-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AUSCERT External Security Bulletin Redistribution

                               ESB-2000.148 --
                     NetBSD Security Advisory 2000-007
              bad key generation in libdes if no /dev/urandom
                                22 June 2000

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                libdes
Vendor:                 NetBSD
Operating System:       NetBSD-current
Platform:               N/A
Impact:                 Reduced Security
                        Provide Misleading Information
Access Required:        Local, Remote

Ref:                    ESB-2000.134

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-007
                 =================================

Topic:          bad key generation in libdes if no /dev/urandom

Version:        Domestic US NetBSD-current between 19990624 and
                20000622. No formal releases of NetBSD are vulnerable.

Severity:       high only if kerberos is in use and /dev/urandom is
                not present; none otherwise

Abstract
========

On June 24, 1999, a new version of "libdes" was imported into
NetBSD-current. This version was derived from version 4 of Eric Young's
libdes, and replaced the previous version, which was derived from
version 2 of Eric Young's libdes.

Certain functions required for compatibility with the DES library
included with MIT's Kerberos v4 distribution were not included in the
new version of Eric Young's libdes (which is also the version included
in SSLeay and OpenSSL). Unfortunately, the replacement versions of these
functions written during the integration process have a serious bug.

If /dev/urandom is not present and functioning correctly,
des_init_random_number_generator seeds the random number generator with
constant data, causing the generation of keys which are easy to
determine.
The following programs which are included in the NetBSD distribution
are impacted by this bug:

        /usr/bin/telnet
        /usr/libexec/telnetd
        /usr/sbin/kadmin
        /usr/sbin/kdb_edit
        /usr/sbin/kdb_init
        /usr/sbin/kerberos
        /usr/sbin/ksrvutil

Other programs which use the des_init_random_number_generator function,
such as some programs which use Kerberos version 4, are also impacted.

Kerberos service keys which were generated on a system exhibiting this
bug *must* be regenerated, or the Kerberos service principals in
question will have no security.

Technical Details
=================

The functions reimplemented for the integration were
des_set_random_generator_seed, des_new_random_key, and
des_init_random_number_generator.

The API used by many Kerberos version 4 programs to obtain random DES
keys is relatively simple. des_init_random_number_generator is called
to initialize the random number generator with a secret seed, such as a
key obtained from the KDC. Environmental data is used to permute the
secret seed so that multiple callers with the same seed will get
different output streams from the random number generator. After an
initial use of des_init_random_number_generator, des_new_random_key is
called to get 64 bits at a time of random data.

Unfortunately, in the implementation present in NetBSD from 19990624
until 20000622, a misplaced "memset" call in the body of
des_init_random_number_generator zeroes the seed data before, rather
than after, use. While a small amount of environmental data is mixed in
on each call to des_new_random_key, the output will not be sufficiently
random to provide reasonable levels of security.

Fortunately, if /dev/urandom is present and can be read,
des_new_random_key will use it instead of the DES-based random number
generator, and is thus not vulnerable.

Solutions and Workarounds
=========================

NetBSD-current since 20000622 is not vulnerable. Systems running
NetBSD-current should be upgraded to a source tree later than 20000622.
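The seeding defect described under Technical Details, together with the
/dev/urandom check that decides whether the DES-based generator is used at
all, as an added example in C. This is not NetBSD's rnd_keys.c: a 64-bit
FNV-1a hash stands in for SHA1 so the block is self-contained (the ordering
of memset relative to the hash update is the point, not the digest), and
env_t, derive_seed, seed_ignores_secret, device_yields_random and the sample
environment values are all constructed for the demonstration.

```c
/* Added example, not NetBSD's code: models (1) the misplaced memset in
 * des_init_random_number_generator and (2) the /dev/urandom check that
 * selects the kernel generator over the DES-based one. FNV-1a stands in
 * for SHA1; names and sample values are constructed. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

typedef struct { uint64_t h; } toy_ctx;             /* stand-in for SHA1_CTX */
static void toy_init(toy_ctx *c) { c->h = 0xcbf29ce484222325ULL; }
static void toy_update(toy_ctx *c, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { c->h ^= p[i]; c->h *= 0x100000001b3ULL; }
}
static uint64_t toy_final(const toy_ctx *c) { return c->h; }

/* Constructed environment standing in for gettimeofday/getpid/hostname/getuid. */
typedef struct { long sec, usec; int pid; const char *host; int uid; } env_t;

/* Format the environment plus the caller's secret seed into accum, hash it,
 * and return the value that would be handed to des_random_seed(). With
 * buggy != 0 the 19990624..20000622 ordering is reproduced: accum is zeroed
 * before it is hashed, so strlen(accum) is 0 and the hash covers nothing. */
uint64_t derive_seed(const env_t *e, uint64_t secret, int buggy)
{
    char accum[512];
    toy_ctx sha;
    toy_init(&sha);
    snprintf(accum, sizeof accum, "%ld%ld%d%s%d%llu",
             e->sec, e->usec, e->pid, e->host, e->uid,
             (unsigned long long)secret);
    if (buggy)
        memset(accum, 0, sizeof accum);   /* vulnerable: scrubbed before use */
    toy_update(&sha, (const unsigned char *)accum, strlen(accum));
    uint64_t results = toy_final(&sha);
    if (!buggy)
        memset(accum, 0, sizeof accum);   /* fixed: scrubbed after use */
    return results;
}

/* 1 when two different secrets yield the same derived seed, i.e. the key
 * material is independent of the secret the KDC supplied. */
int seed_ignores_secret(int buggy)
{
    env_t e = { 961632000L, 123456L, 4242, "kdc.example.test", 0 }; /* constructed */
    return derive_seed(&e, 0x0123456789abcdefULL, buggy)
        == derive_seed(&e, 0xfedcba9876543210ULL, buggy);
}

/* The workaround check, done the way the library must do it: the device has
 * to be openable AND actually return the requested bytes (a bare device node
 * with no rnd pseudo-device behind it fails the read). This is what
 * "dd if=<path> of=/dev/null bs=64 count=1" reporting "1+0 records in" tells you. */
int device_yields_random(const char *path)
{
    unsigned char buf[64];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n == (ssize_t)sizeof buf;
}

int main(void)
{
    printf("buggy ordering ignores secret: %d\n", seed_ignores_secret(1));
    printf("fixed ordering ignores secret: %d\n", seed_ignores_secret(0));
    printf("/dev/urandom usable: %d\n", device_yields_random("/dev/urandom"));
    return 0;
}
```

With the buggy ordering every caller, whatever secret and environment it
supplies, gets the hash of an empty string, which is why the advisory calls
the resulting keys "easy to determine"; the fixed ordering makes the derived
seed depend on the secret again. device_yields_random() shows why the
advisory insists on reading from the node rather than just checking that it
exists.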
You should ensure that you are building libdes as a symlink to libcrypto,
from the "lib/libdes" directory in the source tree rather than from
"domestic" or "crypto-us", which are obsolete.

If an upgrade is not possible, a very quick workaround is to ensure that
/dev/urandom is present and functioning on your system. It is important
to confirm not just that the /dev/urandom device node exists, but also
that it is readable by all users and that the kernel random number
driver is in fact present in the running kernel. To verify, as an
unprivileged user, type:

        dd if=/dev/urandom of=/dev/null bs=64 count=1

at a shell prompt. If the output of dd starts with the following, your
system is not vulnerable:

        1+0 records in
        1+0 records out

If it is not possible to patch your source tree, it is imperative that
you ensure that future kernels always include the random number
generator, or your system will become vulnerable; make sure that
"pseudo-device rnd" is present and not commented out in your kernel
configuration file. You then need to rebuild, install the newly built
kernel, and reboot. For more information on how to do this, see:

        http://www.netbsd.org/Documentation/kernel/#building_a_kernel

If neither approach is feasible, the following patch can be applied to
src/crypto-us/lib/libdes/rnd_keys.c in a vulnerable source distribution
of NetBSD to correct the problem:

- - --- rnd_keys.c 1999/07/30 19:41:06 1.5
+++ rnd_keys.c 2000/06/22 00:01:26
@@ -75,12 +75,12 @@ snprintf(accum, 512, "%ld%ld%d%s%d%qd", when.tv_sec, when.tv_usec, getpid(), hname, getuid(), *seed); - - - memset(accum, 0, 512); - - - SHA1Update(&sha, (u_char *)accum, strlen(accum)); SHA1Final(results, &sha); + memset(accum, 0, 512); + des_random_seed(results); /* XXX uses only first 8 bytes! */ memset(results, 0, 20);

Once the patch is applied, build and install a new version of libdes.

If the system in question is a server for kerberos-authenticated
services, you should change the service keys for the system once the
system software is upgraded to include the fixes described above; you
can typically use the ksrvutil command to do this.

Thanks To
=========

Jason Thorpe for noticing the problem while integrating libcrypto into
the main NetBSD source tree, which involved again replacing libdes.

Revision History
================

2000/06/21 - Initial version.

More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved.

$NetBSD: NetBSD-SA2000-007.txt,v 1.3 2000/06/22 00:51:03 sommerfeld Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOVFjcj5Ru2/4N2IFAQE5HAQApt4zDoRIuqTbewuLB6d/JeLIR9wCgkfR
HkmMS7jmcszQGzpAa8/kcIDaciPcj/U0YTn208zt4MuNtOpKk0GySnnQmRPNq1om
9sz7B9XqCtGYe4gQVsi9IEoTsHV/Aojrlc6i1ASe4fI8x916gpNP8GEiX0dMPGei
nUPpDB3qK0c=
=wQ1F
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to use any or all of this
information is the responsibility of each user or organisation, and
should be done in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.
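Review bot: Moving memset(accum, 0, 512) from before SHA1Update to after SHA1Final is the right fix: in the old ordering strlen(accum) was 0 at the SHA1Update call, so the digest covered none of the tv_sec, tv_usec, pid, hname, uid or *seed data that snprintf had just formatted, and every caller was seeded from the hash of an empty string. What the hunk leaves open is flagged by its own context line, des_random_seed(results); /* XXX uses only first 8 bytes! */: SHA1Final produces 20 bytes but only the first 8 reach the generator before memset(results, 0, 20) scrubs the rest, so the XXX should be tracked as a follow-up (fold the whole digest into the seed) rather than carried forward silently. A one-line comment above the moved memset saying that accum must be scrubbed only after it has been hashed would also help keep the next integrator from reintroducing the ordering bug.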
It may not be updated when updates to the original are made. If
downloading at a later date, it is recommended that the bulletin is
retrieved directly from the original authors to ensure that the
information is still current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT
or your representative in FIRST (Forum of Incident Response and
Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST). On call after hours
                for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOXXTrSh9+71yA2DNAQFZ8QP+NdNOPM8lcVEY8z/jjOLPfykWlktpbwtG
Ggus2ViXHUcWV3R0zti18abIBUVl7qmWl4dxyfKXJL1OExBcxtw/cZBLEPk6O7BZ
A0GRrPjnkn9rMVz/uwdRWdnwVxf7ypbr28qLawWl/XBqIaZjPiOkfK19sSb91NC0
p7WCSs8BHRg=
=cVaZ
-----END PGP SIGNATURE-----