Debian and Ubuntu users: fix your keys/certificates NOW

Published: 2008-05-15
Last Updated: 2008-05-15 12:02:47 UTC
by Bojan Zdrnja (Version: 2)
4 comment(s)

Couple of days ago Swa posted a diary about a critical Debian/Ubuntu PRNG security vulnerability.

Today Matt wrote in to let us know that H D Moore posted a web page containing all SSH 1024, 2048 and 4096-bit RSA keys he brute forced.

It is obvious that this is highly critical – if you are running a Debian or Ubuntu system, and you are using keys for SSH authentication (ironically, that's something we've been recommending for a long time), and those keys were generated between September 2006 and May 13th 2008 then you are vulnerable. In other words, those secure systems can be very easily brute forced. What's even worse, H D Moore said that he will soon release  a brute force tool that will allow an attacker easy access to any SSH account that uses public key authentication.

But this is not all – keep in mind that ANY cryptographic material created on vulnerable systems can be compromised. If you generated SSL keys on such Debian or Ubuntu systems, you will have to recreate the certificates and get them signed again. An attacker can even decrypt old SSH sessions now.

The Debian project guys released a tool that can detect weak keys (it is not 100% correct though as the blocklist in the tool can be incomplete). You can download the tool from

The bottom line is: this is very, very, very serious and scary. Please check your systems and make sure that you are both patched, and that you regenerated any potentially weak cryptographic material.



There have been some questions if this is related to the increase of SSH attacks we reported about couple of days ago (see At this point in time we think it is just a coincidence. In any case, you can help us by checking your logs – if the attackers are brute forcing password logins then the attack has nothing to do with this, but if you are seeing key authentication attempts then it is red alert.

The situation with web certificates is even worse – the public key is really that: public. So, for a weak key generated on Debian, an attacker could derive the private key and construct a Man-In-The-Middle attack without any problems in the browser! Very very scary. Makes one wonder how many people used Debian to generate their SSL keys.

As Swa said, there are basically 2 scenarios:

  • the public key is known publicly -> no brute force needed, the attackers walk in private key in hand
  • the public key isn't found -> brute force of some 260K keys needed.



Keywords: openssl prng ssh
4 comment(s)


Are we certain that only Debian and Ubuntu are affected? SSH key generation happens in many different systems, and who knows what they may be using to generate those keys or how (in)secure they may be...
For this particular bug we know that it was introduced in Debian's PRNG. Since other distributions don't use Debian's PRNG they are not affected, at least not by this vulnerability.
From what I can find, puTTy and its various utilities use the vulnerable Debian PRNG to generate SSH keys. Is this related?

I didn't know the putty tools were included in Debian (what's the point really?), but I would assume they are safe since they do not depend on the libssl package which contains the libraries of OpenSSL, where the original bug was. See:

Diary Archives