Overclock.net › Forums › Industry News › Software News › [DT] Huge Hole in Open Source Software Found, Leaves Millions Vulnerable
New Posts  All Forums:Forum Nav:

[DT] Huge Hole in Open Source Software Found, Leaves Millions Vulnerable  

post #1 of 33
Thread Starter 
Quote:
It is incredible just how big the effects of the newly discovered error in open source key generation is


For all the criticism of Microsoft and its security flaws, the software giant has made an impressive turnaround. While Vista has been derided for a variety of reasons, most would agree that it’s much more secure than Windows XP. Recently, a hacker conference showed just how vulnerable systems running Mac OS X are, due to their slow rate of patches. The Mac machine was hijacked within 10 minutes, while the Linux and Windows boxes survived the day.

Now an even worse security flaw has been found in some of the basic code used by a wide variety of Linux security programs. The error originated back in May 2006 when workers on the open-source security project committed a grave and unrealized error.

A simple programming error reduced the entropy in the generated program keys created by the OpenSSL library. Why does this matter? The OpenSSL library's key generation and other routines are used by the SSH remote access program, the IPsec Virtual Private Network (VPN), the Apache Web server, secure email clients, programs that offer secure internet portals and more.

Just two lines of code created crippling security holes in four different open source operating systems, 25 application programs, and millions of internet-attached computer systems. The vulnerability was publicly discovered for the first time May 13, after having left the door open nearly two years. A patch has been distributed, but that can do nothing to repair the damage that has occurred to compromise systems. Worse yet, it appears that through the installation of compromised keys on other systems, numerous systems not even running the code have likely been compromised.

To understand the error fully, a basic discussion on cryptography is essential. On a network anyone can peek at traffic, which is bad news for anyone sharing personal information. However, by using keys, information can be encrypted and then decrypted on the other side by a friendly computer with the proper key. As a "secure key" is typically 128 bits, which is 2128 or about 3.4*1038, the possibility of breaking the key by merely by a brute force attack is out of the realm of modern computing power. A brute force attack simply involves guessing every single number, but to try to do this on a number of this size would take many years.

However, the system falls apart if the computer can only make a small set of keys, despite the large key size. To a normal user the key looks fine, it’s the right size, and the data is being encrypted as it’s sent out. However, to the malicious user they can now use brute force attacks to guess the key and monitor your activity, opening the door to surveillance and exploitation. This is exactly what has resulted based on the newly discovered error.

The error reduced the number of keys that Linux can generate from 2128 to approximately 215. The error was not caught until now because the keys were still 128 bits and to the human eye looked random. If the system had consistently produced one key, this problem would have been caught, but instead it produced a variety of keys, but a much smaller variety. The number of keys the system can generate varies with processor architecture, the size of the key, and the type of the key, but all keys using the flawed code will be greatly reduced in their number of possibilities.

Now that the floodgates are opened, a hacker HD Moore of the Metasploit project has released "toys" to help malicious users crack the poor defenseless Linux and Ubuntu boxes. Moore's website provides lists of precalculated keys based on the bug, to allow malicious users to easily identify vulnerable systems.

Fixing the key problem is not as simple as fixing a buffer overflow vulnerability, another typical security flaw. As the keys generated our actual files, merely patching the system will not change these files. Every single key will need to be replaced in a difficult and time consuming process. Further keys need to be certified and distributed, which takes more time and is error prone.

Debian, the Linux variant used largely by security professionals, and Ubuntu, the variant most commonly used by home users are both affected. Furthermore, Windows servers may be compromised as well if they are using keys generated on Linux systems.

Ironically the bug originated from an automated tool known as Valgrind which is supposed to reduce programming bugs which lead to security vulnerabilities. It found that a block memory was not being properly initialized, meaning that it would contain random information. The automated tool politely inserted code to clean up the block of memory making it all zeros. The only problem was that the system was intentionally using the block's unknown to get randomness to generate the keys. The library also gets randomness from mouse movements, keystroke timings, network packet arrival timings, and even microvariations in hard drive speed.

The Valgrind code caused errors, so the programmers simply commented out all the code, including the other methods of generating randomness on accident. Only the code which utilized the process ID, an integer ranging from 0 to 32,767, remained to provide randomness. It turns out the "fix" turned grievous error was not the work of the OpenSSL programmers themselves, but of the Debian team, known for their security expertise.

OpenSSL developer Ben Laurie raged, "Never fix a bug you don't understand! Had Debian [sent the bug to us] in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to 'add value' by getting in between the user of the software and its author."

One developer more alarmingly points out that the vulnerability has showed a perhaps fatal flaw in the state of the open source industry and in the computer security in general. One programmer can make a major change which can be blindly accepted by other developers with little understanding of the implications. This reckons back to controversial statements made by Steve Gibson, a highly respected security consultant, when a major bug was found in Windows. Gibson suggested that rather than dumb error, it was an intentional attempt to create an open back door. While hopefully the Linux vulnerability was not maliciously created, the possibility of such a development remains.

Like Alice in Wonderland, it is often amazing to see just far down the rabbit hole goes in terms of the breadth of these kinds of problems. And this problem is clearly illustrative that unless a more comprehensive methodology of security development is adopted, these problems will only persist and multiply with time.
DT
ElRigTheRig
(13 items)
 
  
CPUMotherboardGraphicsRAM
Q6600 G0 @ 2.4 GHz Asus Maximus Formula Asus EN8800GT 512MB 4GB G.Skill DDR2-1000 
Hard DriveOptical DriveOSMonitor
1.858TB (3x JBOD) HP 16x DVD Burner Vista Ultimate x64 SP2 24" FPD2485 Gateway LCD 
KeyboardPowerCaseMouse
Razer Lycosa Ultra X3 1000w Antec P182 Logitech G5 
Mouse Pad
Razer Xact Mat 
  hide details  
ElRigTheRig
(13 items)
 
  
CPUMotherboardGraphicsRAM
Q6600 G0 @ 2.4 GHz Asus Maximus Formula Asus EN8800GT 512MB 4GB G.Skill DDR2-1000 
Hard DriveOptical DriveOSMonitor
1.858TB (3x JBOD) HP 16x DVD Burner Vista Ultimate x64 SP2 24" FPD2485 Gateway LCD 
KeyboardPowerCaseMouse
Razer Lycosa Ultra X3 1000w Antec P182 Logitech G5 
Mouse Pad
Razer Xact Mat 
  hide details  
post #2 of 33
MS should make a comercial of pc vs mac where pc's fighting off like hijackers at a bank or something.. With an awesome karate kid headband.. while macs being taken hostage w/ a gun to his head.. That'd be fun
Das Boot
(13 items)
 
  
CPUMotherboardGraphicsRAM
Athlon II X4 630 3.5ghz Gigabyte GA-880GM-UD2H nVidia 9600GT 512mb 4GB Patriot DDR3 1333MHZ 
Hard DriveOptical DriveOSMonitor
Western Digital 320 GB Samsung DVD/RW Windows 10 Acer 19" WS 1440x900 
KeyboardPowerCaseMouse
USB Keyboard Antec Earthwatts 500 Watts Antec Sonata Logitech usb 
Mouse Pad
None 
  hide details  
Das Boot
(13 items)
 
  
CPUMotherboardGraphicsRAM
Athlon II X4 630 3.5ghz Gigabyte GA-880GM-UD2H nVidia 9600GT 512mb 4GB Patriot DDR3 1333MHZ 
Hard DriveOptical DriveOSMonitor
Western Digital 320 GB Samsung DVD/RW Windows 10 Acer 19" WS 1440x900 
KeyboardPowerCaseMouse
USB Keyboard Antec Earthwatts 500 Watts Antec Sonata Logitech usb 
Mouse Pad
None 
  hide details  
post #3 of 33
Quote:
Originally Posted by Vegnagun666 View Post
MS should make a comercial of pc vs mac where pc's fighting off like hijackers at a bank or something.. With an awesome karate kid headband.. while macs being taken hostage w/ a gun to his head.. That'd be fun
Yeah those Mac commercials are starting to get very annoying, since no single OS is so amazing that the others can't compete. I feel that's how it's being advertised.
post #4 of 33
Wow - that is one of the most blatantly sensationalist "news articles" I've seen posted on this site.
It goes to eleven
(13 items)
 
  
CPUMotherboardGraphicsRAM
E6300 DS3 EVGA 8600GTS 2GB XMS2 DDR2-800 
Hard DriveOSMonitorKeyboard
1.294 TB Arch Linux/XP Samsung 226bw Eclipse II 
PowerCaseMouse
Corsair 520HX Lian-Li v1000B Plus G7 
  hide details  
It goes to eleven
(13 items)
 
  
CPUMotherboardGraphicsRAM
E6300 DS3 EVGA 8600GTS 2GB XMS2 DDR2-800 
Hard DriveOSMonitorKeyboard
1.294 TB Arch Linux/XP Samsung 226bw Eclipse II 
PowerCaseMouse
Corsair 520HX Lian-Li v1000B Plus G7 
  hide details  
post #5 of 33
Quote:
Originally Posted by jigglylizard View Post
Yeah those Mac commercials are starting to get very annoying, since no single OS is so amazing that the others can't compete. I feel that's how it's being advertised.
I think it's sad that there aren't enough upsides to a Mac, so in their commercials they have to bash Windows rather than saying why Macs "are the better buy".

Hmm, sounds like politicians doesn't it?
Cataclysm
(20 items)
 
  
CPUMotherboardGraphicsRAM
Q6600 G0 GA-EP45-UD3P Rev. 1.0 Sapphire 4850 4x 2GB DDR2-1066 
Hard DriveHard DriveOptical DriveCooling
WD1600AAJS Random IDE Sony DVD Burner Tuniq Tower 120 
CoolingCoolingCoolingOS
6x 120mm Scythe SY1225SL12SH Fans Thermalright T-RAD2 2x 92mm Scythe DFS922512M-PWM Fans Windows 7 Ultimate x64 SP1 
MonitorMonitorKeyboardPower
Acer 19" @ 1400x900 Sceptre 19" @ 1280x1024 Cherry G81-7000LPAUS-2 (MY Switches) Corsair 650TX 
CaseMouseMouse PadAudio
Antec 900 Razer Diamondback 3G A black one with a cat in a hammock Asus Xonar D1 
  hide details  
Cataclysm
(20 items)
 
  
CPUMotherboardGraphicsRAM
Q6600 G0 GA-EP45-UD3P Rev. 1.0 Sapphire 4850 4x 2GB DDR2-1066 
Hard DriveHard DriveOptical DriveCooling
WD1600AAJS Random IDE Sony DVD Burner Tuniq Tower 120 
CoolingCoolingCoolingOS
6x 120mm Scythe SY1225SL12SH Fans Thermalright T-RAD2 2x 92mm Scythe DFS922512M-PWM Fans Windows 7 Ultimate x64 SP1 
MonitorMonitorKeyboardPower
Acer 19" @ 1400x900 Sceptre 19" @ 1280x1024 Cherry G81-7000LPAUS-2 (MY Switches) Corsair 650TX 
CaseMouseMouse PadAudio
Antec 900 Razer Diamondback 3G A black one with a cat in a hammock Asus Xonar D1 
  hide details  
post #6 of 33
Come on guys, this is a little late for an April Fools joke! Besides, no one is going to believe this, we all know that Linux, like the Titanic, is impervious to attack (and sinking).
System
(13 items)
 
  
CPUMotherboardGraphicsRAM
Core i7 2500k ASRock P67 Extreme4 Gen 3 AMD 7970 16GB DDR3 
Hard DriveOptical DriveOSMonitor
Intel 520 256GB SATA DVD Burner Windows 7 64 bit Deal U2410 
KeyboardPowerMouse
Adesso Mechanical Silverstone OP650 Logitech G700 
  hide details  
System
(13 items)
 
  
CPUMotherboardGraphicsRAM
Core i7 2500k ASRock P67 Extreme4 Gen 3 AMD 7970 16GB DDR3 
Hard DriveOptical DriveOSMonitor
Intel 520 256GB SATA DVD Burner Windows 7 64 bit Deal U2410 
KeyboardPowerMouse
Adesso Mechanical Silverstone OP650 Logitech G700 
  hide details  
post #7 of 33
Wow I guess all of the linux fanboys are too stunned to respond...


Closed Source: 0, Open Source: -1


This is why I hate all of this library and dependency and compile before you install crap, because if someone who has no idea your project exists and just happens to be working on one of the dozens of dependencies you're using screws up you're screwed too. Its like trying to build an upside down pyramid.
    
CPUMotherboardGraphicsRAM
Core i5 4670k ASUS Maximus VI Gene Gigabyte GTX 460 1GB Kingston Hyper-X 
Hard DriveHard DriveHard DriveHard Drive
Samsung 830 OCZ Vertex 3 WD6401AALS WD5000AAKS 
CoolingOSMonitorMonitor
Noctua NH-D14 elementary OS Dell Ultrasharp U2312HM LG W2442PA-BF 
KeyboardPowerCaseMouse
Microsoft Sidewinder X4 Corsair HX750W Corsair Graphite 600T Logitech G700 
Audio
ASUS Xonar DG 
  hide details  
    
CPUMotherboardGraphicsRAM
Core i5 4670k ASUS Maximus VI Gene Gigabyte GTX 460 1GB Kingston Hyper-X 
Hard DriveHard DriveHard DriveHard Drive
Samsung 830 OCZ Vertex 3 WD6401AALS WD5000AAKS 
CoolingOSMonitorMonitor
Noctua NH-D14 elementary OS Dell Ultrasharp U2312HM LG W2442PA-BF 
KeyboardPowerCaseMouse
Microsoft Sidewinder X4 Corsair HX750W Corsair Graphite 600T Logitech G700 
Audio
ASUS Xonar DG 
  hide details  
post #8 of 33
He saw that, and then he RAGED.
Akiyama Mio
(13 items)
 
  
CPUMotherboardGraphicsRAM
E6420 @ stock, 0.98v Asus P5N-E SLI Gainward GTX 460 1GB @ 800/1600/1900 2x2GB Kingston @ 800MHz 5-5-5-15 2T 
Hard DriveOptical DriveOSMonitor
WD 250GB, 320GB SATA/3, 16MB Cache, Seagate 1TB LG GSA-H62N 18x SATA Ubuntu 9.10 x86 & Win7 x86 Asus VW222U 
KeyboardPowerCase
Logitech Classic Corsair 650HX NZXT Apollo Black 
  hide details  
Akiyama Mio
(13 items)
 
  
CPUMotherboardGraphicsRAM
E6420 @ stock, 0.98v Asus P5N-E SLI Gainward GTX 460 1GB @ 800/1600/1900 2x2GB Kingston @ 800MHz 5-5-5-15 2T 
Hard DriveOptical DriveOSMonitor
WD 250GB, 320GB SATA/3, 16MB Cache, Seagate 1TB LG GSA-H62N 18x SATA Ubuntu 9.10 x86 & Win7 x86 Asus VW222U 
KeyboardPowerCase
Logitech Classic Corsair 650HX NZXT Apollo Black 
  hide details  
post #9 of 33
Please, don't believe this rubbish.

If anything, this proves Linux is more secure. How long after discovery did it get patched? Almost instantly.

If no one knew about this, then it wasn't a problem. What matters is the time the flaw is in the wild, ready to be abused.

Every piece of software has bugs. In FOSS, they get fixed fast.
Shinobu
(16 items)
 
Nodoka
(16 items)
 
Index
(4 items)
 
CPUMotherboardGraphicsRAM
Intel Core i5-3570K Asus P8Z77-I Deluxe HD6450 Flex Crucial 16GB (2x 8GB) Ballistix Elite 
Hard DriveHard DriveOSMonitor
Samsung SSD 840 EVO 250GB TOSHIBA DT01ACA300 Arch Linux Dell UltraSharp U2713HM 
MonitorMonitorKeyboardPower
Dell U2410 Dell 2407WFP Cherry - Cherry Blue Switches (Unlabeled keys) Seasonic X-650 
CaseMouseAudioAudio
BitFenix Prodigy Black Logitech M570 Trackball Sennheiser HD595 Creative GigaWorks T20 
CPUMotherboardGraphicsRAM
Intel Core i5 3570K Zotac Z77-ITX WiFi EVGA 680 GTX Samsung 
Hard DriveHard DriveOSMonitor
Samsung 256GB 830 Samsung SpinPoint HD501LJ Windows 7 Dell U2410 
MonitorMonitorKeyboardCase
Dell 2407WFP Dell E248WFP Cherry Black (MX Blue Switches, Blank Keys) Silverstone Sugi SG08B 
MouseAudioAudio
Logitech Trackman Logitech Z-5500 Sennheiser HD595s 
CPUMotherboardRAMHard Drive
AMD Athlon II X2 240e Asus M5A78L-M/USB3 Crucial 8GB (2x4GB) DDR3 1600Mhz Ballistix Sport 1.5TB Hard Drives 
  hide details  
Shinobu
(16 items)
 
Nodoka
(16 items)
 
Index
(4 items)
 
CPUMotherboardGraphicsRAM
Intel Core i5-3570K Asus P8Z77-I Deluxe HD6450 Flex Crucial 16GB (2x 8GB) Ballistix Elite 
Hard DriveHard DriveOSMonitor
Samsung SSD 840 EVO 250GB TOSHIBA DT01ACA300 Arch Linux Dell UltraSharp U2713HM 
MonitorMonitorKeyboardPower
Dell U2410 Dell 2407WFP Cherry - Cherry Blue Switches (Unlabeled keys) Seasonic X-650 
CaseMouseAudioAudio
BitFenix Prodigy Black Logitech M570 Trackball Sennheiser HD595 Creative GigaWorks T20 
CPUMotherboardGraphicsRAM
Intel Core i5 3570K Zotac Z77-ITX WiFi EVGA 680 GTX Samsung 
Hard DriveHard DriveOSMonitor
Samsung 256GB 830 Samsung SpinPoint HD501LJ Windows 7 Dell U2410 
MonitorMonitorKeyboardCase
Dell 2407WFP Dell E248WFP Cherry Black (MX Blue Switches, Blank Keys) Silverstone Sugi SG08B 
MouseAudioAudio
Logitech Trackman Logitech Z-5500 Sennheiser HD595s 
CPUMotherboardRAMHard Drive
AMD Athlon II X2 240e Asus M5A78L-M/USB3 Crucial 8GB (2x4GB) DDR3 1600Mhz Ballistix Sport 1.5TB Hard Drives 
  hide details  
post #10 of 33
Quote:
Originally Posted by lattyware View Post
Please, don't believe this rubbish.

If anything, this proves Linux is more secure. How long after discovery did it get patched? Almost instantly.

If no one knew about this, then it wasn't a problem. What matters is the time the flaw is in the wild, ready to be abused.

Every piece of software has bugs. In FOSS, they get fixed fast.
Don't even try to convince these people. It's not worth it.

I lack understanding on how there can be a forum that's a giant circle-jerk about Microsoft. It just doesn't make any sense.
FX Rig
(13 items)
 
  
CPUMotherboardGraphicsRAM
AMD FX-8320e Gigabyte GA-970A-UD3P Sapphire R9 380 4GB 2x8GB Crucial Ballistix DDR3-1600 
Hard DriveHard DriveOptical DriveCooling
Intel 240GB SSD HGST 4TB Storage DVD-RW Cooler Master Hyper 212 EVO 
OSMonitorPowerCase
Windows 7 x64 AOC 27" 1080p Corsair CX750m Corsair 200R 
Audio
Asus Xonar DS 
  hide details  
FX Rig
(13 items)
 
  
CPUMotherboardGraphicsRAM
AMD FX-8320e Gigabyte GA-970A-UD3P Sapphire R9 380 4GB 2x8GB Crucial Ballistix DDR3-1600 
Hard DriveHard DriveOptical DriveCooling
Intel 240GB SSD HGST 4TB Storage DVD-RW Cooler Master Hyper 212 EVO 
OSMonitorPowerCase
Windows 7 x64 AOC 27" 1080p Corsair CX750m Corsair 200R 
Audio
Asus Xonar DS 
  hide details  
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Software News
This thread is locked  
Overclock.net › Forums › Industry News › Software News › [DT] Huge Hole in Open Source Software Found, Leaves Millions Vulnerable