Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                        ESB-2008.1068 -- [FreeBSD]
             arc4random(9) predictable sequence vulnerability
                             25 November 2008


        AusCERT Security Bulletin Summary

Product:              arc4random
Publisher:            FreeBSD
Operating System:     FreeBSD
Impact:               Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-5162

Original Bulletin:  

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

FreeBSD-SA-08.11.arc4random                                 Security Advisory
                                                          The FreeBSD Project

Topic:          arc4random(9) predictable sequence vulnerability

Category:       core
Module:         sys
Announced:      2008-11-24
Credits:        Robert Woolley, Mark Murray, Maxim Dounin, Ruslan Ermilov
Affects:        All supported versions of FreeBSD.
Corrected:      2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
                2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
                2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
                2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)
CVE Name:       CVE-2008-5162

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

arc4random(9) is a generic-purpose random number generator based on the
key stream generator of the RC4 cipher.  It is expected to be
cryptographically strong, and used throughout the FreeBSD kernel for a
variety of purposes, some of which rely on its cryptographic strength.
arc4random(9) is periodically reseeded with entropy from the FreeBSD
kernel's Yarrow random number generator, which gathers entropy from a
variety of sources including hardware interrupts.  During the boot
process, additional entropy is provided to the Yarrow random number
generator from userland, helping to ensure that adequate entropy is
present for cryptographic purposes.

II.  Problem Description
When the arc4random(9) random number generator is initialized, there may
be inadequate entropy to meet the needs of kernel systems which rely on
arc4random(9); and it may take up to 5 minutes before arc4random(9) is
reseeded with secure entropy from the Yarrow random number generator.

III. Impact

All security-related kernel subsystems that rely on a quality random
number generator are subject to a wide range of possible attacks for the
300 seconds after boot or until 64k of random data is consumed.  The list

* GEOM ELI providers with onetime keys.  When a provider is configured in
  a way so that it gets attached at the same time during boot (e.g. it
  uses the rc subsystem to initialize) it might be possible for an
  attacker to recover the encrypted data.

* GEOM shsec providers.  The GEOM shsec subsytem is used to split a shared
  secret between two providers so that it can be recovered when both of
  them are present.  This is done by writing the random sequence to one
  of providers while appending the result of the random sequence on the
  other host to the original data.  If the provider was created within the
  first 300 seconds after booting, it might be possible for an attacker
  to extract the original data with access to only one of the two providers
  between which the secret data is split.

* System processes started early after boot may receive predictable IDs.

* The 802.11 network stack uses arc4random(9) to generate initial vectors
  (IV) for WEP encryption when operating in client mode and WEP
  authentication challenges when operating in hostap mode, which may be

* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
  random number generator to produce unpredictable IP packet identifiers,
  initial TCP sequence numbers and outgoing port numbers.  During the
  first 300 seconds after booting, it may be easier for an attacker to
  execute IP session hijacking, OS fingerprinting, idle scanning, or in
  some cases DNS cache poisoning and blind TCP data injection attacks.

* The kernel RPC code uses arc4random(9) to retrieve transaction
  identifiers, which might make RPC clients vulnerable to hijacking

IV.  Workaround

No workaround is available for affected systems.

V.   Solution

NOTE WELL: Any GEOM shsec providers which were created or written to
during the first 300 seconds after booting should be re-created after
applying this security update.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
- - -------------------------------------------------------------------------
  src/UPDATING                                             1.416.
  src/UPDATING                                            1.416.
  src/UPDATING                                             1.507.
- - -------------------------------------------------------------------------

VII. References


The latest revision of this advisory is available at
Version: GnuPG v1.4.9 (FreeBSD)


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967