HardwareLogic

May 23rd, 2008, #1
screwballl (Colonel Calamity; Join Date: Oct 2006; Location: Sandy South; Posts: 6,279)

Debian team opens linux to hackers

DailyTech - Huge Hole in Open Source Software Found, Leaves Millions Vulnerable

Quote:
Now an even worse security flaw has been found in some of the basic code used by a wide variety of Linux security programs. The error originated back in May 2006 when workers on the open-source security project committed a grave and unrealized error.

A simple programming error reduced the entropy in the generated program keys created by the OpenSSL library. Why does this matter? The OpenSSL library's key generation and other routines are used by the SSH remote access program, the IPsec Virtual Private Network (VPN), the Apache Web server, secure email clients, programs that offer secure internet portals and more.

Just two lines of code created crippling security holes in four different open source operating systems, 25 application programs, and millions of internet-attached computer systems. The vulnerability was publicly discovered for the first time May 13, after having left the door open nearly two years. A patch has been distributed, but that can do nothing to repair the damage that has occurred to compromise systems. Worse yet, it appears that through the installation of compromised keys on other systems, numerous systems not even running the code have likely been compromised.

Quote:
Now that the floodgates are opened, a hacker HD Moore of the Metasploit project has released "toys" to help malicious users crack the poor defenseless Linux and Ubuntu boxes. Moore's website provides lists of precalculated keys based on the bug, to allow malicious users to easily identify vulnerable systems.

Fixing the key problem is not as simple as fixing a buffer overflow vulnerability, another typical security flaw. As the keys generated are actual files, merely patching the system will not change these files. Every single key will need to be replaced in a difficult and time consuming process. Further keys need to be certified and distributed, which takes more time and is error prone.

Quote:
The Valgrind code caused errors, so the programmers simply commented out all the code, including the other methods of generating randomness by accident. Only the code which utilized the process ID, an integer ranging from 0 to 32,767, remained to provide randomness. It turns out the "fix" turned grievous error was not the work of the OpenSSL programmers themselves, but of the Debian team, known for their security expertise.

OpenSSL developer Ben Laurie raged, "Never fix a bug you don't understand! Had Debian [sent the bug to us] in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to 'add value' by getting in between the user of the software and its author."

good job Debian programmer morons.... send this crap to the appropriate teams before sending out the "fix"
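As an added illustration of the mechanism the quoted article describes (this is not code from the article, from OpenSSL or from Debian, and it does not model OpenSSL's real PRNG), a toy Python key generator where the only surviving input to the entropy pool is a process ID in the range 0 to 32,767. The SHA-256 "pool", the 16-byte key length and the `os.urandom` source are assumptions of the toy; the point is that the reachable key space collapses to 32,768 values, which is why a fixed list of weak keys can be built once and used as a detection blocklist, and why every key has to be regenerated rather than just patching the library.

```python
import hashlib
import os
import random

PID_MAX = 32767  # process IDs 0..32767, the only input the quoted text says survived


def mix(*sources: bytes) -> bytes:
    """Toy entropy pool (assumption): hash every source that is actually fed in."""
    h = hashlib.sha256()
    for s in sources:
        h.update(s)
    return h.digest()


def keygen_intact(pid: int) -> bytes:
    """Before the change: the PID and fresh OS randomness both reach the pool."""
    return mix(pid.to_bytes(2, "big"), os.urandom(32))[:16]


def keygen_broken(pid: int) -> bytes:
    """After the change: randomness is still gathered but never mixed in
    (standing in for the commented-out code), so only the PID matters."""
    _never_used = os.urandom(32)
    return mix(pid.to_bytes(2, "big"))[:16]


def reachable_keys(keygen) -> set:
    """Every key the generator can emit when the PID is all that varies."""
    return {keygen(pid) for pid in range(PID_MAX + 1)}


# 32,768 entries: a blocklist a defender can compute once and check keys against.
WEAK_KEYS = reachable_keys(keygen_broken)


def is_known_weak(key: bytes) -> bool:
    """Detection: does this key fall inside the enumerable space?"""
    return key in WEAK_KEYS


def distinct_over_runs(keygen, runs: int, seed: int = 7) -> int:
    """How many different keys `runs` machines end up with, using a
    constructed deterministic sequence of PIDs (seeded, for repeatability)."""
    rng = random.Random(seed)
    return len({keygen(rng.randrange(PID_MAX + 1)) for _ in range(runs)})


if __name__ == "__main__":
    print("reachable keys after the change:", len(WEAK_KEYS))
    print("broken key flagged:", is_known_weak(keygen_broken(4242)))
    print("intact key flagged:", is_known_weak(keygen_intact(4242)))
```

With the broken generator, 100,000 simulated machines share at most 32,768 keys, so the same key file turns up on many unrelated hosts; with the intact generator every run is unique.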