Computerworld: Tools Circulate that Crack Debian, Ubuntu
Keys
“A recently disclosed vulnerability in widely used Linux
distributions can be exploited by attackers to guess cryptographic
keys, possibly leading to the forgery of digital signatures and
theft of confidential information, a noted security researcher said
today.“HD Moore, best known as the exploit researcher who created the
Metasploit penetration testing framework, called the vulnerability
in Debian and Ubuntu systems ‘ugly’ and said it will be a big job
for administrators to find every flawed key, then reissue
them…”
Computerworld Australia: How to Avoid the Debian SSH Key
Attacks
“This means that there are only 32,767 possible keys for each
key length and there are a number of resources starting to appear
that are targeting the weak key issue. One of the tools, developed
by Markus Mueller, claims to defeat a 2048 bit RSA SSH key in less
than 20 minutes.“HD Moore, the founder of Metasploit, points out that there are
several features of Debian that make the process of brute forcing a
key even simpler, given that a lot of Debian systems use sequential
pid allocation and most keys are likely to have been user generated
with a pid between 500 and 10,000 (which effectively reduces the
keyspace to 9,500 keys)…”