Initial release: May 15, 2008
On Monday, May 13th, a vulnerability in Debian's implementation of OpenSSL was announced. Luciano Bello discovered a flaw in the random number generator that allows cryptographic keys generated by Debian's package of OpenSSL to be guessed.
Any system using cryptographic keys generated by an affected Debian version of OpenSSL is vulnerable. This includes keys generated on a vulnerable system and then used on a non-vulnerable system.
The vulnerable code first appeared in version 0.9.8c-1 and was uploaded to "Debian unstable" on September 17th, 2006.
Several types of cryptographic keys are affected, including SSH keys, OpenVPN keys, DNSSEC keys, key material for use in X.509 certificates and session keys used in SSL/TLS connections. See the Debian wiki for a complete list.
Keys generated with GnuPG or GNUTLS are not believed to be affected.
The ITSO has not seen exploitation of this vulnerability on the University network but is aware of exploit code and tools being distributed.
The ITSO recommends that administrators of Debian-based systems immediately apply the appropriate patches and replace any affected cryptographic keys. Further, any SSH DSA keys used on affected systems should be replaced regardless of where they were originally generated.
Debian has released this tool to assist in identifying affected keys.
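As an added example (not part of the original advisory and not Debian's tool), the following Python script inventories the keys in an `authorized_keys` file and marks SSH DSA keys for replacement, as recommended above. The `known_weak` set, the action labels and the MD5 fingerprint format used for matching are assumptions of this example, and the sample keys are constructed filler, not real keys.

```python
import base64
import hashlib

def fingerprint_md5(blob):
    """MD5 fingerprint of a public key blob, colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_key_line(line):
    """Return (key_type, blob) from an authorized_keys or .pub line, else None."""
    fields = line.split()
    for declared, encoded in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(encoded, validate=True)
        except ValueError:
            continue  # an option or comment field, not key data
        name_len = int.from_bytes(blob[:4], "big")
        # The blob embeds its own type name; a mismatch means this is not key data.
        if blob[4:4 + name_len] == declared.encode():
            return declared, blob
    return None

def audit_keys(text, known_weak=frozenset()):
    """Return (line_no, key_type, fingerprint, action) for each key in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parsed = None if line.lstrip().startswith("#") else parse_key_line(line)
        if parsed is None:
            continue
        key_type, blob = parsed
        fp = fingerprint_md5(blob)
        action = "CHECK"  # not flagged here; still needs checking with Debian's tool
        if fp in known_weak:  # hypothetical caller-supplied list of affected keys
            action = "REPLACE_LISTED"
        elif key_type == "ssh-dss":  # advisory: replace DSA keys regardless of origin
            action = "REPLACE_DSA"
        findings.append((line_no, key_type, fp, action))
    return findings

def constructed_line(key_type, filler, prefix=""):
    """Build a well-formed key line from filler bytes (constructed, not a real key)."""
    blob = len(key_type).to_bytes(4, "big") + key_type.encode() + filler
    return f"{prefix}{key_type} {base64.b64encode(blob).decode()} constructed@example"

SAMPLE = "\n".join([  # constructed authorized_keys content
    constructed_line("ssh-rsa", b"filler-1"),
    constructed_line("ssh-dss", b"filler-2", 'command="echo hi there" '),
])
if __name__ == "__main__":
    print(*audit_keys(SAMPLE), sep="\n")
```

Keys reported as `CHECK` are not cleared by this script; whether they were generated by an affected OpenSSL package still has to be determined with Debian's tool.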
No workarounds are known to exist at this time.