16 years of CVE-2008-0166
Debian OpenSSL Bug
Breaking DKIM and BIMI in 2024
badkeys.info
Tool and website to easily check cryptographic public keys for
known vulnerabilities
badkeys detects
- Known common prime factors ("Mining Ps and Qs")
- Return of Coopersmith's attack (ROCA)
- keypair / Gitkraken bug
- Fermat Attack
- Debian OpenSSL bug
------------------------------------------------------------------------
Debian Security Advisory DSA-1571-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
May 13, 2008                          http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : openssl
Vulnerability : predictable random number generator
Problem type : remote
Debian-specific: yes
CVE Id(s) : CVE-2008-0166
Luciano Bello discovered that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.
Keys depended on a limited number of factors like
the PID and the architecture, limiting the number of possible keys to a few
tens of thousands.
Earlier this year
"I should test DKIM keys with badkeys"
DKIM
Signature for emails with a corresponding cryptographic key published in a DNS
record
Scanning the Tranco Top 1 Million list
Around 350,000 TXT records with a valid RSA key.
855 vulnerable to Debian OpenSSL bug (0.24%).
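Added example (not from the talk and not badkeys code): the per-record check behind a scan like this, which pulls the RSA modulus out of a DKIM TXT record's p= tag (base64 SubjectPublicKeyInfo) and looks it up in a set of known-weak keys. The SHA-256 fingerprint format, the function names and the toy moduli are assumptions constructed for illustration.

```python
import base64
import hashlib

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
WEAK_N, OTHER_N = (2**127 - 1) * (2**89 - 1), (2**127 - 1) * (2**107 - 1)  # constructed toy moduli

def tlv(buf, pos):
    """Decode one DER TLV at pos: (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the size of the length field
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dkim_rsa_modulus(txt):
    """Modulus of the RSA key in a DKIM TXT record, or None if there is none."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    tags = {k.strip(): "".join(v.split()) for k, v in pairs}
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None  # other key type, or empty p= (revoked key)
    try:
        spki = base64.b64decode(tags["p"], validate=True)
        _, body, _ = tlv(spki, 0)        # SubjectPublicKeyInfo SEQUENCE
        _, algid, pos = tlv(body, 0)     # AlgorithmIdentifier
        _, bits, _ = tlv(body, pos)      # BIT STRING wrapping RSAPublicKey
        _, rsakey, _ = tlv(bits, 1)      # skip the unused-bits octet
        tag, n, _ = tlv(rsakey, 0)       # first INTEGER is the modulus
    except (ValueError, IndexError):
        return None
    return int.from_bytes(n, "big") if tag == 0x02 and RSA_OID in algid else None

def fingerprint(n):  # hypothetical blocklist key: SHA-256 of the modulus bytes
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()

def classify(txt, weak):
    n = dkim_rsa_modulus(txt)
    if n is None:
        return "no-rsa-key"
    return "known-weak" if fingerprint(n) in weak else "not-listed"

def der(tag, val):  # short-form DER TLV, enough for the small constructed sample
    return bytes([tag, len(val)]) + val

def sample_record(n, e=65537):
    ints = b"".join(der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (n, e))
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + der(0x30, ints)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Calling `classify(sample_record(WEAK_N), {fingerprint(WEAK_N)})` returns "known-weak"; records without a usable RSA key, including revoked keys with an empty p=, return "no-rsa-key".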
Domains with vulnerable keys
@partner.crowdstrike.com, @cisco.com, @oracle.com, @skype.net, @github.partners
@partners.dropbox.com, @1password.com, @seznam.cz
Why?
2006: Debian OpenSSL bug was introduced
2007: DKIM was published (RFC 4870)
2008: Debian OpenSSL bug was found
Most affected keys were configured as a CNAME to a host belonging to the company
Cakemail
Trying to disclose a security issue to security@cakemail.com
We're writing to let you know that the group you tried to contact (security) may
not exist, or you may not have permission to post messages to the group.
Breaking DKIM means breaking BIMI
This made me look into BIMI. It's a horrible spec with inherent security flaws.
If you enjoyed this lightning talk, I presented a longer version at
MiniDebConf; there's a recording.
Thanks for listening!