A major security bug was announced on May 13, 2008 in the pseudorandom number generator (PRNG) of the Debian version of OpenSSL, one of the most widely used cryptographic libraries.
The problem affects all Debian-based GNU/Linux distributions, such as Ubuntu and Knoppix, that were used to create SSL/TLS keys since September 17, 2006. The bug was discovered by Luciano Bello, a Debian package maintainer.
This vulnerability was caused by the removal of two lines of code from the original version of OpenSSL. These lines were used by the library to gather entropy to seed the PRNG used to create private keys. Without them, the only dynamic data left in the seed was the PID of the process. Under Linux the PID is a number between 1 and 32,768, which is far too small a range to seed a PRNG: the generator's output becomes predictable, and therefore so does any key generated from it, with only 32,767 possible keys for a given architecture.
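To make the mechanism concrete, here is an added example (not code from the article, from OpenSSL or from Debian) that models key generation whose only varying seed material is a process id in 1..32768. The derivation function, the static seed and the fingerprint format are my own assumptions standing in for OpenSSL's PRNG, not its algorithm; what carries over is the arithmetic: with about 15 bits of seed the entire key space can be enumerated in well under a second, and a defender can use exactly that enumeration to detect affected keys by fingerprint lookup.

```python
# Added example (not code from the article, OpenSSL or Debian): a toy model of
# key generation whose only varying seed material is a process id in 1..32768,
# showing (1) that the resulting key space is small enough to enumerate in full
# and (2) how a defender can detect such keys by fingerprint lookup against the
# enumerated set. The derivation function is hypothetical and stands in for
# OpenSSL's PRNG; it is not its algorithm.
import hashlib
import hmac
import secrets

PID_MAX = 32768  # Linux default PID range mentioned in the article

# Constructed stand-in for everything else that fed the seed and was static
# for a given build/architecture once the entropy-gathering lines were gone.
STATIC_SEED = b"toy-static-seed-for-one-architecture"


def derive_key_from_pid(pid: int, static_seed: bytes = STATIC_SEED) -> bytes:
    """Toy key derivation whose only dynamic input is the PID (hypothetical).

    With every other input fixed, the 32-byte output depends on at most
    15 bits of seed, so at most PID_MAX distinct keys can ever come out.
    """
    if not 1 <= pid <= PID_MAX:
        raise ValueError("pid outside the modelled range")
    return hmac.new(static_seed, pid.to_bytes(2, "big"), hashlib.sha256).digest()


def derive_key_properly(static_seed: bytes = STATIC_SEED) -> bytes:
    """Same derivation with 256 bits of fresh OS entropy mixed in, which is
    the role the removed lines played in the real library."""
    return hmac.new(static_seed, secrets.token_bytes(32), hashlib.sha256).digest()


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, the form a weak-key list would store."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_weak_fingerprint_set(pid_max: int = PID_MAX) -> set:
    """Enumerate every reachable key: this is the whole weak key space."""
    return {fingerprint(derive_key_from_pid(pid)) for pid in range(1, pid_max + 1)}


def count_distinct_weak_keys(pid_max: int = PID_MAX) -> int:
    """Size of the enumerated key space (32768 for the default PID range)."""
    return len(build_weak_fingerprint_set(pid_max))


def is_weak(key: bytes, weak_set: set) -> bool:
    """Detection: a key from the PID-only generator is always in the set;
    a properly seeded key is in it only with negligible probability."""
    return fingerprint(key) in weak_set


if __name__ == "__main__":
    import time

    start = time.perf_counter()
    weak = build_weak_fingerprint_set()
    print(f"enumerated {len(weak)} keys in {time.perf_counter() - start:.2f}s")
    print("pid-seeded key flagged:", is_weak(derive_key_from_pid(4242), weak))
    print("properly seeded key flagged:", is_weak(derive_key_properly(), weak))
```

Running the script prints how long the full enumeration took and shows that a PID-seeded key is flagged while a key derived with fresh entropy is not. The point for a defender is the asymmetry: the same tiny seed space that makes the keys predictable also makes a complete list of them cheap to precompute, which is what turns "is this key affected?" into a set lookup.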
These lines were removed as “suggested” by two audit tools (Valgrind and Purify) used to find vulnerabilities in the software distributed by Debian. These tools warned the Debian maintainers that some data was used before it was initialized, which normally can lead to a security bug, but this time it was not the case, as the OpenSSL developers replied on March 13, 2003. Nevertheless, the change was applied on September 17, 2006, when OpenSSL Debian version 0.9.8c-1 was released to the public.
Even though the Debian maintainer responsible for this package released a patch on May 8, 2008, the impact may be severe. OpenSSL is commonly used in software to protect passwords and to provide privacy. Any private key created with this version of OpenSSL is weak, including session keys that are created and used only temporarily. This means that any data encrypted with these keys can be decrypted without much effort, even if the keys are used (but were not created) with an unaffected version of the library, such as those included in other operating systems.
For example, a web server running on any operating system may use a weak key created on a vulnerable Debian-based system. Any encrypted (HTTPS) connection to this web server, established by any browser, can be decrypted.
This may be a serious problem for sites that require a secure connection, such as banks or private web sites. Also, if an encrypted connection was recorded in the past, it can be decrypted in the same way.
Another serious problem concerns network security software, such as OpenSSH and OpenVPN, that is used to encrypt traffic in order to protect passwords and to grant access to an administrative console or to a private network protected by firewalls. This may allow attackers to gain unauthorized access to your computer, your network or private data traveling over the network, even if you do not have an affected version of OpenSSL yourself.
The same applies to any software or protocol that uses SSL, such as POP3S, SSMTP or FTPS, if used with a weak key. This is the case for Tor, software used to offer strong anonymity over TCP/IP, where about 300 of 1,500-2,000 nodes used a weak key. With 15-20% of Tor nodes weak, the probability of building a circuit in which all three nodes are weak is roughly 0.34-0.8% (all three hops must be weak, so the figure is 0.15³ to 0.20³), resulting in a complete loss of anonymity. The problem may also affect anonymous remailers like Mixmaster, which use OpenSSL to create private keys, even though there is currently no official announcement.