<div class="field field-type-text field-field-referenced-cves"><div class="field-label">Referenced CVEs: </div><div class="field-items"><div class="field-item">CVE-2008-0166</div></div></div><div class="field field-type-text field-field-description"><div class="field-label">Description: </div><div class="field-items"><div class="field-item"><div class="usn">
Ubuntu Security Notice USN-612-3 May 13, 2008
A weakness has been discovered in the random number generator used
by OpenSSL on Debian and Ubuntu systems. As a result of this
weakness, certain encryption keys are much more common than they
should be, such that an attacker could guess the key through a
brute-force attack given minimal knowledge of the system. This
particularly affects the use of shared encryption keys and SSL/TLS
certificates in OpenVPN.
This vulnerability only affects operating systems which (like
Ubuntu) are based on Debian. However, other systems can be
indirectly affected if weak keys are imported into them.
We consider this an extremely serious vulnerability, and urge all
users to act immediately to secure their systems.
The following Ubuntu releases are affected:
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
Once the update is applied, weak shared encryption keys and
SSL/TLS certificates will be rejected where possible (though
they cannot be detected in all cases). If you are using such
keys or certificates, OpenVPN will not start and the keys or
certificates will need to be regenerated.
The safest course of action is to regenerate all OpenVPN
certificates and key files, except where it can be established
to a high degree of certainty that the certificate or shared key
was generated on an unaffected system.
Once the update is applied, you can check for weak OpenVPN shared
secret keys with the openvpn-vulnkey command.
$ openvpn-vulnkey /path/to/key
OpenVPN shared keys can be regenerated using the openvpn command.
$ openvpn --genkey --secret
Additionally, you can check for weak SSL/TLS certificates by
installing openssl-blacklist via your package manager, and using
the openssl-vulnkey command.
$ openssl-vulnkey /path/to/key
Please note that openssl-vulnkey only checks RSA private keys
with 1024 and 2048 bit lengths. If in doubt, destroy the
certificate and/or key and generate a new one. Please consult the
OpenVPN documentation when recreating SSL/TLS certificates.
Also, if certificates have been generated for use on other systems,
they must be found and replaced as well.
Det är för närvarande 1 användare som tittar på det här ämnet. (0 medlemmar och 1 gäster)