In an email sent to customers, Linode has admitted to its blunder, saying that it deployed Ubuntu 15.10 images to some of its clients' servers that were using the same SSH key.
Linode says this happened from November 10, 2015, through February 4, 2016, but the problem has been fixed after the company updated its deployment configurations.
That means that, for about three months, Linode VPS servers deployed from that Ubuntu image would have been susceptible to the most trivial type of MitM (Man-in-the-Middle) attack, had an attacker noticed the company's slip-up.
Linode customers were left open to MitM attacks
To Linode's credit, only MitM attacks coming from external connections would have been successful, since the company's internal firewalls would have prevented Linode customers from sniffing each other's traffic using other Linode servers. This doesn't make it less dangerous, but it contributed to narrowing down the attack surface.
The issue was discovered internally, and the company has taken the steps necessary to update the Ubuntu image at fault, making sure not to include any hard-coded SSH keys.
Clients that have deployed Linode VPS boxes don't need to reinstall but only reconfigure the SSH daemon. Linode's admins say that running the following shell commands should do the trick:
rm -f /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
service ssh restart
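The condition the faulty image created, several servers presenting the same SSH host key, is easy to check for across a fleet. The following Python is an added example, not Linode's or Ubuntu's code: it reads lines in ssh-keyscan output format, reduces each key to the SHA256 fingerprint that ssh-keygen -lf prints, and reports any fingerprint shared by more than one host. The hostnames and key bytes in the sample are constructed.

```python
"""Report SSH host keys that more than one server presents (constructed sample)."""
import base64
import hashlib
import struct
from collections import defaultdict


def sha256_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(keyscan_lines):
    """Return {'<keytype> <fingerprint>': [hosts]} for keys seen on 2+ hosts.

    Input lines use the ssh-keyscan format: '<host> <keytype> <base64 blob>'.
    Comment lines, blank lines and malformed lines are skipped.
    """
    hosts_by_key = defaultdict(set)
    for line in keyscan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, blob = parts[0], parts[1], parts[2]
        try:
            fp = sha256_fingerprint(blob)
        except ValueError:          # base64 decode failure (binascii.Error subclass)
            continue
        hosts_by_key[(keytype, fp)].add(host)
    return {f"{kt} {fp}": sorted(h) for (kt, fp), h in hosts_by_key.items() if len(h) > 1}


def _ed25519_blob(raw32: bytes) -> str:
    """Constructed helper: encode a 32-byte value as an ssh-ed25519 wire blob."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-ed25519") + s(raw32)).decode()


SHARED = _ed25519_blob(b"\x01" * 32)   # constructed stand-in for a baked-in image key
UNIQUE = _ed25519_blob(b"\x02" * 32)   # constructed stand-in for a freshly generated key
SAMPLE_KEYSCAN = [                      # constructed sample, not real hosts
    "# web1.example.net:22 SSH-2.0-OpenSSH",
    f"web1.example.net ssh-ed25519 {SHARED}",
    f"web2.example.net ssh-ed25519 {SHARED}",
    f"db1.example.net ssh-ed25519 {UNIQUE}",
]

if __name__ == "__main__":
    for key, hosts in find_shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{key} is shared by: {', '.join(hosts)}")
```

On a real fleet, feed it the output of `ssh-keyscan -t ed25519 host1 host2 ...` instead of SAMPLE_KEYSCAN; any non-empty result means those servers still need the key regeneration steps above.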
Linode isn't going through its best phase right now, especially after a huge DDoS attack that lasted for about two weeks crippled the service starting at Christmas and eventually allowed an unknown party to breach the company's servers. The company finally admitted that the DDoS attack was a smokescreen, announced a data breach at the start of 2016, and also forced customers to change their account passwords.
After the huge downtime and the data breach incident, for some of Linode's customers, the SSH blunder may be the last straw.
linode the Ubuntu 15.10 image with the identical SSH server keys – is that your fault or Canonical’s? pic.twitter.com/nLfc5VN8cf — AskMrSnowdon (@AskMrSnowdon) February 9, 2016
"Any Linodes deployed using this image within this time frame are using identical SSH server keys" Ok, that's it, I'm leaving @linode. — Marius Gundersen (@GundersenMarius) February 9, 2016
A copy of the Linode notification letter has been obtained by The Register, which you can read below.