Weak keys in NetBSD
A serious random number generator issue has been found in the free NetBSD Unix derivative that recently celebrated its 20th anniversary. The flaw potentially causes systems to generate weak, crackable cryptographic keys. Apparently, the culprit is a misplaced parenthesis in the NetBSD kernel's source code. The developers have released a kernel update to fix the issue. They also recommend that users urgently replace any keys that were generated with NetBSD 6.0 or NetBSD-Current. The error will be fixed in NetBSD 6.1.
The programming flaw can cause a system to generate random numbers that aren't particularly random. The risk is especially high when a system is booting because during that time, the system has very little entropy at its disposal. The issue also has a particularly serious effect on 32-bit platforms, where only cryptographic keys with 32 bits of potential entropy can be generated. Brute forcing the resulting 4 billion possibilities is technically feasible.
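An added illustration, not NetBSD source code and not part of the original article: one way a misplaced parenthesis in a sizeof expression can cap a seed at the platform's pointer size, which is 32 bits on a 32-bit platform. The names extract, seed_buggy, seed_fixed and KEYLEN are hypothetical, and it is an assumption that the flaw has this shape.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEYLEN 32   /* constructed seed size for this sketch */

/* Hypothetical entropy source: hands over at most `avail` bytes. */
static size_t extract(unsigned char *dst, size_t want, size_t avail)
{
    size_t n = want < avail ? want : avail;
    memset(dst, 0xA5, n);           /* 0xA5 marks a byte that was seeded */
    return n;
}

static size_t count_seeded(const unsigned char *key)
{
    size_t i, n = 0;
    for (i = 0; i < KEYLEN; i++)
        n += (key[i] == 0xA5);
    return n;
}

/* good_avail: bytes of good entropy in the pool (small during boot). */
size_t seed_buggy(size_t good_avail)
{
    unsigned char key[KEYLEN] = {0};
    size_t r = extract(key, sizeof(key), good_avail);
    if (r < sizeof(key))
        /* Misplaced parenthesis: `key - r` is a pointer, so this asks for
         * sizeof(unsigned char *) bytes (and may overrun key if r is near KEYLEN). */
        extract(key + r, sizeof(key - r), (size_t)-1);
    return count_seeded(key);
}

size_t seed_fixed(size_t good_avail)
{
    unsigned char key[KEYLEN] = {0};
    size_t r = extract(key, sizeof(key), good_avail);
    if (r < sizeof(key))
        extract(key + r, sizeof(key) - r, (size_t)-1);  /* remaining bytes */
    return count_seeded(key);
}

int main(void)
{
    printf("pool empty: buggy seeds %zu of %d bytes, fixed seeds %zu\n",
           seed_buggy(0), KEYLEN, seed_fixed(0));
    return 0;
}
```

Clang reports the buggy expression under -Wsizeof-array-decay, so building with that warning enabled is one way to catch this class of mistake in review.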
SSH server keys are particularly at risk because they are usually generated while the system is booting. All SSH server keys that were generated on NetBSD 6 systems should be replaced immediately. Since the ECDSA algorithm was only introduced with the affected version 6, it is very likely that the ECDSA keys on these systems were newly generated and have been heavily weakened by the "lack of actual randomness".
The incident is reminiscent of the Debian debacle in 2008, although the Debian issue affected a far greater number of systems. That was caused by a flawed patch in Debian's OpenSSL package which allowed potential attackers to crack any keys that were generated with OpenSSL under Debian in a short time.