Debian OpenSSL, Abuse and Own

Thursday, May 15, 2008

Debian has released an advisory: the random number generator in Debian's openssl package is predictable, so any cryptographic key generated with it is guessable.

This vulnerability is specific to Debian and its derivatives - yes, that means Ubuntu is vulnerable.

How do you save yourself from this vulnerability?
1) Update and patch your system.
2) Re-generate your SSH keys.

There are reports that SSH brute forcing and scanning are on the rise. Well, of course that was going to happen once a real remote vulnerability made Linux boxes this easy to exploit.

A working exploit has been published on the internet. One is on BugTraq, and the second one worth mentioning is the effort of HD Moore from the Metasploit project: he has generated all 65536 keys, so the keys are baked and ready to use. Get the keys and start exploiting Debian based machines.

This vulnerability affects Debian and its derivatives only, so Red Hat, Slackware and SuSE are not vulnerable.

If you use a Debian based distribution, you need to patch it quick before you get hit by a botnet :P
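The reason the keys could be pre-generated, and the check you run before re-generating your own, in one added example (my code, not the advisory's, Debian's or HD Moore's): a toy generator whose only entropy is the PID (0..32767) is enumerated once, every fingerprint it can ever produce goes on a blacklist, and an authorized_keys file is scanned against that list. The key material is a constructed stand-in wrapped in the OpenSSH ssh-rsa wire format, not a real RSA key, and the authorized_keys lines are constructed too.

```python
"""Toy model of PID-only seeding and the blacklist check it makes possible."""
import base64
import hashlib
import random
import struct

PID_MAX = 32768  # 15-bit Linux PIDs: the entire seed space of the broken RNG


def ssh_string(b: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format."""
    return struct.pack(">I", len(b)) + b


def weak_key_blob(pid: int) -> bytes:
    """Toy key generator seeded only with the PID: same PID, same key.

    Constructed stand-in for a key: a deterministic 256-bit 'modulus' in the
    ssh-rsa public key layout (type, exponent, modulus). Not a real RSA key.
    """
    rng = random.Random(pid)  # stands in for a PRNG that never mixed in entropy
    e = (65537).to_bytes(3, "big")
    n = rng.getrandbits(256).to_bytes(32, "big")
    return ssh_string(b"ssh-rsa") + ssh_string(e) + ssh_string(n)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in ssh-keygen's notation (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_blacklist() -> set[str]:
    """Fingerprint of every key the toy generator can produce: 32768 in total."""
    return {fingerprint(weak_key_blob(pid)) for pid in range(PID_MAX)}


def find_weak_keys(authorized_keys: str, blacklist: set[str]) -> list[str]:
    """Return the comment of each ssh-rsa entry whose fingerprint is blacklisted."""
    hits = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "ssh-rsa":
            continue  # blank lines, comments, other key types, option-prefixed lines
        if fingerprint(base64.b64decode(parts[1])) in blacklist:
            hits.append(parts[2] if len(parts) > 2 else "<no comment>")
    return hits


def sample_authorized_keys() -> str:
    """Constructed authorized_keys: one key from the toy weak generator, one not."""
    weak = base64.b64encode(weak_key_blob(4242)).decode()
    good_blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(bytes(range(32)))
    good = base64.b64encode(good_blob).decode()
    return f"# constructed sample\nssh-rsa {weak} etch-box\nssh-rsa {good} fedora-box\n"
```

Enumerating the whole space takes well under a second here, which is the point: a key space this small is a blacklist, not a secret.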
