OpenSSL Vulnerability!!!

Discussion in 'HOWTO-Related Questions' started by SamTzu, May 16, 2008.

  1. SamTzu

    SamTzu Member HowtoForge Supporter

    Warning Bill Robinson!

    There is a serious security flaw in most of our Debian / Ubuntu based servers!!!

    http://www.ubuntu.com/usn/usn-612-1


    == Who is affected ==

    Systems which are running any of the following releases:
    * Ubuntu 7.04 (Feisty)
    * Ubuntu 7.10 (Gutsy)
    * Ubuntu 8.04 LTS (Hardy)
    * Ubuntu "Intrepid Ibex" (development): libssl <= 0.9.8g-8
    * Debian 4.0 (etch) (see corresponding Debian security advisory)


    Now a question.

    How can we update/regenerate our Open SSL/SSH systems/certificates?
    I my self have just built a nice ISPConfig system with chrooted SSH on Ubuntu 8.04.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Install all available SSL related updates from your linux distribution.

    2) Recreate the ISPConfig SSL Cert for port 81:

    http://www.howtoforge.com/forums/showpost.php?p=358&postcount=4

    3) Recreate the SSL certs for the websites in ISPConfig by going to the website settings and select "Create" as action. Be aware that this will create a new self signed certificate and you will have to sign it again by an SSL authority afterwards.

    4) Recreate all SSH keys and certs that you use on your system. I diont have the exact steps at hand, but I guess you will find them in current threads that are related to this issue in the debian and ubuntu forums.

    5) Recreate the sl certs from postfix (see perfect setup guide)

    6) Recreate the ssl certs for courier or dovecot, if you use ssl encrypted connections.
     
  3. SamTzu

    SamTzu Member HowtoForge Supporter

    thx. I will post here my experiences when I get around to this.
     
  4. bswinnerton

    bswinnerton New Member

    Does this mean that we will have to purchase new certificates? When logging into my SSL signer, my options are revoke or reissue.
     
  5. daveb

    daveb Member

    If you call godaddy ssl support they should give you a extra credit to rekey your cert.
     
  6. bswinnerton

    bswinnerton New Member

    Thanks! Did that and they did it no questions asked.
     
  7. topdog

    topdog Active Member HowtoForge Supporter

    Please NOTE that not only debian/debian based systems are affected, any system that is using keys that were generated on a vulnerable system is affected.

    Given the number of users that use ubuntu based desktop systems am guessing there a ton of servers and other network devices out there that are now at risk of compromise just because debian always wants to do their own thing.
     
  8. bswinnerton

    bswinnerton New Member

    Yes, thank you for pointing that out topdog. A lot of people think that just because their server isn't a debian based server they don't have anything to worry about. If they made the key on their personal ubuntu/debian box they have to re-key it!
     
  9. SamTzu

    SamTzu Member HowtoForge Supporter

    Ok, here goes. Ubuntu 8.04

    This will upgrade the packages that have newer versions available, and install any new dependencies which are required to do that. It also wanted to reinstall the apparmor. (I removed it afterwards.)

    You will see a blue screen that sais...

    After this I redid Postfix
    Redoing the mail certs you should look up in here.

    Now I'm wondering if I still have remake the chrooted SSH I have running here?
     
    Last edited: May 18, 2008
  10. topdog

    topdog Active Member HowtoForge Supporter

    The key regeneration as stated with the update does not seem to work, my ssh keys where not recreated i had to go create new keys and post them to all servers where my public keys is.

    Right now i think the biggest threat is with ssh,openvpn openswan/freeswan/strongswan keys as these allow access to networks and devices.
     
  11. topdog

    topdog Active Member HowtoForge Supporter

Share This Page