All software professionals know of tricky software bugs. We all have spend endless hours spotting, correcting and analyzing our software code.
A programming error dated back in May 2006, reduced the amount of entropy used to create the cryptographic keys in a piece of code called the OpenSSL library, which is used by programs like the Apache Web server, the SSH remote access program, the IPsec Virtual Private Network (VPN), secure e-mail programs, some software used for anonymously accessing the Internet, and so on.
So instead of the security system to be able to generate millions of cryptographic keys, it reduced the number of different keys that these Linux computers can generate to 32,767 different keys, depending on the computer’s processor architecture, the size of the key, and the key type.
The number of systems affected is unknown. Vulnerable keys have being found to Debian and Ubuntu Linux distributions.
How that happened? Apparently some programmers using an automated tool, called Valgrind, discovered that the OpenSSL library was using a block of memory without initializing the memory to a known state. That is generally bad, but for the OpenSSL library is intentionally used to help generate randomness.
Why the programmers did not inform the original authors of OpenSSL library?
“Never fix a bug you don’t understand!” said OpenSSL developer Ben Laurie on his blog.
That statement is so true. The mistake is an innocent mistake and not an attempt to introduce secret vulnerabilities. (Garfinkel, 2008)
Why the code documentation did not mention the intended use of the code?
Why they did not inform the original author of the code?
How many more vulnerabilities are lay hidden for years?
A lesson hard learned. Made me thinking about the quality of code documentation in some open projects, but most of all puzzled me the negligence to inform the original author of the bug, especially of that magnitude.
Be careful when using automated code analysis tools particular on code that you have not written yourself.
At least in Open Source software someone can review the bugs and inform the community.
This is the link to Debian security advisor on OpenSSL. http://www.us.debian.org/security/2008/dsa-1571 The security advisor states that it is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch.
A detector for known weak key material is available at: http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
Reference
Simson Garfinkel (2008). Alarming Open – Source Security Holes. Technology Review Available at: http://www.technologyreview.com/Infotech/20801/page1/
No Responses to “Scaring Open-Source Security Holes”