[Klug-general] SSL bug

Karl Lattimer karl at qdh.org.uk
Thu May 22 12:04:07 BST 2008




On Thu, 22 May 2008 11:17:33 +0100, "Karl Buckland" <karl at digital-end.com>
wrote:
> It only regenerates standard keys that the system knows about. Many
> people running servers have to generate keys/certificates for all sorts
> of other reasons and those keys are not automatically regenerated.
> 
> 2008/5/22 Andrew Miller (Spode) <spode at thinkbikes.com>:
> 
>> I'm running Ubuntu Server 8.04 and I did an update as soon as I heard
>> about the fix. It *automatically* regenerated new keys for me. I just
>> had to remove my server from my known_hosts file in order to login.
>>
>> Sure, it's a big issue - but did anyone actually exploit it? To be
>> patched up before anyone has actually exploited it is pretty good.
>> Microsoft vuln. are discovered and known for ages before repaired.
>>
>> But, I have to admit, (play devil's advocate), it would certainly shake
>> my confidence as an outsider...

This is being actively exploited; crackers have generated all 32,xxx keys
and are now using them to attack servers. They are generally being used
against ssh at present, but the ssl attacks are probably on their way. It's
harder to scan SSL services though as a single server can host multiple
sites. It's also harder to exploit as some kind of injection is required.

If you use dsa/ssh logins on any servers I recommend you find all of the
authenticated_users files and expunge bad keys from them. This doesn't just
affect Debian servers, this affects all servers that have been connected to
via weak keys.

K,





>> Spode
>>
>>
>> On Thu, May 22, 2008 at 10:09 AM, Peter Frost <P.Frost at kent.ac.uk>
>> wrote:
>>
>>> Colin McCarthy wrote:
>>>
>>>> Karl, while it is good to highlight security issues and possibly rub it
>>>> in people's faces a little, can we all try and do it with the typing
>>>> of rude words.
>>>>
>>>
>>>
>>> Absolutely!
>>>
>>> FART! BUM! BIGJOBS!
>>>
>>>
>>> _______________________________________________
>>> Kent mailing list
>>> Kent at mailman.lug.org.uk
>>> https://mailman.lug.org.uk/mailman/listinfo/kent
>>>
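The check Karl recommends (purging weak keys from users' authorized_keys files) can be automated; what follows is an added example, not code from this thread or from Debian's own ssh-vulnkey tool. It parses each authorized_keys entry (including ones with option prefixes such as command="..."), computes the key's MD5 fingerprint, and looks it up in a weak-key blacklist; the blacklist file format assumed here is one entry per line holding the last 20 hex digits of the MD5 fingerprint, with '#' comment lines, and the key blobs and blacklist in the demo are constructed rather than real weak keys.

```python
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # the key types affected by the Debian bug

def md5_fingerprint(blob_b64):
    """MD5 fingerprint of a base64 key blob, in ssh-keygen's aa:bb:cc:... form."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def blacklist_entry(fingerprint):
    """Lookup key: colons stripped, last 20 hex digits (assumed blacklist file format)."""
    return fingerprint.replace(":", "")[-20:]

def load_blacklist(text):
    """One entry per line; '#' comment lines and blank lines are ignored."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}

def parse_authorized_line(line):
    """Return (keytype, blob, comment) or None; copes with option prefixes like command="..."."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)  # a quoted option stays a single token
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None

def scan_authorized_keys(text, blacklist):
    """Return [(line_no, keytype, comment, fingerprint)] for every blacklisted key in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            keytype, blob, comment = parse_authorized_line(line)
            fp = md5_fingerprint(blob)
        except (TypeError, ValueError):  # not a key line, or a blob that will not decode
            continue
        if blacklist_entry(fp) in blacklist:
            hits.append((n, keytype, comment, fp))
    return hits
# Constructed demo data: a valid-looking (not actually weak) blob, blacklisted by its own fingerprint.
SAMPLE_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAAAAQI="
SAMPLE_KEYS = ('# alice\'s key\ncommand="/usr/bin/backup" ssh-rsa ' + SAMPLE_BLOB
               + ' alice@example\nssh-dss AAAAB3NzaC1kc3MAAAABAQ== bob@example\n')
SAMPLE_BLACKLIST = "# constructed blacklist\n" + blacklist_entry(md5_fingerprint(SAMPLE_BLOB)) + "\n"
if __name__ == "__main__":  # on a real host, feed each user's ~/.ssh/authorized_keys instead
    for n, keytype, comment, fp in scan_authorized_keys(SAMPLE_KEYS, load_blacklist(SAMPLE_BLACKLIST)):
        print(f"line {n}: weak {keytype} key {fp} ({comment}) - remove it")
```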