Web hosting biz Linode broke the security in its customers’ virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them.
Nodes that installed Linode’s Ubuntu 15.10 image between November 10, 2015, and February 4, 2016, all use the same SSH server key. Usually, a unique key is generated during installation of a Linux distro, but that doesn’t appear to have happened for months in this case.
With that key in hand, a man-in-the-middle attacker could set up a malicious server that masquerades as your vulnerable virtual machine, allowing the hacker to quietly intercept passwords, commands, and other sensitive data sent to and from you and your real server.
People who used the dodgy image received earlier today the following email from Linode’s Alex Fornuto, who urging them to regenerate their SSH server keys. Here’s an extract of the message:
It has come to our attention that there is an issue with the Ubuntu 15.10 image we offered from November 10th, 2015, through February 4th, 2016. Any Linodes deployed using this image within this time frame are using identical SSH server keys. If you’re receiving this ticket, you have a disk image currently affected by this issue.
For those unfamiliar with these terms, consider this fuller explanation: Each Linux server running the SSH daemon should have a set of unique keys, used to generate the encryption between client and server. While this traffic is still secure against an attempt to access data by “wire sniffing,” someone could use those keys to institute a “man in the middle” attack. The network rules on our infrastructure prevent such an attack from a neighboring Linode, but connections made from insecure wifi-networks or clients with compromised DNS could be vulnerable.
The steps required to resolve this issue are easy and few. First, from your Linode terminal, as root or with the sudo prefix, run:
rm -f /etc/ssh/ssh_host_*
service ssh restart
If you have any questions regarding this issue, please feel free to reply to this ticket. Furthermore, you can be confident that we have implemented new processes to ensure that this sort oversight doesn’t happen again.
Linode corrected its Ubuntu 15.10 image on February 4.
This blooper comes after the New Jersey-based Linux server hoster weathered a ten-day distributed denial-of-service attack on its data centers after Christmas, and reset its users’ account passwords after a hack attack scare in January. As it happens, Linode is advertising for Linux technical support workers… ®
Building secure multi-factor authentication