Debian flaw exposes communications breakdown

A Gartner analyst has highlighted the risks of using software products that incorporate open source modules

The recent discovery of a potentially serious Secure Socket Layer (SSL) flaw affecting a popular Linux distribution should act as a wake up call to the open source community, experts warn.

John Pescatore, vice president and distinguished analyst at Gartner, called for open source developers and their vendor counterparts to improve communications processes to address the flaw that could lead to the exposure of encrypted data.

The Sans Institute issued a 'yellow alert' on 16 May over the SSL vulnerability in some Debian distros.

The vulnerability affects encryption key pairs used by the Debian OpenSSL package and could enable hackers to access encrypted transaction data, passwords, financial information and other sensitive data.

A Debian advisory offers recommendations for patching the software.

"This vulnerability, which was apparently introduced by Debian's developers, not open source OpenSSL developers, highlights one of the risks of using software products that incorporate open source modules," said Pescatore.

"In May 2006, the Debian developers chose to make changes to the OpenSSL package used in Debian to fix what appeared to be a memory leak, rather than wait for the OpenSSL developer community to investigate and address the issue."

Pescatore claimed that the Debian "fix" resulted in a serious weakness in the OpenSSL random number generator that made it easy for attackers to discover encryption keys.

"In general, encryption code should not be modified without a very thorough process designed to determine the impact of the modifications on the proper functioning of the code and on Federal Information Processing Standards compliance status," he said.

Pescatore noted that the OpenSSL developers' mailing list shows that Debian developers tried to communicate with the OpenSSL development community, but that the informal communication processes "were clearly inadequate in this instance" .

"We believe this experience confirms our view that open source process communications require significant improvements," he said.

"In many other cases, product vendors have made changes to open source packages without even attempting to contact the 'upstream' developers.

"This approach significantly increases the risk that new vulnerabilities will be introduced into open source code and the likelihood that upstream fixes for other vulnerabilities will cause later problems with the vendor-modified modules.

"Commercial and open source vendors frequently incorporate third-party open source modules in their code, so enterprises need to be aware of the potential issues that can result."