Even though a vulnerability in the OpenSSL library used to generate key pairs on Debian-based Linux distributions has been fixed, IT administrators will be hard-pressed to ensure each key is unbreakable, a security researcher said this week.
“We’ll keep seeing buggy SSL and SSH keys,” H.D. Moore, director of security research for BreakingPoint Systems and creator of the Metasploit framework, told SCMagazineUS.com. “It’s hard to [fix] every single list of keys on every single box.”
The bug is caused by a weakness in the random number generator used to create SSL and SSH public and private cryptographic keys, used to secure website traffic.
The random generator only results in about 32.767 possible keys, which could be cracked using a tactic known as brute force, in which every possible password is tried, said Moore, who has released an automated tool for cracking the keys.
Exploiting the hole could result in an attacker intercepting customer traffic without them knowing, experts said.
“As a result of the vulnerability, the keys generated using the flawed OpenSSL package may be weak,” a US-CERT advisory said last week. “Exploitation of these vulnerabilities may allow a remote, unauthenticated attacker to conduct brute force attacks and obtain sensitive information.”
Moore said administrators should use a scanning tool to look for vulnerable keys that make up a blacklist, published by the Debian Project.
Meanwhile, SSL certificate provider VeriSign said Monday that it is launching a free program that will revoke and replace any SSL, code signing or client certificate. The offer runs through June 30.