Entrust Certificate Services Support Knowledge Base
Audience: General
Last Modified: 2008-06-09 12:02:01
TN 7468 - Debian Random Number Generator Vulnerability
Question
Can you tell me anything about the Debian/Ubuntu Random Number Generator Vulnerability?
Answer:
Summary:
On Tuesday May 13, 2008, the Debian Project announced a security vulnerability with its OpenSSL package making its random number generator predictable. See http://lists.debian.org/debian-security-announce/2008/msg00152.html.
A weakness was discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system.
Customers using digital certificates with key pairs generated using versions of the Debian OS and its derivatives (such as Ubuntu) released between September 17, 2006 and May 12, 2008 are at risk.
Impact:
Entrust Certificate Services (ECS):
• The ECS service does not use affected software and is thus not vulnerable.
• The private keys used by the ECS Certification Authorities were not generated using the affected software.
• Individual certificates issued to customers are affected if the keys submitted by the customer were generated by the affected software.
Mitigating Factors:
• The problem can be resolved if the corrective action described below is followed immediately.
Patch Availability:
• Debian and Ubuntu have published patches.
• Customers should check with their vendor for specific patches.
Corrective Action:
Customers using third party software affected by this issue need to act quickly to generate new keys and replace certificates.
• Apply patches available from Debian and Ubuntu.
• Generate a new key pair using a software package that is not affected by the vulnerability.
• Replace and revoke the vulnerable digital certificate.
• Certificate Management Service customers, as always, can reissue certificates at any time at no incremental cost.
• Affected customers who purchased certificates outside of the Certificate Management Service (known internally as 'single cert customers') and who are outside of the 30 day free reissuance window will be able to reissue at no cost until June 19, 2008.
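To decide which certificates need the replace-and-revoke step above, a customer has to tell whether a given key was produced by the affected OpenSSL build. The standard way to do that is a fingerprint blacklist: because the weak generator yields only a small set of possible keys, their moduli can be enumerated in advance and looked up. The script below is an added example written for this article, not Entrust's or Debian's code. It assumes the fingerprint scheme used by the Debian/Ubuntu openssl-blacklist package as I understand it (SHA-1 of the exact "Modulus=<HEX>" line that `openssl rsa -noout -modulus` prints, keeping the last 20 hex characters), and the blacklist entries embedded in it are constructed placeholders, not real weak-key fingerprints; the real lists ship with that package (for example /usr/share/openssl-blacklist/blacklist.RSA-2048, a path assumed from that package's layout).

```python
import hashlib
import re
import sys

# Constructed placeholder blacklist, in the one-fingerprint-per-line layout
# of the openssl-blacklist files. These two entries are made up for the
# example and do not correspond to any real weak key.
CONSTRUCTED_BLACKLIST_TEXT = """\
# constructed sample entries (not real weak-key fingerprints)
0123456789abcdef0123
fedcba9876543210fedc
"""

# `openssl rsa|req|x509 -noout -modulus` prints a single line "Modulus=<HEX>".
MODULUS_LINE = re.compile(r"^Modulus=([0-9A-Fa-f]+)$")


def load_blacklist(text):
    """Parse blacklist text into a set of lowercase 20-hex-char fingerprints.

    Blank lines and '#' comment lines are ignored so the real package files
    can be fed in unchanged.
    """
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(line.lower())
    return entries


def fingerprint_from_modulus(modulus_hex):
    """Return the blacklist-style fingerprint of an RSA modulus.

    Assumption (my reading of openssl-vulnkey): SHA-1 over the exact line
    OpenSSL prints, "Modulus=<uppercase hex>\\n", truncated to the last
    20 hex characters. Only the modulus matters, so the same fingerprint is
    obtained from the private key, the CSR, or the issued certificate.
    """
    line = "Modulus=%s\n" % modulus_hex.upper()
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-20:]


def parse_modulus_output(text):
    """Extract the hex modulus from `openssl ... -noout -modulus` output."""
    for line in text.splitlines():
        match = MODULUS_LINE.match(line.strip())
        if match:
            return match.group(1).upper()
    raise ValueError("no Modulus= line found in input")


def check_modulus_output(text, blacklist):
    """Return (fingerprint, is_blacklisted) for OpenSSL modulus output."""
    fingerprint = fingerprint_from_modulus(parse_modulus_output(text))
    return fingerprint, fingerprint in blacklist


def main(argv):
    # Usage: openssl x509 -noout -modulus -in server.crt | python3 check.py BLACKLIST_FILE
    if len(argv) != 2:
        sys.stderr.write("usage: %s BLACKLIST_FILE < modulus-output\n" % argv[0])
        return 2
    with open(argv[1]) as handle:
        blacklist = load_blacklist(handle.read())
    fingerprint, hit = check_modulus_output(sys.stdin.read(), blacklist)
    if hit:
        print("COMPROMISED: fingerprint %s is on the blacklist; "
              "generate a new key on patched software and revoke the certificate" % fingerprint)
        return 1
    print("not on blacklist: fingerprint %s" % fingerprint)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A "not on blacklist" result only means the key is not in the list you supplied: the lists are per key size and per key type, so check the file that matches the key (RSA-1024, RSA-2048, and so on), and a key generated on an affected system with an unusual size still needs to be regenerated.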
Affected Products:
- Entrust Certificate Services 1 Year Advantage SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
- Entrust Certificate Services 1 Year Mutual SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
- Entrust Certificate Services 1 Year SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
- Entrust Certificate Services 2 Year Advantage SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
- Entrust Certificate Services 2 Year Mutual SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
- Entrust Certificate Services 2 Year SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
- Entrust Certificate Services 3 Year Advantage SSL (Version: Not Applicable; Language: Not Applicable; Platform: Windows)
- Entrust Certificate Services 3 Year SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
- Entrust Certificate Services Cert Admin Advantage Server Certificate 1 Year (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
- Entrust Certificate Services Cert Admin Advantage Server Certificate 2 Year (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
- Entrust Certificate Services Cert Admin UCC SSL - 1 Year (Version: Not Applicable; Language: English; Platform: Windows)
- Entrust Certificate Services Cert Admin UCC SSL - 2 Year (Version: Not Applicable; Language: English; Platform: Windows)
- Entrust Certificate Services Certificate Administrator 3 Year SSL Certificates (Version: Not Applicable; Language: Not Applicable; Platform: Windows)
- Entrust Certificate Services Certificate Administrator EV SSL - 1 Year (Version: Not Applicable; Language: Not Applicable; Platform: Windows)
- Entrust Certificate Services Certificate Administrator EV SSL - 2 Year (Version: Not Applicable; Language: Not Applicable; Platform: Windows)
- Entrust Certificate Services EV SSL - 1 Year (Version: Not Applicable; Language: English; Platform: Windows)
- Entrust Certificate Services EV SSL - 2 Year (Version: Not Applicable; Language: English; Platform: Windows)
- Entrust Certificate Services UCC Certificate - 1 and 2 year (Version: Not Applicable; Language: English; Platform: Windows)
- Entrust Certificate Services UCC SSL - 1 year (Version: Not Applicable; Language: English; Platform: Windows)
- Entrust Certificate Services UCC SSL - 2 year (Version: Not Applicable; Language: English; Platform: Windows)
- Entrust Certificate Services UCC SSL - 3 year (Version: Not Applicable; Language: English; Platform: Windows)
- Entrust Certificate Services Web Hoster Service Account (Version: Not Applicable; Language: English; Platform: Not Applicable)