Openssl Vulnerability: Debian, Related Distributions and Everyone (CVE-2008-0166)

If CAcert clients have used OpenSSL on a vulnerable platform to generate their private key, and that private key was used to create a CSR from which CAcert issued a certificate, the following vulnerabilities apply:

Vulnerable key is used:

 * in a server, e.g. http(s), smtp(tls)
   * passive interception of network traffic from the server can be decrypted
   * in combination with traffic redirection, such as DNS spoofing or routing, a man-in-the-middle attack is possible
 * as a client certificate for authentication
   * passive interception of network traffic from the client can be decrypted
   * in combination with traffic redirection, such as DNS spoofing or routing, a man-in-the-middle attack is possible
   * if a client's public certificate is available, e.g. an S/MIME certificate, then an attacker can derive your private key and obtain access to services authenticated by that client certificate
 * for S/MIME encryption
   * messages can be decrypted without the private key
 * for S/MIME signatures
   * signatures can be forged for arbitrary documents

If you have one of these keys, follow the certificate generation instructions to regenerate a key for your application (the Debian Key-roller application guide or the Debian Wiki SSLkeys page can serve as a guide). Once you have been issued a new certificate and it is operational, revoke your old certificate.

Is the key for my X.509 certificate affected?

At the moment there is no automated, self-contained tool to determine whether your key is vulnerable. Please submit your certificate to our HashServer (under development). Depending on your risk profile, you may want to generate a new key anyway if you suspect it was generated on a vulnerable platform, to avert even the potential risk.

For system administrators with vulnerable keys:

If you use a Debian-based Linux distribution (those that use apt as a package manager), check your distribution's security announcement for advice (for example DSA-1571, USN-612-1).

Refer to your distribution's security advisory for the latest packages. Use a non-vulnerable version of OpenSSL (or another product) to regenerate keys and certificates, and revoke any certificates associated with vulnerable keys.

For system administrators not using vulnerable keys:

Keep in mind that if you have kept keys from a previously installed vulnerable distribution, then those keys are vulnerable.

If you perform client verification using certificates derived from vulnerable keys, you may be susceptible to remote unauthorized access. One action you may wish to take is to deploy a mechanism such as fail2ban to mitigate brute-force attempts. Server applications that support OCSP should have it enabled so that access is refused once a user has revoked their certificate.

For users who generated vulnerable keys:

For X.509, regenerate your private key, create a new Certificate Signing Request (CSR), get a new certificate, install it into any active services, and revoke the previous certificates. Do not use the "renew" feature of CAcert or of an application, since this only renews the certificate, not the key!

For all users:

As there are a number of man-in-the-middle attacks against services that have certificates, we recommend you enable OCSP in your web browser (Firefox, IE6 + XP) and in other X.509-based client applications.

How CAcert is helping you:

The impact of non-random keys is significant. As all Certificate Authorities hold large numbers of public keys, CAs are in a position to determine whether a number of users have identical public keys. CAcert has developed its HashServer as a public service to all users and CAs so that non-random keys can be detected earlier.

CAcert will scan all issued certificates to identify weak keys and advise users if their keys are identical to another user's.
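As an added example (not code from the CAcert page or from the HashServer), the Python script below shows the two checks discussed on this page: a blacklist lookup of the kind a self-contained tool would perform to answer "Is the key for my X.509 certificate affected?", and the duplicate-public-key detection that a CA holding many certificates can perform. It assumes the fingerprint scheme used by Debian's openssl-blacklist package (SHA-1 over the `Modulus=...` line printed by `openssl rsa -noout -modulus`, keeping the last 20 hex digits); the moduli, certificate names and the blacklist entry are constructed toy values, not real weak keys.

```python
"""Weak-key triage for CVE-2008-0166: blacklist lookup plus duplicate-key detection.

Assumptions (not taken from the CAcert page):
  * The blacklist fingerprint follows the Debian openssl-blacklist scheme:
    SHA-1 over the literal line "Modulus=<UPPERCASE HEX>\n" as printed by
    `openssl rsa -noout -modulus`, keeping the last 20 hex digits.
  * The moduli below are constructed toy values; real RSA moduli are
    1024 to 4096 bits long.
"""
import hashlib
from collections import defaultdict


def modulus_line(n: int) -> str:
    """Render an RSA modulus the way `openssl rsa -noout -modulus` prints it."""
    return "Modulus=%X\n" % n


def blacklist_fingerprint(n: int) -> str:
    """Last 20 hex digits of SHA-1 over the modulus line (assumed openssl-blacklist scheme)."""
    return hashlib.sha1(modulus_line(n).encode("ascii")).hexdigest()[20:]


def parse_modulus_output(text: str) -> int:
    """Parse the `Modulus=...` line produced by openssl into an integer."""
    for line in text.splitlines():
        if line.startswith("Modulus="):
            return int(line[len("Modulus="):], 16)
    raise ValueError("no Modulus= line found in openssl output")


def is_blacklisted(n: int, blacklist: set) -> bool:
    """True if the modulus fingerprint appears in the weak-key blacklist."""
    return blacklist_fingerprint(n) in blacklist


def find_duplicate_keys(certs: dict) -> dict:
    """Group certificate names by modulus and return only groups with more than one member.

    Two unrelated users sharing a modulus is exactly the signal a CA can look
    for: a vulnerable Debian system could only produce one key per process ID,
    so the whole key space per architecture and key size is roughly 32,000
    keys and collisions between users are expected.
    """
    by_modulus = defaultdict(list)
    for name, n in certs.items():
        by_modulus[n].append(name)
    return {n: names for n, names in by_modulus.items() if len(names) > 1}


def triage(certs: dict, blacklist: set) -> dict:
    """Return {certificate name: [findings]} for every certificate with a problem."""
    findings = defaultdict(list)
    for n, names in find_duplicate_keys(certs).items():
        for name in names:
            findings[name].append("modulus shared with %d other certificate(s)" % (len(names) - 1))
    for name, n in certs.items():
        if is_blacklisted(n, blacklist):
            findings[name].append("modulus on weak-key blacklist")
    return dict(findings)


# Constructed sample data. WEAK_MODULUS stands in for a key from the weak-key
# set; in practice the blacklist would be loaded from the openssl-blacklist files.
WEAK_MODULUS = 0xC0FFEE1234567890ABCDEF
BLACKLIST = {blacklist_fingerprint(WEAK_MODULUS)}

# Constructed "certificate holdings": two unrelated names share one modulus,
# a third has a blacklisted modulus.
SAMPLE_CERTS = {
    "alice.example (constructed)": 0xD00D0000000000000001,
    "bob.example (constructed)": WEAK_MODULUS,
    "carol.example (constructed)": 0xD00D0000000000000001,
}

if __name__ == "__main__":
    for name, problems in sorted(triage(SAMPLE_CERTS, BLACKLIST).items()):
        print(name, "->", "; ".join(problems))
```

To check a real key, feed the output of `openssl rsa -noout -modulus -in key.pem` to parse_modulus_output and load the blacklist lines from the openssl-blacklist package files into a set. A blacklist hit, or a modulus shared with an unrelated certificate, means the key must be regenerated and the certificate revoked, as described above; the duplicate check catches weak keys even when no blacklist for that architecture and key size is at hand.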

See also ...

DebianVulnerabilityHandling (last edited 2011-03-24 12:47:39 by UlrichSchroeter)