Linux security: an open-source vulnerability leaves a great many systems exposed
Recently, security researchers disclosed two serious vulnerabilities in the Debian Linux distribution; because Ubuntu is derived from Debian, it is affected as well.
The researchers say the flaw has been "seriously underestimated": it undermines the Secure Sockets Layer (SSL) keys that both systems generate, and so the protection of any connection that relies on them.
The flaw also exposes secrets: an attacker could forge the keys used to protect online transactions. And the problem sat unnoticed for two years before anyone dealt with it.
We are not repeating the news here for its own sake. The vulnerability and its patch were published on May 13, but how many system administrators noticed at once and took action? Was the flaw being exploited before it was made public? After all, this piece of security software protects the communications of tens of thousands of hosts and users around the world, in banking and insurance among other sectors.
Even so, how many vulnerabilities of this kind are sitting in open-source software, still undiscovered? As reported a few days ago, BSD systems also have a flaw: a very serious security bug appears when they interact with Samba. Should this be taken as a warning?
Can a small slip by one programmer turn into a huge disaster?
Back in May 2006, a few programmers working on an open-source security project made a whopper of a mistake. Last week, the full impact of that mistake was just beginning to dawn on security professionals around the world.
In technical terms, a programming error reduced the amount of entropy used to create the cryptographic keys in a piece of code called the OpenSSL library, which is used by programs like the Apache Web server, the SSH remote access program, the IPsec Virtual Private Network (VPN), secure e-mail programs, some software used for anonymously accessing the Internet, and so on.
In plainer language: after a week of analysis, we now know that two changed lines of code have created profound security vulnerabilities in at least four different open-source operating systems, 25 different application programs, and millions of individual computer systems on the Internet. And even though the vulnerability was discovered on May 13 and a patch has been distributed, installing the patch doesn't repair the damage to the compromised systems. What's even more alarming is that some computers may be compromised even though they aren't running the suspect code.
The reason that the patch doesn't fix the problem has to do with the specifics of the programmers' error. Modern computer systems employ large numbers to generate the keys that are used to encrypt and decrypt information sent over a network. Authorized users know the right key, so they don't have to guess it. Malevolent hackers don't know the right key. Normally, it would simply take too long to guess it by trying all possible keys--like, hundreds of billions of years too long.
But the security of the system turns upside down if the computer can only choose from a limited number of keys, say a million. For the authorized user, the key looks good--the data gets encrypted. But the bad guy's software can quickly make and then try every key that a specific computer could possibly have generated. The error introduced two years ago makes cryptographic keys easy to guess in exactly this way.
The error doesn't give every computer the same cryptographic key--that would have been caught before now. Instead, it reduces the number of different keys that these Linux computers can generate to 32,767 different keys, depending on the computer's processor architecture, the size of the key, and the key type.
Less than a day after the vulnerability was announced, computer hacker HD Moore of the Metasploit project released a set of "toys" for cracking the keys of these Debian and Ubuntu systems. As of Sunday, Moore's website had downloadable files of precomputed keys, just to make it easier to identify vulnerable computer systems.
Unlike the common buffer overflow bug, which can be fixed by loading new software, keys created with the buggy software don't get better when the computer is patched: instead, new keys have to be generated and installed. Complicating the process is the fact that keys also need to be certified and distributed: the process is time consuming, complex, and error prone.
Nobody knows just how many systems are impacted by this problem, because cryptographic keys are portable: vulnerable keys could have been generated on a Debian system in one office and then installed on a server running Windows in another. Debian is a favored Linux distribution of many security professionals, and Ubuntu is one of the most popular Linux distributions for general use, so the reach of the problem could be quite widespread.
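The three points made above, that a key space of 32,767 values per architecture, size and type can be enumerated in full, that a precomputed table of those keys identifies vulnerable systems wherever the keys ended up, and that the only fix is to regenerate with real entropy, are easier to see in a small model. The following is an added example written for this page, not code from Debian, OpenSSL or the Metasploit project, and it does not reproduce the real OpenSSL bug: the "weak key" here is just a hash of the process ID and the key parameters, standing in for a generator whose only varying input was the PID. The names (weak_key, build_blacklist, audit_keys) and the sample key list are constructed for the illustration.

```python
"""Model of a key generator whose entropy collapsed to the PID (1..32767).

The real vulnerable keys came from OpenSSL; this toy derives a 32-byte
'key' from a SHA-256 of (arch, key_bits, key_type, pid) so that the whole
space can be enumerated and matched in well under a second.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

PID_MAX = 32767  # the PID was the only input left varying, so at most 32,767 keys per parameter set


def weak_key(pid: int, arch: str = "x86_64", key_bits: int = 2048, key_type: str = "rsa") -> bytes:
    """Stand-in for a key from the broken generator: fully determined by the PID
    and the key parameters, hence identical on every machine with the same inputs."""
    if not 1 <= pid <= PID_MAX:
        raise ValueError("pid must be in 1..%d" % PID_MAX)
    seed = f"{arch}:{key_bits}:{key_type}:{pid}".encode()
    return hashlib.sha256(seed).digest()


def strong_key() -> bytes:
    """The remediation: key material drawn from the OS CSPRNG, not from a PID."""
    return secrets.token_bytes(32)


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, the way a blacklist stores fingerprints rather than keys."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_blacklist(arch: str = "x86_64", key_bits: int = 2048, key_type: str = "rsa") -> Dict[str, int]:
    """Precompute every key the broken generator can emit for one parameter set.
    Maps fingerprint -> pid, so a hit also tells you which PID produced the key."""
    return {fingerprint(weak_key(pid, arch, key_bits, key_type)): pid for pid in range(1, PID_MAX + 1)}


def check_key(key: bytes, blacklist: Dict[str, int]) -> Optional[int]:
    """Return the generating PID if the key is in the weak set, else None.
    A hit means an attacker with the same table can recover the key just as fast."""
    return blacklist.get(fingerprint(key))


def audit_keys(keys: List[bytes], blacklist: Dict[str, int]) -> List[Tuple[int, int]]:
    """Scan a list of keys (e.g. everything in an authorized_keys file or a
    certificate store, wherever the keys were copied to) and report
    (index, pid) for each one the blacklist recognises."""
    hits = []
    for idx, key in enumerate(keys):
        pid = check_key(key, blacklist)
        if pid is not None:
            hits.append((idx, pid))
    return hits


if __name__ == "__main__":
    table = build_blacklist()
    # Constructed sample: two keys from the broken generator, one properly generated.
    installed = [weak_key(4242), strong_key(), weak_key(31337)]
    print("weak keys enumerated:", len(table))
    print("weak keys found in sample:", audit_keys(installed, table))
```

Note that the table is per (architecture, key size, key type): a 1024-bit key is not found in the 2048-bit table, which is why the real blacklists were published as several files. Debian and Ubuntu shipped ssh-vulnkey for exactly this check; the audit above models the same idea, and a hit means the key must be replaced, not just the package upgraded, since the patch changes how future keys are made and does nothing to keys already in use.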