Scanner for Debian OpenSSL Vulnerability

Security Advancements at the Monastery (http://blog.securitymonks.com)
John Gerber, Thu, 22 May 2008
http://blog.securitymonks.com/2008/05/22/scanner-for-debian-openssl-vulnerability/

By now, you have likely heard about the Debian OpenSSL vulnerability, found by Luciano Bello. It was originally announced on May 13th. What happened is that code was removed because it caused the Valgrind and Purify tools to produce warnings about the use of uninitialized data in code linked to OpenSSL. With that change, only the current process ID was used for the initial seed, crippling the seeding of the OpenSSL PRNG. To quote the National Vulnerability Database (NVD):
OpenSSL 0.9.8c-1 up to 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

Hubert Seiwert, Internet Security Specialist at Westpoint Ltd., released debian_ssh_scan.py on May 16th. The script remotely checks for the weak Debian sshd host keys identified in CVE-2008-0166. The fingerprints are taken from HD Moore’s generated common and uncommon keys. Mr. Seiwert also used Justin Azoff’s multi-threading code. While it is not the only scanner, Mr. Seiwert did a very nice job.

For those who might be less familiar with Python, I thought I would walk through getting debian_ssh_scan.py installed. Most distributions of Linux and Unix have Python installed, and with a few additional steps you will be ready to scan your hosts for vulnerabilities.

Set HTTP_PROXY

If you need to access the Internet through a proxy server, the HTTP_PROXY environment variable should be set. This allows wget, Python’s urllib module, and other applications (yum, apt-get, etc.) to reach http/https through the proxy server.

# export HTTP_PROXY="http://<proxy-server-ip>:<port>"

Replace “<proxy-server-ip>” with your proxy server name/ip and “<port>” with the proxy’s port.

Install setuptools

The setuptools module gives developers an easy way to build and distribute Python packages in a single-file archive called an “egg.” The steps to get setuptools installed are:

  1. Download the appropriate egg for your version of Python (e.g. setuptools-0.6c8-py2.3.egg). Do NOT rename it.
  2. Run it. Setuptools will install itself using the matching version of Python (e.g. python2.3), and will place the easy_install executable in the default location for installing Python scripts (as determined by the standard distutils configuration files, or by the Python installation).

To install:

# cd /home/ger/software
# wget http://pypi.python.org/packages/2.3/s/setuptools/setuptools-0.6c8-py2.3.egg
# sh setuptools-0.6c8-py2.3.egg

Install paramiko

The Python module paramiko implements the SSH2 protocol for secure (encrypted and authenticated) connections to remote machines. Below, the easy_install executable is used. easy_install is bundled with setuptools and automatically downloads, builds, installs, and manages Python packages.

# cd /home/ger/software
# wget http://www.lag.net/paramiko/download/paramiko-1.7.3.tar.gz
# tar xzf paramiko-1.7.3.tar.gz
# cd paramiko-1.7.3
# easy_install ./

Pull Down debian_ssh_scan_v4

The Python script debian_ssh_scan_v4 can now be installed.

# cd /home/ger/software
# wget http://itsecurity.net/debian_ssh_scan_v4.tar.bz2
# bzip2 -cd debian_ssh_scan_v4.tar.bz2 | tar xvf -
# cd debian_ssh_scan_v4

Start Scanning

You are now ready to start scanning. The IP below is used only for demonstration purposes. Use your own site’s IPs.

# ./debian_ssh_scan_v4.py 127.0.0.1:22
201691 fingerprints loaded.
127.0.0.1:22 sshd fingerprint 97382c98fe3d45fa779abd34bb65fb73 VULNERABLE (RSA 2048 bit key, pid 5214)

If you want to scan a file of IPs, modify targets.txt to list them. Run the file of IPs through the scan program using the command:

# cat targets.txt | ./debian_ssh_scan_v4.py
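
The check behind the VULNERABLE line above comes down to hashing the host key blob with MD5 and looking the result up in a list of known weak fingerprints. The following is an added example, not code from debian_ssh_scan.py; it assumes "host keytype base64key" input lines as printed by ssh-keyscan, and the sample keys, addresses and blacklist are constructed for illustration.

```python
import base64
import hashlib
import struct


def read_fields(blob):
    """Split an SSH public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        end = pos + 4 + struct.unpack(">I", blob[pos:pos + 4])[0]
        if end > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos + 4:end])
        pos = end
    return fields


def check_line(line, weak):
    """Check one 'host keytype base64' line; return (host, fp, bits, is_weak)."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    fields = read_fields(blob)
    if fields[0].decode("ascii") != keytype:
        raise ValueError("key type does not match blob")
    # MD5 of the raw blob is the fingerprint; ssh-rsa fields are type, e, n.
    fp = hashlib.md5(blob).hexdigest()
    bits = int.from_bytes(fields[2], "big").bit_length() if keytype == "ssh-rsa" else None
    return host, fp, bits, fp in weak


def make_rsa_line(host, n):
    """Build a constructed ssh-rsa line from modulus n (sample data only)."""
    n_bytes = n.to_bytes(n.bit_length() // 8 + 1, "big")  # leading zero keeps n positive
    parts = (b"ssh-rsa", (65537).to_bytes(3, "big"), n_bytes)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "%s ssh-rsa %s" % (host, base64.b64encode(blob).decode("ascii"))


# Constructed input: made-up moduli (not real keys) on documentation addresses.
SAMPLE = [make_rsa_line("192.0.2.10", (1 << 2047) | 1),
          make_rsa_line("192.0.2.11", (1 << 2047) | 3)]
# Constructed blacklist: treat the first sample's fingerprint as a known weak one.
WEAK = {check_line(SAMPLE[0], set())[1]}

if __name__ == "__main__":
    for host, fp, bits, is_weak in (check_line(line, WEAK) for line in SAMPLE):
        print(host, fp, "RSA %d bit" % bits, "VULNERABLE" if is_weak else "not in blacklist")
```

In real use, WEAK would be loaded from a published fingerprint list, assumed here to hold one 32-hex-digit fingerprint per line.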

Final Words

Debian has issued an update for OpenSSL. For affected systems, the software packages need to be updated and all cryptographic key material must be recreated. Please see Security Focus references for more details.
