Re: [nslu2-linux] Debian openssl security advisory, and the impact on nslu2-linux firm

  • Phil Endecott, Message 1 of 3, May 14, 2008
      Rod Whitby wrote:
      > We've looked at the SlugOS and Unslung binary releases, and don't
      > believe they are affected.

      Of course the important thing is to find out where your compromised
      keys went, and they could be in a ~/.ssh/authorized_keys file on any
      machine, irrespective of whether that machine's own openssl was broken
      or not. To be on the safe side, everyone should "rm
      /home/*/.ssh/authorized_keys ~root/.ssh/authorized_keys" on all
      machines. Do this very urgently on any internet-accessible machines,
      as the number of keys that an attacker needs to try is very small.


      Phil.
    • olangelsa, Message 2 of 3, May 15, 2008
        --- In nslu2-linux@yahoogroups.com, "Phil Endecott"
        <spam_from_nslu2_linux@...> wrote:
        >
        > Rod Whitby wrote:
        > > We've looked at the SlugOS and Unslung binary releases, and don't
        > > believe they are affected.
        >
        > Of course the important thing is to find out where your compromised
        > keys went, and they could be in a ~/.ssh/authorized_keys file on any
        > machine, irrespective of whether that machine's own openssl was broken
        > or not. To be on the safe side, everyone should "rm
        > /home/*/.ssh/authorized_keys ~root/.ssh/authorized_keys" on all
        > machines. Do this very urgently on any internet-accessible machines,
        > as the number of keys that an attacker needs to try is very small.
        >
        >
        > Phil.
        >

        So, I am using openssl 0.9.7m-3. Is it then correct to assume that my
        system is not affected by this vulnerability?

        Thanks in advance for confirmation.

        Best regards,
      • Rod Whitby, Message 3 of 3, May 15, 2008
          olangelsa wrote:
          > --- In nslu2-linux@yahoogroups.com, "Phil Endecott"
          > <spam_from_nslu2_linux@...> wrote:
          >> Rod Whitby wrote:
          >>> We've looked at the SlugOS and Unslung binary releases, and don't
          >>> believe they are affected.
          >> Of course the important thing is to find out where your compromised
          >> keys went, and they could be in a ~/.ssh/authorized_keys file on any
          >> machine, irrespective of whether that machine's own openssl was broken
          >> or not. To be on the safe side, everyone should "rm
          >> /home/*/.ssh/authorized_keys ~root/.ssh/authorized_keys" on all
          >> machines. Do this very urgently on any internet-accessible machines,
          >> as the number of keys that an attacker needs to try is very small.
          >
          > So, I am using openssl 0.9.7m-3. Is it then correct to assume that my
          > system is not affected by this vulnerability?

          As Phil points out, your system is probably unaffected (no SlugOS or
          Unslung systems are affected), but your keys may be affected if they
          were generated on a vulnerable system.

          You need to either *know* that your keys were generated on a system
          which is not affected, or you need to regenerate your keys. If your
          keys were generated on a SlugOS or Unslung binary firmware system, then
          they should not be affected.

          Note that nslu2-linux cannot take responsibility for the security of
          your system, so you should not take this response as any sort of
          guarantee. There are tools available on Ubuntu now (ssh-vuln) which are
          designed to check your keys for vulnerability.

          -- Rod
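Phil's advice to purge authorized_keys everywhere and Rod's pointer to key-checking tools both come down to knowing which keys each machine trusts. As an added example, not code from the thread or from the nslu2-linux project, this Python script parses authorized_keys entries (including the leading options field), computes the SHA256 fingerprint that `ssh-keygen -lf` prints, and flags entries whose fingerprint is on a blacklist; the key blobs and the blacklist format (a plain set of fingerprints) are constructed assumptions.

```python
import base64
import hashlib
import shlex
import struct

def _wire_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _wire_mpint(x: int) -> bytes:
    # A spare leading byte when the top bit is set keeps the SSH mpint non-negative.
    return _wire_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def make_rsa_blob(e: int, n: int) -> str:
    """Constructed ssh-rsa public-key blob (base64 of the wire encoding); not a real key."""
    return base64.b64encode(_wire_string(b"ssh-rsa") + _wire_mpint(e) + _wire_mpint(n)).decode()

def fingerprint(blob_b64: str) -> str:
    """The SHA256 fingerprint form that `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys_line(line: str):
    """Return (options, keytype, blob, comment), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)  # options such as command="..." may contain spaces
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
            return (" ".join(tokens[:i]) or None, tok, tokens[i + 1], " ".join(tokens[i + 2:]))
    raise ValueError(f"unparseable authorized_keys line: {line!r}")

def audit_authorized_keys(text: str, blacklist: set) -> list:
    """Return [(line_no, keytype, fingerprint, comment, is_blacklisted), ...] per key entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_keys_line(line)
        if parsed is not None:
            _, keytype, blob, comment = parsed
            fp = fingerprint(blob)
            findings.append((n, keytype, fp, comment, fp in blacklist))
    return findings

# Constructed sample data: one key whose fingerprint is on the (assumed-format) blacklist, one clean.
WEAK_BLOB = make_rsa_blob(65537, (1 << 1023) + 12345)
CLEAN_BLOB = make_rsa_blob(65537, (1 << 1023) + 54321)
BLACKLIST = {fingerprint(WEAK_BLOB)}
SAMPLE_FILE = (f'# constructed authorized_keys\ncommand="echo hi there",no-pty ssh-rsa {WEAK_BLOB} backup@oldbox\n'
               f"ssh-rsa {CLEAN_BLOB} admin@slug\n")
```

Run `audit_authorized_keys(open(path).read(), blacklist)` over each `/home/*/.ssh/authorized_keys` and `~root/.ssh/authorized_keys` to see which trusted keys are flagged before deciding what to remove.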