Company fixes issue with Ubuntu 15.10 server images

Feb 10, 2016 08:57 GMT  ·  By

In an email sent to customers, Linode has admitted to its blunder: the Ubuntu 15.10 images it deployed to some of its clients' servers all shipped with the same SSH host key, so every affected server presented the identical key, and anyone holding a copy of the private half could impersonate any of them.

Linode says this happened from November 10, 2015, through February 4, 2016, but the problem has been fixed after the company updated its deployment configurations.

That means that, for about three months, Linode VPSes deployed from that Ubuntu image would have been susceptible to the most trivial kind of SSH MitM (Man-in-the-Middle) attack if an attacker had noticed the company's slip-up. The host key is what lets an SSH client verify that it is talking to the right server; when many servers share one key, anyone holding the private half (any customer who deployed the same image, for instance) passes that check while impersonating another affected server, and the client sees no warning.

Linode customers were left open to MitM attacks

To Linode's credit, the company says only MitM attacks staged from outside its network would have succeeded, since its internal firewalls prevent Linode customers from intercepting each other's traffic from other Linode servers. A shared host key is only exploitable by an attacker who can also get between a client and its server, so this narrows the attack surface, but it does not make the underlying weakness any less dangerous.

The issue was discovered internally, and the company has taken the steps necessary to update the Ubuntu image at fault, making sure not to include any hard-coded SSH keys.

Clients that deployed affected Linode VPS boxes don't need to reinstall; they only need to regenerate the SSH host keys and restart the SSH daemon. Linode's admins say that running the following shell commands as root should do the trick (anyone who has already connected to the server will then see a "host key has changed" warning on their next login, which is expected and should be followed by updating their known_hosts entry):

rm -f /etc/ssh/ssh_host_*        # delete the shared host keys (private and public halves)
dpkg-reconfigure openssh-server  # Debian/Ubuntu package hook generates fresh host keys
service ssh restart              # make sshd load the new keys

Linode isn't going through its best phase right now. A huge DDoS attack crippled the service for about two weeks starting at Christmas and, as the company later admitted, served as a screen for an unknown party that breached its servers. Linode announced the data breach at the start of 2016 and forced customers to reset their account passwords.

After the huge downtime and the data breach incident, the SSH blunder may be the last straw for some of Linode's customers.

A copy of the Linode notification letter has been obtained by The Register, which you can read below.

Linode Notification