FreeBSD Security Advisories
2008-Nov-24 09:47 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================FreeBSD-SA-08.11.arc4random Security Advisory The FreeBSD Project Topic: arc4random(9) predictable sequence vulnerability Category: core Module: sys Announced: 2008-11-24 Credits: Robert Woolley, Mark Murray, Maxim Dounin, Ruslan Ermilov Affects: All supported versions of FreeBSD. Corrected: 2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE) 2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6) 2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE) 2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE) 2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6) CVE Name: CVE-2008-5162 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. I. Background arc4random(9) is a generic-purpose random number generator based on the key stream generator of the RC4 cipher. It is expected to be cryptographically strong, and used throughout the FreeBSD kernel for a variety of purposes, some of which rely on its cryptographic strength. arc4random(9) is periodically reseeded with entropy from the FreeBSD kernel's Yarrow random number generator, which gathers entropy from a variety of sources including hardware interrupts. During the boot process, additional entropy is provided to the Yarrow random number generator from userland, helping to ensure that adequate entropy is present for cryptographic purposes. II. Problem Description When the arc4random(9) random number generator is initialized, there may be inadequate entropy to meet the needs of kernel systems which rely on arc4random(9); and it may take up to 5 minutes before arc4random(9) is reseeded with secure entropy from the Yarrow random number generator. III. Impact All security-related kernel subsystems that rely on a quality random number generator are subject to a wide range of possible attacks for the 300 seconds after boot or until 64k of random data is consumed. The list includes: * GEOM ELI providers with onetime keys. When a provider is configured in a way so that it gets attached at the same time during boot (e.g. it uses the rc subsystem to initialize) it might be possible for an attacker to recover the encrypted data. * GEOM shsec providers. The GEOM shsec subsytem is used to split a shared secret between two providers so that it can be recovered when both of them are present. This is done by writing the random sequence to one of providers while appending the result of the random sequence on the other host to the original data. If the provider was created within the first 300 seconds after booting, it might be possible for an attacker to extract the original data with access to only one of the two providers between which the secret data is split. * System processes started early after boot may receive predictable IDs. * The 802.11 network stack uses arc4random(9) to generate initial vectors (IV) for WEP encryption when operating in client mode and WEP authentication challenges when operating in hostap mode, which may be insecure. * The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality random number generator to produce unpredictable IP packet identifiers, initial TCP sequence numbers and outgoing port numbers. During the first 300 seconds after booting, it may be easier for an attacker to execute IP session hijacking, OS fingerprinting, idle scanning, or in some cases DNS cache poisoning and blind TCP data injection attacks. * The kernel RPC code uses arc4random(9) to retrieve transaction identifiers, which might make RPC clients vulnerable to hijacking attacks. IV. Workaround No workaround is available for affected systems. V. Solution NOTE WELL: Any GEOM shsec providers which were created or written to during the first 300 seconds after booting should be re-created after applying this security update. Perform one of the following: 1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the RELENG_7_0, or RELENG_6_3 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 6.3 and 7.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 7.x] # fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch # fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch.asc [FreeBSD 6.x] # fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch # fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_6 src/sys/dev/random/randomdev.c 1.59.2.2 src/sys/dev/random/randomdev_soft.c 1.11.2.3 RELENG_6_4 src/UPDATING 1.416.2.40.2.2 src/sys/dev/random/randomdev.c 1.59.2.1.8.2 src/sys/dev/random/randomdev_soft.c 1.11.2.2.6.2 RELENG_6_3 src/UPDATING 1.416.2.37.2.11 src/sys/conf/newvers.sh 1.69.2.15.2.10 src/sys/dev/random/randomdev.c 1.59.2.1.6.1 src/sys/dev/random/randomdev_soft.c 1.11.2.2.4.1 RELENG_7 src/sys/dev/random/randomdev.c 1.61.2.1 src/sys/dev/random/randomdev_soft.c 1.15.2.1 RELENG_7_0 src/UPDATING 1.507.2.3.2.10 src/sys/conf/newvers.sh 1.72.2.5.2.10 src/sys/dev/random/randomdev.c 1.61.4.1 src/sys/dev/random/randomdev_soft.c 1.15.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5162 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-08:11.arc4random.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (FreeBSD) iEYEARECAAYFAkkq550ACgkQFdaIBMps37K3SwCfcj0iiFxH2tljR1N7/qhXWiW1 N/cAoIjgcsh6sZG/upobud4TVme9QJPf =SKuK -----END PGP SIGNATURE-----
FreeBSD Security Advisories
2008-Nov-24 09:47 UTC
FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================FreeBSD-SA-08.11.arc4random Security Advisory The FreeBSD Project Topic: arc4random(9) predictable sequence vulnerability Category: core Module: sys Announced: 2008-11-24 Credits: Robert Woolley, Mark Murray, Maxim Dounin, Ruslan Ermilov Affects: All supported versions of FreeBSD. Corrected: 2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE) 2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6) 2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE) 2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE) 2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6) CVE Name: CVE-2008-5162 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. I. Background arc4random(9) is a generic-purpose random number generator based on the key stream generator of the RC4 cipher. It is expected to be cryptographically strong, and used throughout the FreeBSD kernel for a variety of purposes, some of which rely on its cryptographic strength. arc4random(9) is periodically reseeded with entropy from the FreeBSD kernel's Yarrow random number generator, which gathers entropy from a variety of sources including hardware interrupts. During the boot process, additional entropy is provided to the Yarrow random number generator from userland, helping to ensure that adequate entropy is present for cryptographic purposes. II. Problem Description When the arc4random(9) random number generator is initialized, there may be inadequate entropy to meet the needs of kernel systems which rely on arc4random(9); and it may take up to 5 minutes before arc4random(9) is reseeded with secure entropy from the Yarrow random number generator. III. Impact All security-related kernel subsystems that rely on a quality random number generator are subject to a wide range of possible attacks for the 300 seconds after boot or until 64k of random data is consumed. The list includes: * GEOM ELI providers with onetime keys. When a provider is configured in a way so that it gets attached at the same time during boot (e.g. it uses the rc subsystem to initialize) it might be possible for an attacker to recover the encrypted data. * GEOM shsec providers. The GEOM shsec subsytem is used to split a shared secret between two providers so that it can be recovered when both of them are present. This is done by writing the random sequence to one of providers while appending the result of the random sequence on the other host to the original data. If the provider was created within the first 300 seconds after booting, it might be possible for an attacker to extract the original data with access to only one of the two providers between which the secret data is split. * System processes started early after boot may receive predictable IDs. * The 802.11 network stack uses arc4random(9) to generate initial vectors (IV) for WEP encryption when operating in client mode and WEP authentication challenges when operating in hostap mode, which may be insecure. * The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality random number generator to produce unpredictable IP packet identifiers, initial TCP sequence numbers and outgoing port numbers. During the first 300 seconds after booting, it may be easier for an attacker to execute IP session hijacking, OS fingerprinting, idle scanning, or in some cases DNS cache poisoning and blind TCP data injection attacks. * The kernel RPC code uses arc4random(9) to retrieve transaction identifiers, which might make RPC clients vulnerable to hijacking attacks. IV. Workaround No workaround is available for affected systems. V. Solution NOTE WELL: Any GEOM shsec providers which were created or written to during the first 300 seconds after booting should be re-created after applying this security update. Perform one of the following: 1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the RELENG_7_0, or RELENG_6_3 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 6.3 and 7.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 7.x] # fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch # fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch.asc [FreeBSD 6.x] # fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch # fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_6 src/sys/dev/random/randomdev.c 1.59.2.2 src/sys/dev/random/randomdev_soft.c 1.11.2.3 RELENG_6_4 src/UPDATING 1.416.2.40.2.2 src/sys/dev/random/randomdev.c 1.59.2.1.8.2 src/sys/dev/random/randomdev_soft.c 1.11.2.2.6.2 RELENG_6_3 src/UPDATING 1.416.2.37.2.11 src/sys/conf/newvers.sh 1.69.2.15.2.10 src/sys/dev/random/randomdev.c 1.59.2.1.6.1 src/sys/dev/random/randomdev_soft.c 1.11.2.2.4.1 RELENG_7 src/sys/dev/random/randomdev.c 1.61.2.1 src/sys/dev/random/randomdev_soft.c 1.15.2.1 RELENG_7_0 src/UPDATING 1.507.2.3.2.10 src/sys/conf/newvers.sh 1.72.2.5.2.10 src/sys/dev/random/randomdev.c 1.61.4.1 src/sys/dev/random/randomdev_soft.c 1.15.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5162 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-08:11.arc4random.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (FreeBSD) iEYEARECAAYFAkkq550ACgkQFdaIBMps37K3SwCfcj0iiFxH2tljR1N7/qhXWiW1 N/cAoIjgcsh6sZG/upobud4TVme9QJPf =SKuK -----END PGP SIGNATURE-----
Aragon Gouveia
2008-Nov-24 10:28 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random
| By FreeBSD Security Advisories <security-advisories@freebsd.org> | [ 2008-11-24 19:48 +0200 ]> III. Impact > > All security-related kernel subsystems that rely on a quality random > number generator are subject to a wide range of possible attacks for the > 300 seconds after boot or until 64k of random data is consumed. The list > includes:I suppose this would affect the quality of SSH host keys generated at boot time by RC? Thanks, Aragon
Nate Eldredge
2008-Nov-24 10:32 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random
Upon reading this, my first question was whether the weakness applies to the random numbers supplied by /dev/random. If it does, then userspace has been getting non-random values, and things like PGP and SSH keys could be compromised. It might be good for secteam to clarify this, IMHO. On Mon, 24 Nov 2008, FreeBSD Security Advisories wrote:> FreeBSD-SA-08.11.arc4random Security Advisory > The FreeBSD Project... -- Nate Eldredge neldredge@math.ucsd.edu
Stanislav Sedov
2008-Nov-24 14:17 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 24 Nov 2008 10:07:18 -0800 (PST) Nate Eldredge <neldredge@math.ucsd.edu> mentioned:> Upon reading this, my first question was whether the weakness applies to > the random numbers supplied by /dev/random. If it does, then userspace has > been getting non-random values, and things like PGP and SSH keys could be > compromised. It might be good for secteam to clarify this, IMHO. >Userland applications are unaffected ssh keys included. /dev/[u]?random receives entropy from Yarrow, not from arc4random and feeded with saved entropy upon boot by /etc/rc.d/initrandom. Only kernel services that rely on arc4random(9) is vulnerable. - -- Stanislav Sedov ST4096-RIPE -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAkkrI2cACgkQK/VZk+smlYGvrwCfTEuy+4AIk/b6l6bxRX0tcVs0 PZMAniLO3ltjq5232cErhAtB7u5SJI4J =UmVN -----END PGP SIGNATURE-----
Stanislav Sedov
2008-Nov-24 14:17 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 24 Nov 2008 20:08:59 +0200 Aragon Gouveia <aragon@phat.za.net> mentioned:> | By FreeBSD Security Advisories <security-advisories@freebsd.org> > | [ 2008-11-24 19:48 +0200 ] > > III. Impact > > > > All security-related kernel subsystems that rely on a quality random > > number generator are subject to a wide range of possible attacks for the > > 300 seconds after boot or until 64k of random data is consumed. The list > > includes: > > I suppose this would affect the quality of SSH host keys generated at boot > time by RC? >Nope, userland is unaffected. - -- Stanislav Sedov ST4096-RIPE -----BEGIN PGP SIGNATURE----- iEUEARECAAYFAkkrI3gACgkQK/VZk+smlYFwWQCXSwYxHbUizxmriBT3pO1Ei8W7 GACff74X/J3b4c01zRkXmsYxE981hwk=v+Xl -----END PGP SIGNATURE-----
Seemingly Similar Threads
- FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random
- openssh portable and libressl portable cause recursion between arc4random and RAND_bytes
- Maybe problem in openbsd-compat/bsd-arc4random.c
- Collecting entropy from device_attach() times.
- klibc 1.5.21-1 and mksh