Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Evorack Security Advisory (2012-07-21)
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Evorack Security Advisory (2012-07-21)

AsimAsim Member
edited July 2012 in General

Dear Customers,

We would like to report the following security advisory that requires your immediate attention.

Who This Affects

All Evorack customers using any version of Debian or Ubuntu. All other customers (CentOS, Fedora, NetBSD, Slackware, Arch Linux) remain unaffected.

Description

The Debian and Ubuntu templates used by Evorack contain a set of default SSH host keys. While Evorack does have filtering rules in place to prevent "Man In The Middle (MITM)" attacks from other Evorack VPSs, there may be other vectors outside of the Evorack network that could potentially leave your VPS vunerable to MITM attacks.

Steps that require immediate action

Each affected customer should issue the following commands on their VPS:

/bin/rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server

The first command will remove all of your current SSH host keys. The second command will generate a new set.

Upon next log in to your Evorack VPS, you should get a warning that states that something bad may be going on. If you are using Putty on Windows, you can safely ignore this prompt and proceed to cache the new fingerprint. If you are using Linux/Mac to log into your VPS via SSH, then issue the following command to remove the old host fingerprint:

ssh-keygen -R

If you do not get a warning, please try again. If you still don't get a warning, please contact us.

Evorack would like to apologise for any inconvenience these steps may cause.

If anyone has any questions, please feel free to contact us.

Regards,

Evorack Customer Services

Comments

  • same like in virtualizor previous version. right @breton? :D

    Thanked by 1qenox
  • I'd like to stress that we do have filtering rules in place to prevent MITM attacks from occurring from within the Evorack network.

    Thanked by 1qenox
  • Additionally, I can confirm that this issue was caused by our upstream template provider. We obtain our templates from a very reputable source of Virtualisation Templates who unfortunately, in this case, has let us down.

    Please be rest assured that Evorack has implemented scripts into the images on our template server to make sure that no SSH host keys exist and that they are automatically generated on first boot of the Evorack VPS

    Thanked by 1qenox
  • flyfly Member

    that's why you make your own....

    Thanked by 1qenox
  • bretonbreton Member

    @Mon5t3r said:

    same like in virtualizor previous version. right @breton? :D

    Right :) Damn, I even wrote about that to the WHT. It was, like, 3 months ago.

    I also wonder why Virtualizor guys didn't announce it as a security advisory themselves.

    Thanked by 1qenox
  • @kbar, you will find that it is very common for providers to obtain images from a trusted third party due to the sheer number of images available. We like to give our customers choice :)

    In any case, security advisories are, unfortunately, a regular occurrence of life. Even if we were to compile our own kernel, make our own filesystem with buildroot (or compile glibc and all userspace tools from scratch), there would still be security issues with the final build. I'm not trying to say that this reported issue isn't important, just trying to say that you always have to give you trust to someone else at some point :)

    I'd like to stress that we had guys working on this issue immediately once it was discovered and a notice was sent to customers within 2 hours (after updating all Debian/Ubuntu images on our template server)

    @breton, can you enlighten me on this? I'm guessing you guys has this issue before yourselves?

    Thanks

    Thanked by 1qenox
  • AsimAsim Member

    The idea for posting this topic was not provider-bashing etc but to get your VPSes fixed as per the email instructions. Now that we all have it done, we can even put this as a way to "strengthen" new VPSes from any provider just in case.

    Thanks all for your comments

    @Jonny_Evorack thanks for the notice in time

    Thanked by 1qenox
  • bretonbreton Member

    @Jonny_Evorack said:

    @breton, can you enlighten me on this? I'm guessing you guys has this issue before yourselves?

    Yep, I found this issue on @Mon5t3r 's server. And made a post on the WHT - http://www.webhostingtalk.com/showthread.php?t=1120305. Virtualizor guys released an update and we forgot about the problem.

  • @Asim, I completely understand :) It's good to make as many people aware of this as possible I guess. It mite even be a good idea to add some key regeneration to the LEB scripts here? It could go something like this:

    /bin/rm /etc/ssh/ssh_host_*

    ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
    ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''

    Note that the above comands are from my head, not sure if they are 100% correct. They are different commands from the Evorack advisory as those were just specific to Debian/Ubuntu while the above should work for any OS.

    @breton, that's very interesting. I've submitted a ticket to the company that does our images so hopefully they will get this fixed. Nonetheless, we'll we adding our script to every template that makes sure that these SSH host keys do not exist prior to first boot.

Sign In or Register to comment.