LinHES Forums
http://forum.linhes.org/

libssl exploit
http://forum.linhes.org/viewtopic.php?f=5&t=18302

Author:  techman83 [ Wed May 14, 2008 12:02 am ]
Post subject:  libssl exploit

It has come to my attention that there is a security issue with libssl0.9.8 in Debian etch.

http://article.gmane.org/gmane.linux.de ... ounce/1614
http://www.securityfocus.com/bid/29179

I can confirm that this is an issue within the Current Release R5F27. For those with boxes available externally and using ssh, as root I suggest doing the following:

Code:
wget http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_i386.deb
wget http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_i386.deb
dpkg -i libssl0.9.8_0.9.8c-4etch3_i386.deb
dpkg -i libssl-dev_0.9.8c-4etch3_i386.deb


Next you will have to regenerate your keys (as updating the package doesn't do this):

Code:
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server


You may get an error the next time you log in to the box using ssh, e.g.:
Code:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
42:28:ad:36:77:a6:07:58:b8:88:8d:f9:9f:3d:07:3f.
Please contact your system administrator.


That example is using Linux to log in to the box; just remove the offending key from your known hosts. Not sure what the process is for Windows clients. This doesn't affect drive shares etc., just anything to do with ssl.

Also, if you are using passwordless ssh anywhere, you should regenerate those keys (making sure if you've blocked password logins somewhere that you unblock them before doing so, as logging in with a new key afterwards may be a challenge :wink: ).

EDIT: I had to change from using apt to grabbing the packages separately, as the package in apt wasn't quite up to date enough.

Author:  Yeraze [ Thu May 15, 2008 9:41 am ]
Post subject: 

Works great, thanks for the instructions.

And interestingly enough, I was able to perform this via SSH remotely... and restarting the SSH server did _not_ disconnect me.

Author:  rando [ Thu May 15, 2008 3:44 pm ]
Post subject: 

I also performed these steps while logged in via SSH and was not disconnected at any point during the process.

Author:  techman83 [ Thu May 15, 2008 7:18 pm ]
Post subject: 

Yeah, that's normal. I did mine from work :P (although my mythbox isn't my gateway, and I had to do 4 other servers as well!)

Glad the instructions were easy enough, I forget I've been working with this stuff for a while now sometimes!!

Author:  pao [ Fri May 16, 2008 7:36 am ]
Post subject: 

Does cecil, or anyone with R5.5 RC, know if it too has the vulnerable OpenSSL package?

Author:  tjc [ Fri May 16, 2008 5:42 pm ]
Post subject: 

If it does, it won't for long...

Author:  manicmike [ Sun May 18, 2008 11:53 pm ]
Post subject: 

tjc wrote:
If it does, it won't for long...


It's in the list anyway.

Please don't forget to also install the openssh-blacklist package at http://security.debian.org/pool/updates/main/o/openssh-blacklist/openssh-blacklist_0.1.1_all.deb
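
An added example, not part of the original posts: one way to audit the keys mentioned in this thread (authorized_keys entries used for passwordless ssh, or known_hosts entries) against a blacklist of weak-key fingerprints. It assumes the blacklist format documented for Debian's ssh-vulnkey, where each line is the lower-case hex MD5 fingerprint with its first 12 characters removed; the function names and the sample keys and blacklist are constructed for illustration.

```python
import base64
import hashlib
import struct
KEY_TYPES = ("ssh-rsa", "ssh-dss")

def decode_blob(key_type, b64):
    """Decode a key blob; None unless it starts with the length-prefixed type."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    prefix = struct.pack(">I", len(key_type)) + key_type.encode()
    return blob if blob.startswith(prefix) else None

def parse_key_line(line):
    """Return (type, blob, comment); options or a host field may come first."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, tok in enumerate(fields[:-1]):
        blob = decode_blob(tok, fields[i + 1]) if tok in KEY_TYPES else None
        if blob is not None:
            return tok, blob, " ".join(fields[i + 2:])
    return None

def md5_fingerprint(blob):
    """MD5 fingerprint in the colon form that ssh prints in its warning."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def find_blacklisted(key_lines, blacklist_lines):
    """Return (line_no, type, fingerprint, comment) for each blacklisted key."""
    bad = {l.strip() for l in blacklist_lines if l.strip()[:1] not in ("", "#")}
    hits = []
    for n, parsed in enumerate(map(parse_key_line, key_lines), 1):
        if parsed:
            fp = md5_fingerprint(parsed[1])
            if fp.replace(":", "")[12:] in bad:  # list stores the low 80 bits
                hits.append((n, parsed[0], fp, parsed[2]))
    return hits

# Constructed sample data: placeholder blobs, not real keys.
def fake_key(filler):
    return base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + filler).decode()
WEAK, GOOD = fake_key(b"constructed-weak"), fake_key(b"constructed-good")
SAMPLE_KEYS = ["# constructed authorized_keys sample",
               f"ssh-rsa {GOOD} alice@laptop",
               f'command="/bin/true",no-pty ssh-rsa {WEAK} backup@mythbox']
SAMPLE_BLACKLIST = ["# constructed", hashlib.md5(base64.b64decode(WEAK)).hexdigest()[12:]]
```

Any key that `find_blacklisted` reports should be regenerated and its old public half removed from every authorized_keys file that still lists it.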

Author:  cecil [ Sun May 25, 2008 12:47 am ]
Post subject: 

Resolved in R5.5...

Author:  pao [ Tue May 27, 2008 9:40 pm ]
Post subject: 

Thanks Cecil for getting this in so late in the dev cycle!

Author:  Mon1018 [ Wed May 28, 2008 4:04 am ]
Post subject: 

Great work~ thanks for the instructions.

All times are UTC - 6 hours