Debian and Ubuntu affected by 'insecure randomness' flaw
vnunet.com, 21 May 2008
Security experts have warned of a suspected vulnerability in the Debian and Ubuntu Linux operating systems.
Fortify Software confirmed the findings of a posting to the Debian security list last week, which detailed a critical vulnerability in the Open Secure Sockets Layer (SSL) packages within Debian and Ubuntu.
Fredrick Lee, a researcher at Fortify, claimed that the posting actually understates the potential seriousness of the flaw.
"We are calling this vulnerability 'insecure randomness' since it allows an attacker to predict the SSL cryptographic keys used for supposedly secure online transactions," he said.
Lee explained that a malicious user could intercept an ostensibly secure online banking session between a customer and their bank.
"What's worse is that our researchers calculate this flaw has been available to hackers for more than two years," he said.
This flaw has been available to hackers for more than two years
Fredrick Lee Fortify Software
The problem stems from a bug fix issued by Debian programmers that effectively "emasculates" the randomness engine required to ensure true security within the SSL module.
"Had we been contacted as part of the release strategy, as a number of other developers do, the flaw would have been immediately identified by our research team before the insecure update was released to the public," said Lee.
Taiwanese manufacturer will embed open source OS across entire range
Novell-sponsored open source project gets 10 slots
First Looks Editor Ian Williams gets hands on with the Sony Ericsson Xperia X1
Over a third insist the service should remain free for...
Kernel-based Virtual Machine virtualisation added to latest Enterprise Linux beta
Do you agree?
Have your say on this article