
Posted: 5/15/2008 11:17

Ubuntu and Debian Linux Security Issue

Earlier this week, a significant security vulnerability was announced in the OpenSSL package shipped by Debian and by the distributions derived from it, including Ubuntu. A Debian-specific change removed most of the entropy fed to OpenSSL's pseudo-random number generator (PRNG), so the random numbers it produced, and therefore every key generated from them, are predictable: only a small number of distinct keys (on the order of tens of thousands per key type and size) could have been produced on an affected system. The net result is that SSH keys, OpenVPN keys, SSL certificates for secure web pages and any other key material generated with the flawed package since September 2006 can be recovered by an attacker, and any session protected by those keys is open to eavesdropping or impersonation. Windows, Mac OS X and other Unix-based systems do not contain the flawed code, but they are exposed if they use keys or certificates that were generated on an affected system.

If you are running any distribution of Linux, you need to pay attention. Many Linux distributions are based on Debian or Ubuntu and are vulnerable. Distributions derived from Red Hat or other non-Debian code bases are not affected by the flaw itself, but they are still at risk wherever SSL certificates or SSH keys created on a vulnerable system were copied to them, for example a user's public key installed in an authorized_keys file on an unaffected server, or a certificate generated on an Ubuntu workstation and deployed to another host.

The recommendations are: 

  1. Determine whether a particular Linux system is based on Debian or Ubuntu (the presence of /etc/debian_version, or the output of lsb_release -i, will tell you).
  2. If it is, download and apply the vendor's update for this vulnerability from the Debian or Ubuntu website. (The Debian and Ubuntu advisories are listed below for your convenience.)
  3. After the update is installed, regenerate all SSL certificates and SSH keys on the system, including SSH host keys and user keys, and remove the old public keys from authorized_keys files and the old certificates from every server they were deployed to. Note that DSA keys that were merely used on an affected system for authentication or signing should also be treated as compromised, even if they were generated elsewhere, because DSA signatures depend on a secret random value drawn from the same PRNG. Directions are available on the Debian website.
  4. Reduce exposure where possible by limiting access to the Secure Shell service to campus IP addresses and, if necessary, home broadband connections only. Take similar precautions with web servers that do not need to be publicly accessible.
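Step 3 implies a question that the advisory does not answer directly: which of the keys already installed on your systems, affected or not, were generated by the broken PRNG? Debian and Ubuntu answer it with ssh-vulnkey (from the openssh-blacklist package), which fingerprints each key and looks it up in a list of every key the flawed generator could have produced. The script below is an added example, not code from this advisory or from the Debian tools, showing the same check on authorized_keys-style input: it parses each line (skipping comments and leading options such as from="..."), decodes the key blob, determines the key type and size, takes the MD5 fingerprint and looks its last 20 hex digits up in a per-type/size blacklist. The blacklist layout is assumed to match the distribution's (the real lists hold roughly 32,000 entries per type and size), and all sample data is constructed: the moduli are placeholders of the right bit length rather than real RSA keys, and the single blacklist entry is derived from the constructed "weak" key so the example runs offline.

```python
"""Audit authorized_keys-style SSH public keys against a weak-key blacklist.

Added example modelled on what ssh-vulnkey does; not the distribution's code.
"""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa": "RSA", "ssh-dss": "DSA"}


def _mpint(value):
    """Encode a non-negative integer as an SSH mpint (length prefix, big-endian,
    with an extra leading zero byte when the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(data):
    return struct.pack(">I", len(data)) + data


def _read_strings(blob):
    """Split a key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def parse_authorized_keys_line(line):
    """Return (keytype, blob, comment) for one line, or None for blank/comment/junk.
    Leading options are skipped by taking the first token that is a known key type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            return tok, blob, " ".join(tokens[i + 2:])
    return None


def key_size_bits(blob):
    """Modulus size for RSA (fields: ssh-rsa, e, n); prime p size for DSA (ssh-dss, p, q, g, y)."""
    fields = _read_strings(blob)
    keytype = fields[0].decode()
    if keytype == "ssh-rsa":
        modulus = fields[2]
    elif keytype == "ssh-dss":
        modulus = fields[1]
    else:
        raise ValueError("unsupported key type %s" % keytype)
    return int.from_bytes(modulus, "big").bit_length()


def fingerprint(blob):
    """MD5 fingerprint of the key blob as 32 lowercase hex digits (ssh-keygen -l form)."""
    return hashlib.md5(blob).hexdigest()


def is_blacklisted(blob, blacklist):
    """Look the key up under '<TYPE>-<bits>' by the last 20 fingerprint digits (assumed layout)."""
    label = "%s-%d" % (KEY_TYPES[_read_strings(blob)[0].decode()], key_size_bits(blob))
    return fingerprint(blob)[-20:] in blacklist.get(label, set())


def audit(lines, blacklist):
    """Classify every parseable key; a weak key must be removed and replaced."""
    report = []
    for line in lines:
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        keytype, blob, comment = parsed
        report.append({"type": KEY_TYPES[keytype], "bits": key_size_bits(blob),
                       "fingerprint": fingerprint(blob),
                       "weak": is_blacklisted(blob, blacklist), "comment": comment})
    return report


def _rsa_key_line(modulus, comment, options=""):
    """Build an ssh-rsa line from a constructed modulus (placeholder, not a real key)."""
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(modulus)
    line = "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)
    return (options + " " + line) if options else line


# Constructed sample input: 2048-bit placeholder moduli, one line with leading options.
WEAK_LINE = _rsa_key_line((1 << 2047) | 0xDEADBEEF, "weak@debian-host")
CLEAN_LINE = _rsa_key_line((1 << 2047) | 0xCAFEF00D, "clean@other-host",
                           options='from="10.0.0.0/8",no-pty')
SAMPLE_AUTHORIZED_KEYS = ["# keys for user alice", WEAK_LINE, "", CLEAN_LINE]

# Constructed blacklist in the assumed layout; its one entry comes from WEAK_LINE.
SAMPLE_BLACKLIST = {
    "RSA-2048": {fingerprint(parse_authorized_keys_line(WEAK_LINE)[1])[-20:]},
}

if __name__ == "__main__":
    for entry in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print("%s %s-%d %s %s" % ("WEAK" if entry["weak"] else "ok  ", entry["type"],
                                  entry["bits"], entry["fingerprint"], entry["comment"]))
```

Run it against each user's authorized_keys and the host keys in /etc/ssh, with the distribution's blacklist files loaded into the dictionary, on affected and unaffected servers alike; a weak hit on a Red Hat box is exactly the "copied from a vulnerable system" case described above. The same fingerprint-and-lookup approach is what the distributions apply to SSL private keys, which this script does not parse.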


Also be aware that we believe targeted attacks are imminent: a popular penetration-testing tool has already been updated in a way that makes it trivial to compromise many vulnerable systems.

If you have any questions, please contact security@uark.edu or contact the University IT Services Help Desk at 479-575-2905.


References:

US-CERT Vulnerability Note VU#925211: http://www.kb.cert.org/vuls/id/925211
Debian Security Advisory DSA-1571: http://www.debian.org/security/2008/dsa-1571
Ubuntu Security Notice USN-612-1: http://www.ubuntu.com/usn/USN-612-1
