it's relatively easy for the bad guys to find.
    (You can bet that the bad guys diff all the code changes looking for
    vulnerabilities and will probably have found this one.)
    This means that there are a huge number of machines that *may* have been
    compromised and they all need checking.
    Just closing the hole and ignoring the last two years is not a fix.

    My advice, back up your data and reinstall, it's probably quicker than doing
    all the checks if they are not automated.
    Then get the software writers to do a liveCD with a checker and run it
    occasionally or at least after every set of fixes.





  17. Re: Ubuntu/Debian vulnerability impact?

    Joe illuminated alt.os.linux.ubuntu by typing:
    > On 2008-05-15, Moog wrote:
    >
    >> Only the people wanting to be in a flame war continue with it.
    >>
    >> The rest simply amend their scorefile accordingly.
    >>

    >
    >
    >
    > ;-)


    Heh.

    --
    Moog

    "The G is for the gnarled face of someone who's on ninety thousand
    pounds a week who reckoned he should have had a throw in"

  18. Re: Ubuntu/Debian vulnerability impact?

    dennis@home illuminated alt.os.linux.ubuntu by typing:
    >
    >
    > "Moog" wrote in message
    > news:slrng2pbne.j4d.efcmoog@hardy.local...
    >
    >
    >> It's interesting that this security issue with ssh has caused so much
    >> discussion.
    >>
    >> Correct me if I'm wrong, but it was the Debian community that pointed
    >> it out and the fix was almost instantaneous.
    >>
    >> If only this sort of diagnose/respond regime could be employed in
    >> other walks of life.

    >
    > Moog, I notice in one of the other threads that quark and co are talking in
    > terms of root kits and stuff being inserted as a result of this flaw.


    Well. I can only speak for myself here, but rkhunter runs as a cron
    job on a regular basis on all my boxes.

    I don't know what "other stuff" they refer to.....
    Perhaps Apache related? I dunno. As I don't run any apache servers on
    the machines I administer, or have inetd or xinetd enabled, then I'm
    not sure how port 22 with keys that have been classed as "not
    blacklisted" would actually allow anything in.

    > Is it very likely that some bad guys found the flaw in the two years it has
    > been present and used it?


    I agree. It is a huge worry. Everyone should check their systems. I
    suggest if you've got a "compromised" key, you'd need to either
    cleanse or re-install.

    > I suppose they could find it fairly easy if they just diff important source
    > files and are looking for bugs like that.
    > I doubt if the community in general do such a thing so the bad guys could
    > have known about it for a while.
    >
    > How do you check for unauthorised file changes on a Ubuntu system?


    You deny root access via SSH. (or any other service that has an open
    port)

    > Is there a live CD with a checker on it?
    > Something that will compare what is in the packages with what is on the
    > system + something to check for malicious entries in the hosts, permissions,
    > etc.?


    I'm not aware of one. But I'm sure something like that will be in
    existence.

    > PS please ignore the rest who will come along in a bit and say this is a
    > troll, this could be very serious.


    Indeed. In fact, I don't think anyone thinks you're trolling at all.

    What I would say is that two people have done checks. Myself with no
    problematic keys from 16. Ignoramus with 6 blacklisteds from 9.

    Just on such a small number sampled, that gives a very high percentage.

    --
    Moog

    "The G is for the gnarled face of someone who's on ninety thousand
    pounds a week who reckoned he should have had a throw in"

  19. Re: Ubuntu/Debian vulnerability impact?

    >Ignoramus12901 wrote:
    >> Do you know if there are any known exploit scripts written to exploit
    >> this vulnerability?


    * Mark Wooding wrote:
    >I'm afraid I don't. Anyone else?


    There are a couple of interesting scripts, and the complete set of
    vulnerable ssh keys for a selection of key sizes, linked from:
    http://metasploit.com/users/hdm/tools/debian-openssl/


    Ross

    --
    Ross Younger news#N@crazyscot.com (if N fails, try N+1)

  20. Re: Ubuntu/Debian vulnerability impact?

    I demand that Moog may or may not have written...

    [snip]
    > What I would say is that two people have done checks. Myself with no
    > problematic keys from 16. Ignoramus with 6 blacklisteds from 9.


    I had one bad key of three used to access remote systems. However, it was
    locked down using the "from=" parameter in the relevant authorized_keys file.

    I also had some bad sshd keys, but they don't matter since the sshds in
    question aren't publicly accessible.

    > Just on such a small number sampled, that gives a very high percentage.


    100% on some systems, I shouldn't wonder.

    Randomised key sizes (at generation time ‒ pick two ends of a range) would
    seem to be useful to me, but I'm no cryptographer...

    --
    | Darren Salt | linux or ds at | nr. Ashington, | Toon
    | RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
    | + Buy local produce. Try to walk or cycle. TRANSPORT CAUSES GLOBAL WARMING.

    Mumble.
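
Added example, not part of any post in this thread: a sketch of the check discussed above, auditing an authorized_keys file on any host (Debian-based or not) for keys that appear on a weak-key blacklist, and reporting restrictions such as `from=` that are attached to each hit. It assumes a blacklist record is the last 20 hex digits of the MD5 fingerprint of the public key blob; the function names, sample keys and sample blacklist are constructed for illustration.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field, as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def blacklist_id(blob: bytes) -> str:
    """Assumed record format: low 80 bits (last 20 hex digits) of the MD5 fingerprint."""
    return hashlib.md5(blob).hexdigest()[12:]


def split_fields(line: str) -> list:
    """Split on whitespace while keeping double-quoted option values in one piece."""
    fields, cur, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    if cur:
        fields.append(cur)
    return fields


def parse_entry(line: str):
    """Return (options, keytype, blob, comment), or None if the line holds no key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = split_fields(line)
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        # The blob names its own key type; it must match the text field before it.
        if blob.startswith(ssh_string(fields[i].encode())):
            return " ".join(fields[:i]), fields[i], blob, " ".join(fields[i + 2:])
    return None


def audit(text: str, blacklist: set) -> list:
    """Return (line_no, keytype, comment, options) for each blacklisted entry."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry and blacklist_id(entry[2]) in blacklist:
            hits.append((n, entry[1], entry[3], entry[0]))
    return hits


def constructed_entry(seed: str, comment: str, options: str = "") -> str:
    """Constructed sample line: ssh-rsa blob with a made-up modulus, not a real key."""
    modulus = b"\x00" + b"".join(
        hashlib.sha256(f"{seed}{i}".encode()).digest() for i in range(8))
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return f"{options} ssh-rsa {base64.b64encode(blob).decode()} {comment}".strip()


WEAK_LINE = constructed_entry("weak", "root@oldlaptop")
SAMPLE_BLACKLIST = {blacklist_id(parse_entry(WEAK_LINE)[2])}  # constructed, not Debian's data
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    constructed_entry("good", "admin@workstation"),
    constructed_entry("weak", "backup@oldlaptop",
                      'from="192.0.2.10",command="/usr/bin/backup now"'),
    WEAK_LINE,
])

if __name__ == "__main__":
    for n, keytype, comment, options in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print(f"line {n}: blacklisted {keytype} key ({comment}), options: {options or 'none'}")
```

For real use, fill the blacklist set from the records in the distribution's blacklist files and run `audit` over every authorized_keys file on every host that accepted keys generated on an affected system.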
