Draft:Debian OpenSSL vulnerability
{{AFC submission|d|nn|u=WinNT4SP6|ns=118|decliner=Sohom Datta|declinets=20241119121147|ts=20241006100511}}
{{AFC comment|1=Needs at least some WP:RS sources documenting the vulnerability outside of bugtrackers and the like. Sohom (talk) 12:11, 19 November 2024 (UTC)}}
----
Debian OpenSSL vulnerability (Common Vulnerabilities and Exposures number CVE-2008-0166{{cite web |title=CVE-2008-0166 Detail |url=https://nvd.nist.gov/vuln/detail/CVE-2008-0166 |website=National Vulnerability Database |publisher=NIST |access-date=6 October 2024}}) was a security vulnerability present exclusively in the Debian operating system and its derivatives from 2006 until its discovery in 2008.{{cite web |title=#363516 valgrind-clean the RNG |url=https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516 |website=Debian bug report logs |access-date=6 October 2024 |date=19 April 2006}}{{cite web |title=[SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator |url=https://lists.debian.org/debian-security-announce/2008/msg00152.html |website=Debian security mailing list |access-date=6 October 2024 |date=13 May 2008}} The vulnerability affected the random number generator provided by OpenSSL{{efn|Distributed under the name libssl}}, which was used by multiple software packages for the generation of cryptographic keys and certificates. Because of the flaw, affected systems could generate only a small number of predictable key pairs.{{cite web |last1=Garfinkel |first1=Simson |title=Alarming Open-Source Security Holes |url=https://www.technologyreview.com/2008/05/20/220474/alarming-open-source-security-holes/ |website=MIT Technology Review |access-date=6 October 2024 |date=20 May 2008}}
Background
The patch, which was responsible for the vulnerability, was introduced to the Debian bug team in April 2006. It was accepted a month later, and the first version of the libssl package containing its code (0.9.8c-1) came out on 17 September 2006.
At the time, the patch was viewed as a fix for the warnings from the Valgrind memory debugger about the use of uninitialized memory by OpenSSL, which, unbeknownst to the bug team, served as a source of entropy for its random number generator (RNG). As a result, the RNG lost practically all sources of randomness, with the exception of the PID of the process that requested its output.{{cite web |last1=Cox |first1=Russ |title=Lessons from the Debian/OpenSSL Fiasco |url=https://research.swtch.com/openssl |website=research!rsc |access-date=6 October 2024 |date=21 May 2008}}
As the maximum number of PIDs was restricted to 32768, only 32767{{efn|In Unix-based operating systems, PID 0 is reserved for the init and cannot be used by ordinary processes.}} (2<sup>15</sup> − 1) unique keys of every type and size could be generated on the affected systems.{{cite web |last1=Moore |first1=H. D. |title=Debian OpenSSL Predictable PRNG Toys |url=http://metasploit.com/users/hdm/tools/debian-openssl/ |website=Metasploit.com |access-date=9 October 2024 |archive-url=https://web.archive.org/web/20090608083128/http://metasploit.com/users/hdm/tools/debian-openssl/ |archive-date=8 June 2009 |url-status=dead}}
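The following added example (not part of the original article, and not code from Debian or OpenSSL) models why PID-only seeding caps the key space at 32767 per key type and size, and how that bound lets an administrator audit a key inventory against a complete denylist. The names toy_keygen, fingerprint, build_denylist and audit are hypothetical, and SHA-256 stands in for the real key generation algorithm.

```python
import hashlib
import os

PID_MAX = 32768  # PID limit stated in the article; usable PIDs are 1..32767


def toy_keygen(pid, key_type, bits, extra_entropy=b""):
    """Toy key generator (an assumption, NOT OpenSSL's algorithm).

    The output is a pure function of the seed material. With
    extra_entropy empty, the PID is the only varying input, which
    models the RNG state described in the article.
    """
    seed = pid.to_bytes(2, "big") + extra_entropy
    return hashlib.sha256(f"{key_type}:{bits}:".encode() + seed).digest()


def fingerprint(key):
    """Short identifier for a key, as a denylist would store it."""
    return hashlib.sha256(key).hexdigest()[:20]


def build_denylist(key_type, bits):
    """Enumerate every PID once per key type and size: 32767 entries."""
    return {fingerprint(toy_keygen(pid, key_type, bits)): pid
            for pid in range(1, PID_MAX)}


def audit(keys, denylist):
    """Return the names of keys whose fingerprint is on the denylist."""
    return sorted(name for name, key in keys.items()
                  if fingerprint(key) in denylist)


if __name__ == "__main__":
    denylist = build_denylist("rsa", 2048)
    # Constructed sample inventory: two hosts that happened to generate
    # keys under the same PID, and one key from a properly seeded RNG.
    inventory = {
        "host-a": toy_keygen(4242, "rsa", 2048),
        "host-b": toy_keygen(4242, "rsa", 2048),
        "host-c": toy_keygen(4242, "rsa", 2048, os.urandom(32)),
    }
    print(len(denylist), "possible keys for rsa/2048")
    print("keys to replace:", audit(inventory, denylist))
```

A denylist built for one key type and size does not cover another, so an audit needs one list per combination in use.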
Discovery and Impact
The vulnerability was discovered by Debian developer Luciano Bello and disclosed on 13 May 2008; the security patches correcting it were released on the same day. The patches fixed only the RNG; they did not fix the already existing vulnerable keys, which all had to be replaced or regenerated.{{cite web |title=Key Rollover |url=http://www.debian.org/security/key-rollover/ |website=Debian Security |access-date=6 October 2024 |archive-url=https://web.archive.org/web/20081122053555/http://www.debian.org/security/key-rollover/ |archive-date=22 November 2008 |url-status=dead}}
Even though other operating systems were not directly affected, the import of a vulnerable key could also put them at risk.{{cite web |title=USN-612-1: OpenSSL vulnerability |url=https://ubuntu.com/security/notices/USN-612-1 |website=Ubuntu Security |access-date=6 October 2024 |date=13 May 2008}}
Affected software
Operating systems
Debian-based Linux distributions using libssl versions 0.9.8c-1 through 0.9.8g-9.{{cite web |title=CVE-2008-0166 |url=https://security-tracker.debian.org/tracker/CVE-2008-0166 |website=Debian security tracker |access-date=6 October 2024}} Confirmed examples are:
- Debian version 4.0 (Etch)
- Ubuntu versions 7.04, 7.10 and 8.04
Notable packages
- OpenSSL
- OpenSSH{{cite web |title=USN-612-2: OpenSSH vulnerability |url=https://ubuntu.com/security/notices/USN-612-2 |website=Ubuntu Security |access-date=6 October 2024 |date=13 May 2008}}
- OpenVPN{{cite web |title=USN-612-3: OpenVPN vulnerability |url=https://ubuntu.com/security/notices/USN-612-3 |website=Ubuntu Security |access-date=6 October 2024 |date=13 May 2008}}
- Tor network{{cite web |title=Tor security advisory: Debian flaw causes weak identity keys |url=https://archives.seul.org/or/announce/May-2008/msg00000.html |access-date=6 October 2024 |date=13 May 2008}}
Legacy
A day before the 20th anniversary of the vulnerability's introduction, security researcher Hanno Böck disclosed that multiple websites were actively using keys affected by it to produce DKIM signatures for their emails.{{cite web |last1=Böck |first1=Hanno |title=16 years of CVE-2008-0166 Debian OpenSSL Bug - Breaking DKIM and BIMI in 2024 |url=https://16years.secvuln.info/ |access-date=6 October 2024 |date=12 May 2024}}
Notes
{{Notelist}}