Ubuntu
Ubuntu is among the affected Linux distributions

Critical Linux vulnerability exposed

Debian and Ubuntu affected by 'insecure randomness' flaw

Written by Clement James

vnunet.com, 21 May 2008

This flaw has been available to hackers for more than two years

Fredrick Lee Fortify Software

Security experts have warned of a suspected vulnerability in the Debian and Ubuntu Linux operating systems.

Fortify Software confirmed the findings of a posting to the Debian security list last week, which detailed a critical vulnerability in the Open Secure Sockets Layer (SSL) packages within Debian and Ubuntu.

Fredrick Lee, a researcher at Fortify, claimed that the posting actually understates the potential seriousness of the flaw.

"We are calling this vulnerability 'insecure randomness' since it allows an attacker to predict the SSL cryptographic keys used for supposedly secure online transactions," he said.

Lee explained that a malicious user could intercept an ostensibly secure online banking session between a customer and their bank.

"What's worse is that our researchers calculate this flaw has been available to hackers for more than two years," he said.

The problem stems from a bug fix issued by Debian programmers that effectively "emasculates" the randomness engine required to ensure true security within the SSL module.

"Had we been contacted as part of the release strategy, as a number of other developers do, the flaw would have been immediately identified by our research team before the insecure update was released to the public," said Lee.

See also:

reader comments

related articles

LinuxOpen Source

Open source security improving rapidly

Two-year quality analysis studied 250 popular applications 20 May 2008

 
Olpc

OLPC Sugar software goes independent

Walter Bender launches Sugar Labs 19 May 2008

Asus

Asus to offer Linux on all motherboards

Taiwanese manufacturer will embed open source OS across entire range 16 May 2008

Innovation

OpenSuse joins Google Summer of Code

Novell-sponsored open source project gets 10 slots 16 May 2008

Linux

Debian flaw exposes communications breakdown

A wake up call for open source developers, Gartner warns 28 May 2008

Software

Ubuntu gets major security fix

Update patches kernel flaws 26 Aug 2008

Security expert slams PCI auditing

PCI compliance does not guarantee security 04 Apr 2008

latest news

Resellers hit by delivery disruption as Amtrak fails

UK courier company Amtrak has entered receivership due to financial difficulty 29 Aug 2008

Dell’s profits plunge 17 per cent

PC vendor's net profit takes a tumble as turf war with HP in EMEA hurts bottom line 29 Aug 2008

Avnet upgrades and expands Bracknell demo centre

Distributor refurbishes five-year-old centre to provide vastly expanded proof-of-concept opportunities 29 Aug 2008

More news

poll

A new Linksys era?

A new Linksys era?

Will the Linksys brand fizzle out when Cisco folds it into its SME operation?

Previous poll results

In The Studio With CRN: Josh Claman, Dell

In an editorial coup for CRN, Josh Claman, vice president of EMEA channels at Dell, talks to CRN TV about the vendor's channel plans

CRN Fight Night bouts are LIVE!

ALL the bouts from CRN's first ever white collar boxing event at The Brewery in Chiswell Street, are now online in their full glory for CRN readers to watch.

More CRN TV

events

CRN Golf Challenge 2008

CRN Channel Golf Challenge 2008

CRN's annual golfing day will this year be held on 16 September at a championship course in East Sussex

CRN Reseller Leadership Forum logo

CRN Reseller Leadership Forum

An exclusive channel conference from CRN, to be held over one action-packed day in September 2008

More Events

Newsletter signup

Sign up for our range of FREE newsletters:

Existing User

Newsletter user login:

Advertisement

White papers

Search white papers

Top categories