Debian, Ubuntu SSH Under Attack! Fix yours!

praka123

left this forum long back
Debian, Ubuntu SSH Under Attack
Flaw in an SSL package has led to an Internet security storm surge.



May 15, 2008
By Sean Michael Kerner

OpenSSH is one of the most common mechanisms in use for providing secure remote access to servers. A flaw in a key part of how Debian-based Linux distributions like Ubuntu secure OpenSSH has put potentially millions of servers at risk from a brute force attack. The attack could have major implications for the Internet.
The Internet Storm Center (ISC) at SANS is raising the alarm on the issue with a yellow alert on the flaw. According to ISC handler Bojan Zdrnja, the development of automated scripts exploiting key-based SSH authentication looks like a real threat to SSH servers around the world. In a blog post, Zdrnja argued that public keys generated on any Debian-based machine between September 2006 and 13th of May 2008 are vulnerable.



"It is obvious that this is highly critical -- if you are running a Debian or Ubuntu system, and you are using keys for SSH authentication (ironically, that's something we've been recommending for a long time)," Zdrnja wrote. "In other words, those secure systems can be very easily brute forced."



Security researcher HD Moore, leader of the Metasploit security effort, has gone a step further, explaining in a public post how he was able to brute force 1024, 2048 and 4096-bit keys. The flaw itself exists in a Debian-specific version of the OpenSSL package, which generates the keys that are used in OpenSSH. Even though OpenSSL is widely used by other Linux distributions, it is not necessarily at risk according to Moore.


"The flaw in question was introduced by a Debian-specific patch," Moore told InternetNews.com. "This patch was not pushed upstream to the OpenSSL folks, so only distributions based on Debian have this issue."



"It's obviously a very significant issue being a remote exploit," Canonical CEO Mark Shuttleworth told
read more here:
*www.internetnews.com/security/article.php/3747296/Debian+Ubuntu+SSH+Under+Attack.htm

Debian and Ubuntu Users: Fix Your Keys
 