AUSCERT External Security Bulletin Redistribution
             ESB-2000.148 --  NetBSD Security Advisory 2000-007
               bad key generation in libdes if no /dev/urandom
                                22 June 2000


	AusCERT Security Bulletin Summary

Product:		libdes
Vendor:			NetBSD
Operating System:	NetBSD-current
Platform:		N/A

Impact:			Reduced Security
			Provide Misleading Information

Access Required:	Local, Remote

Ref:			ESB-2000.134

--------------------------BEGIN INCLUDED TEXT--------------------


                 NetBSD Security Advisory 2000-007

Topic:		bad key generation in libdes if no /dev/urandom
Version:	Domestic US NetBSD-current between 19990624 and 20000622.
		No formal releases of NetBSD are vulnerable.
Severity:	high only if kerberos is in use and /dev/urandom is
		not present; none otherwise


On June 24, 1999, a new version of "libdes" was imported into
NetBSD-current.  This version was derived from version 4 of Eric
Young's libdes, and replaced the previous version, which was derived
from version 2 of Eric Young's libdes.

Certain functions required for compatibility with the DES library
included with MIT's Kerberos v4 distribution were not included in the
new version of Eric Young's libdes (which is also the version included
in SSLeay and OpenSSL).

Unfortunately, the replacement versions of these functions written during
the integration process have a serious bug.  If /dev/urandom is not
present and functioning correctly, des_init_random_number_generator
seeds the random number generator with constant data, causing the
generation of keys which are easy to determine.

The following programs which are included in the NetBSD distribution are
impacted by this bug:


Other programs which use the des_init_random_number_generator
function, such as some programs which use Kerberos version 4, are also

Kerberos service keys which were generated on a system exhibiting this
bug *must* be regenerated, or the Kerberos service principals in
question will have no security.

Technical Details

The functions reimplemented for the integration were
des_set_random_generator_seed, des_new_random_key, and

The API used by many Kerberos version 4 programs to obtain random DES
keys is relatively simple.  des_init_random_number_generator is called
to initialize the random number generator with a secret seed, such as
a key obtained from the KDC.  Environmental data is used to permute
the secret seed so that multiple callers with the same seed will get
different output streams from the random number generator.  After an
initial use of des_init_random_number_generator, des_new_random_key is
called to get 64 bits at a time of random data.

Unfortunately, in the implementation present in NetBSD from 19990624
until 20000622, a misplaced "memset" call in the body of
des_init_random_number_generator zeroes the seed data before, rather
than after, use.  While a small amount of environmental data is mixed
in on each call to des_new_random_key, the output will not be
sufficiently random to provide reasonable levels of security.
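The misplaced memset described above can be modelled directly. The following Python is an added example, not code from the advisory or from NetBSD's libdes: it rebuilds the "%ld%ld%d%s%d%qd" accum buffer from constructed environmental values, hashes it with the buggy and the fixed ordering, and keeps only the 8 bytes des_random_seed actually uses. The per-call mixing inside des_new_random_key is not modelled; only the init step is.

```python
import hashlib

# Constructed stand-ins for gettimeofday(), getpid(), gethostname() and getuid()
# as formatted by the snprintf in rnd_keys.c (values are made up for the demo).
ENV = dict(tv_sec=961632086, tv_usec=123456, pid=4242, hname="kdc.example", uid=1000)


def _accum(seed: int, env: dict) -> bytearray:
    """Build the 512-byte accum buffer as snprintf("%ld%ld%d%s%d%qd", ...) would,
    NUL-padded like a C stack buffer."""
    text = f"{env['tv_sec']}{env['tv_usec']}{env['pid']}{env['hname']}{env['uid']}{seed}"
    buf = bytearray(512)
    buf[:len(text)] = text.encode()
    return buf


def _c_strlen(buf: bytes) -> int:
    """strlen(): number of bytes before the first NUL."""
    return buf.index(0) if 0 in buf else len(buf)


def seed_material_buggy(seed: int, env: dict = ENV) -> bytes:
    """Ordering shipped 19990624..20000622: accum is zeroed BEFORE SHA1Update
    reads it, so strlen(accum) == 0 and SHA1 runs over the empty string."""
    accum = _accum(seed, env)
    accum[:] = bytes(512)                      # misplaced memset(accum, 0, 512)
    digest = hashlib.sha1(bytes(accum[:_c_strlen(accum)])).digest()
    return digest[:8]                          # des_random_seed uses only 8 bytes


def seed_material_fixed(seed: int, env: dict = ENV) -> bytes:
    """Ordering after the 20000622 fix: hash first, then scrub the buffer."""
    accum = _accum(seed, env)
    digest = hashlib.sha1(bytes(accum[:_c_strlen(accum)])).digest()
    accum[:] = bytes(512)                      # memset moved after use
    return digest[:8]


def is_seed_dependent(fn) -> bool:
    """True if different secret seeds and environments yield different material."""
    other_env = dict(ENV, pid=99, tv_usec=1, hname="other.example")
    return fn(0x0123456789ABCDEF) != fn(0x7EDCBA9876543210, other_env)


if __name__ == "__main__":
    print("buggy :", seed_material_buggy(1).hex(), seed_material_buggy(2).hex())
    print("fixed :", seed_material_fixed(1).hex(), seed_material_fixed(2).hex())
    print("buggy seed-dependent?", is_seed_dependent(seed_material_buggy))
    print("fixed seed-dependent?", is_seed_dependent(seed_material_fixed))
```

With the buggy ordering every host, process and KDC key produces the same 8 bytes (the prefix of SHA1 of the empty string), which is why keys generated without /dev/urandom must be regenerated.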

Fortunately, if /dev/urandom is present and can be read,
des_new_random_key will use it instead of the DES-based random number
generator, and is thus not vulnerable.

Solutions and Workarounds

NetBSD-current since 20000622 is not vulnerable.  Systems running
NetBSD-current should be upgraded to a source tree later than
20000622.  You should ensure that you are building libdes as a symlink
to libcrypto, from the "lib/libdes" directory in the source tree
rather than from "domestic" or "crypto-us", which are obsolete.

If an upgrade is not possible, a very quick workaround is to ensure
that /dev/urandom is present and functioning on your system.  It is
important to confirm not just that the /dev/urandom device node
exists, but also that it is readable by all users and that the kernel
random number driver is in fact present in the running kernel.

To verify, as an unprivileged user, type:

	dd if=/dev/urandom of=/dev/null bs=64 count=1

at a shell prompt.  If the output of dd starts with the following, your system
is not vulnerable:

	1+0 records in
	1+0 records out

If it is not possible to patch your source tree, it is imperative that
you ensure that future kernels always include the random number generator,
or your system will become vulnerable; make sure that

	pseudo-device rnd

is present and not commented out in your kernel configuration file.
You then need to rebuild, install the newly built kernel, and
reboot. For more information on how to do this, see:


If neither approach is feasible, the following patch can be applied to
src/crypto-us/lib/libdes/rnd_keys.c in a vulnerable source
distribution of NetBSD to correct the problem:

- - --- rnd_keys.c  1999/07/30 19:41:06     1.5
+++ rnd_keys.c  2000/06/22 00:01:26
@@ -75,12 +75,12 @@
   snprintf(accum, 512, "%ld%ld%d%s%d%qd", when.tv_sec, when.tv_usec,
                                     getpid(), hname, getuid(), *seed);
- - -  memset(accum, 0, 512);
- - - 
   SHA1Update(&sha, (u_char *)accum, strlen(accum));
   SHA1Final(results, &sha);
+  memset(accum, 0, 512);
   des_random_seed(results);    /* XXX uses only first 8 bytes! */
   memset(results, 0, 20);
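Review bot: the relocated `+  memset(accum, 0, 512);` now scrubs the buffer only after `SHA1Update(&sha, (u_char *)accum, strlen(accum));` has consumed it, which is the whole fix; with the old placement strlen(accum) returned 0, so the digest never depended on the seed or the environmental data. Worth recording alongside the change: the `/* XXX uses only first 8 bytes! */` comment on des_random_seed means 12 of the 20 SHA1 output bytes are discarded, so even with the fix the state handed to the DES-based generator is at most 64 bits, and `memset(results, 0, 20);` correctly scrubs the digest afterwards.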

Once the patch is applied, build and install a new version of libdes.

If the system in question is a server for kerberos-authenticated
services, you should change the service keys for the system once the
system software is upgraded to include the fixes described above; you
can typically use the ksrvutil command to do this.

Thanks To

Jason Thorpe for noticing the problem while integrating libcrypto into 
the main NetBSD source tree, which involved again replacing libdes.

Revision History

	2000/06/21 - Initial version.

More Information

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-007.txt,v 1.3 2000/06/22 00:51:03 sommerfeld Exp $



--------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.
