Predictable random number generator discovered in the Debian version of OpenSSL
Friday, May 16, 2008
A major security hole was discovered in the pseudo-random number generator (PRNG) of the Debian version of OpenSSL. OpenSSL is one of the most used cryptographic software, that allows the creation of secure network connections with the protocols called SSL and TLS. It is included in many popular computer programs, like the Mozilla Firefox web browser and the Apache web server. Debian is one of the most used GNU/Linux distributions, on which are based other distributions, like Ubuntu and Knoppix. The problem affects all the Debian-based distributions that were used to create cryptographic keys since the September 17, 2006. The bug was discovered by Luciano Bello, an argentine Debian package maintainer, and was announced on May 13, 2008.
This vulnerability was caused by the removal of two lines of code from the original version of the OpenSSL library. These lines were used to gather some entropy data by the library, needed to seed the PRNG used to create private keys, on which the secure connections are based. Without this entropy, the only dynamic data used was the PID of the software. Under Linux the PID can be a number between 1 and 32,768, that is a too small range of values if used to seed the PRNG and will cause the generation of predictable numbers. Therefore any key generated can be predictable, with only 32,767 possible keys for a given architecture and key length, and the secrecy of the network connections created with those keys is fully compromised.
These lines were removed as "suggested" by two audit tools (Valgrind and Purify) used to find vulnerabilities in the software distributed by Debian. These tools warned the Debian maintainers that some data was used before its initialization, that normally can lead to a security bug, but this time it was not the case, as the OpenSSL developers wrote on March 13, 2003. Anyway this change was erroneously applied on September 17, 2006, when the OpenSSL Debian version 0.9.8c-1 was released to the public.
Even though the Debian maintainer responsible for this software released a patch to fix this bug on May 8, 2008, the impact may be severe. In fact OpenSSL is commonly used in software to protect the passwords, to offer privacy and security. Any private key created with this version of OpenSSL is weak and must be replaced, included the session keys that are created and used only temporary. This means that any data encrypted with these keys can be decrypted without a big deal, even if these keys are used (but not created) with a version of the library not affected, like the ones included in other operating systems.
For example any web server running under any operating system may use a weak key created on a vulnerable Debian-based system. Any encrypted connection (HTTPS) to this web server established by any browser can be decrypted. This may be a serious problem for sites that requires a secure connection, like banks or private web sites. Also, if some encrypted connection was recorded in the past, it can be decrypted in the same way.
Another serious problem is for the network security software, like OpenSSH and OpenVPN, that are used to encrypt the traffic to protect passwords and grant the access to an administrative console or a private network protected by firewalls. This may allows hackers to gain unwanted access to private computers, networks or data traveled over the network, even if a not affected version of OpenSSL was used.
The same behavior can be applied to any software or protocol that use SSL, like POP3S, SSMTP, FTPS, if used with a weak key. This is the case of Tor, software used to offer strong anonymity on the TCP/IP, where about 300 of 1,500-2,000 nodes used a weak key. With 15-20% of weak Tor nodes, there is a probability of 0.34-0.8% circa to build a circuit that has all tree nodes weak, resulting in a full loss of anonymity. Also the case of only one weak node begin used may facilitate some types of attack to the anonymity. The Tor hidden services, a sort of anonymous public servers, are affected too. However the issue was speedily addressed on May 14, 2008.
The same problem also interested anonymous remailers like Mixmaster and Mixminion, that use OpenSSL to create the remailer keys for the servers and the nym keys for the clients. Although currently there is no official announcement, at least two remailer changed their keys because were weak.
- H D Moore. "Debian OpenSSL Predictable PRNG Toys" — , May 16, 2008
- Frell Remailer Admins. "Frell: New keys" — , May 14, 2008
- Bananasplit Admin. "Banana has new keys" — , May 14, 2008
- Roger Dingledine. "The Debian OpenSSL flaw: what does it mean for Tor clients?" — , May 13, 2008
- Geoff Thorpe. "Avoid uninitialized data in random buffer" — , March 13, 2003