[Tfug] Debian SSH vulnerability
Tom Rini
trini at kernel.crashing.org
Wed May 14 14:18:11 MST 2008
On Tue, May 13, 2008 at 07:34:29PM -0700, Jeff Breadner wrote:
> John Gruenenfelder wrote:
> > However, my understanding is also that you (and your systems) are only
> > affected by this vulnerability if your keys were created *after* the package
> > maintainer broke the random number generation and, obviously, before the
> > bugfix was released.
>
> On my system (kubuntu 8.04), when I applied the latest updates, a new
> utility 'ssh-vulnkey' was installed. You can use this to identify which
> keys are vulnerable to this attack vector, and which are OK.
Which "might" be vulnerable. For the past few weeks I've been seeing a
ton of attempted logins to my home box, which was fine as no user keys
(host key was bad 'tho) were vulnerable, so no logins. But I figured
something must be up...
But this is the fun part. This isn't so much a "oh, you can login to
everyone's box now with user A/pass B" but a "if you really wanna steal
what juser has been doing, here's a possible vector..". At least that's my
take on it, but I'm not on vendor-sec anymore..
--
Tom Rini
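The "might be vulnerable" point above comes down to what ssh-vulnkey actually does: it matches a key's fingerprint against a published list of the fingerprints the broken generator could produce. The following is an added example, not code from this thread or from the ssh-vulnkey tool: it builds authorized_keys-style lines from constructed key numbers (not real keys), computes the legacy MD5 fingerprint, and flags keys whose fingerprint suffix appears in a constructed blocklist; the 80-bit suffix granularity is an assumption about the blocklist layout, not taken from this page.

```python
import base64
import hashlib

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes (RFC 4251)."""
    return len(b).to_bytes(4, "big") + b

def ssh_mpint(n: int) -> bytes:
    """SSH mpint for a positive integer: big-endian, leading 0x00 if the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_blob(e: int, n: int) -> bytes:
    """Public-key blob of an ssh-rsa key, the part that is base64-encoded in authorized_keys."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form ssh-keygen -l printed in 2008."""
    return ":".join(hashlib.md5(blob).hexdigest()[i:i + 2] for i in range(0, 32, 2))

def fingerprint_suffix(blob: bytes) -> str:
    """Last 80 bits (20 hex digits) of the MD5 fingerprint; assumed to match the blocklist granularity."""
    return hashlib.md5(blob).hexdigest()[-20:]

def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line; skips blanks, '#' lines and a leading options field."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        while fields and not fields[0].startswith("ssh-"):
            fields.pop(0)  # drop options such as from="..." (options containing spaces not handled)
        if len(fields) < 2:
            continue
        yield fields[0], base64.b64decode(fields[1]), " ".join(fields[2:])

def find_weak_keys(text: str, blocklist: set) -> list:
    """Return (key_type, comment, fingerprint) for every key whose fingerprint suffix is blocklisted."""
    return [(kt, comment, md5_fingerprint(blob))
            for kt, blob, comment in parse_authorized_keys(text)
            if fingerprint_suffix(blob) in blocklist]

# Constructed sample data: the moduli are small made-up integers, not real keys.
ALICE_BLOB = rsa_blob(65537, 0xDEADBEEFCAFEF00D)
BOB_BLOB = rsa_blob(65537, 0x1234567890ABCDEF)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    f"ssh-rsa {base64.b64encode(ALICE_BLOB).decode()} alice@laptop",
    f'from="10.0.0.0/8" ssh-rsa {base64.b64encode(BOB_BLOB).decode()} bob@desktop',
])
# Constructed blocklist standing in for the distribution's blacklist files: lists alice's key only.
CONSTRUCTED_BLOCKLIST = {fingerprint_suffix(ALICE_BLOB)}
```

A key that is flagged was generated by the broken code and should be replaced; a key that is not flagged is simply not on the list, which says nothing about whether it was ever used to log in.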