[IS&T Security-FYI] Newsletter, May 16, 2008

Monique Yeaton myeaton at MIT.EDU
Fri May 16 14:00:10 EDT 2008 

In this issue:

1. Debian Security Advisory
2. May 2008 Security Updates


-----------------------------------
1. Debian Security Advisory
-----------------------------------

This week a vulnerability was discovered in Debian's OpenSSL package.  
As a result of a Debian-specific change to the OpenSSL package, the  
cryptographic key material may be guessable.

A remote, unauthenticated attacker with minimal knowledge of the  
vulnerable system and the ability to conduct a brute force attack  
against an affected application may be able to guess secret key  
material. Secondary impacts include authenticated access to the system  
through the affected service or the ability to perform man-in-the- 
middle attacks.

Systems affected:

  * Debian GNU/Linux based operating systems
  * Other operating systems can be indirectly affected if weak keys  
are imported to them.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key  
material for use in X.509 certificates and session keys used in SSL/ 
TLS connections. *MIT Personal Certificates are not risk.* All SSL and  
SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc)  
between September 2006 and May 13th, 2008 may be affected. Keys  
generated with GnuPG or GNUTLS are not affected.

Recommended action:

MIT will be scanning the network for any compromised hosts, however it  
can not block intruders from exploiting this vulnerability on our  
network, therefore user education and awareness is the best defense.

MIT recommends that maintainers of Debian-based systems apply the  
packages and regenerate keys; the IS&T department will apply patches  
to any affected systems that it maintains.

It is strongly recommended that all cryptographic key material which  
has been generated by OpenSSL versions starting with 0.9.8c-1 on  
Debian systems is recreated from scratch. All DSA keys ever used on  
affected Debian systems for signing or authentication purposes should  
be considered compromised; the Digital Signature Algorithm relies on a  
secret random value used during signature generation.

Patches have been release by the affected vendors. For more  
information on this vulnerability and for instructions on applying  
updates and regenerating key material see:

Debian: <http://www.debian.org/security/2008/dsa-1571> and <http://www.debian.org/security/2008/dsa-1576 
 >
US-CERT: <http://www.kb.cert.org/vuls/id/925211>
Metasploit: <http://metasploit.com/users/hdm/tools/debian-openssl/>


--------------------------------------
2. May 2008 Security Updates
--------------------------------------

Microsoft and Apple have released updates this month. Below is a list  
of items affected:

-----Microsoft-----

  * Microsoft Windows
  * Microsoft Office
  * Microsoft Jet Database Engine
  * Microsoft Windows Live OneCare
  * Microsoft Antigen
  * Microsoft Windows Defender
  * Microsoft Forefront Security

The Security Bulletin from Microsoft released on May 13 included three  
critical patches for the Windows operating system and Office products.  
These patches are now approved for deployment via MIT WAUS.

The most severe vulnerabilities could allow a remote, unauthenticated  
attacker to execute arbitrary code, gain elevated privileges, or cause  
a denial of service.

For more information about these updates see:
<http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx>


-----Apple-----

  * Systems running OS X 10.5 or 10.5.1 (Leopard)

The Mac OS X 10.5.2 update includes general operating system  
improvements that enhance the stability, compatibility, and security  
of your Mac. Included in this update are improvements to, among  
others, Airport, Dashboard, Desktop, iCal, and iChat. The update can  
be downloaded through Software Update.

For more information about this update see:
<http://docs.info.apple.com/article.html?artnum=307109>


Thanks,

Monique

=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security

More information about the ist-security-fyi mailing list