===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4506
                       NetBSD: Sysctl RNG Key Erasure
                              28 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Sysctl
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-005.txt.asc

--------------------------BEGIN INCLUDED TEXT--------------------

                NetBSD Security Advisory 2019-005
                =================================

Topic:          Sysctl RNG Key Erasure

Version:        NetBSD-current:         affected prior to 2019-11-25
                NetBSD 8*:              affected
                NetBSD 7.2*:            affected
                NetBSD 7.1*:            affected

Severity:       Retroactive disclosure of cryptographic keys until reboot

Fixed:          NetBSD-current:         2019-11-25
                NetBSD-7 branch:        2019-11-25
                NetBSD-8 branch:        2019-11-25
                NetBSD-7 branch:        2019-11-25
                NetBSD-7-2 branch:      2019-11-25
                NetBSD-7-1 branch:      2019-11-25

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

The algorithm used by one of the kernel's cryptographic random number
generation interfaces, the kern.arandom sysctl, failed to erase past
states, and therefore failed to provide what is sometimes called
backtracking resistance or forward secrecy.  Thus, an adversary who
could disclose kernel memory could retroactively predict past outputs
of this random number generator.

Technical Details
=================

The sysctl node kern.arandom is designed to return uniform random bits
fit for use as cryptographic keys.
The libc arc4random(3) function uses kern.arandom to seed userland
pseudorandom number generators, and various applications may use libc
arc4random(3) to generate keys.  The arc4random(3) security model
asserts that:

    An attacker who has seen the library's PRNG state in memory cannot
    predict past outputs.

However, owing to a mistake in the implementation of kern.arandom, an
attacker who has disclosed the kernel PRNG state used by kern.arandom
can predict past outputs of kern.arandom, in violation of the security
property we intended to guarantee.

The problem is limited to kern.arandom, and does not affect
/dev/random, /dev/urandom, or kern.urandom.

Solutions and Workarounds
=========================

Update the kernel to a fixed version and reboot.

To apply a fixed version from a releng build, fetch a fitting
kern-GENERIC.tgz from nyftp.netbsd.org and extract the fixed binaries:

    cd /var/tmp
    ftp https://nyftp.netbsd.org/pub/NetBSD-daily/REL/latest/ARCH/binary/sets/kern-GENERIC.tgz
    cd /
    tar xzpf /var/tmp/kern-GENERIC.tgz

with the following replacements:

    REL   = the release version you are using
    ARCH  = your system's architecture

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

    ARCH     with your architecture (from uname -m), and
    KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:

    # cd src
    # cvs update -d -P sys/kern/subr_cprng.c
    # ./build.sh kernel=KERNCONF
    # mv /netbsd /netbsd.old
    # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
    # shutdown -r now

For more information on how to do this, see:

    https://www.NetBSD.org/docs/guide/en/chap-kernel.html

Thanks To
=========

Taylor `Riastradh' Campbell caused, found, and fixed the bug.

Revision History
================

    2019-11-26    Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

    https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-005.txt.asc

Information about NetBSD and NetBSD security can be found at

    https://www.NetBSD.org/
    https://www.NetBSD.org/Security/

Copyright 2019, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2019-005.txt.asc,v 1.1 2019/11/26 18:35:15 christos Exp $

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration
with AusCERT. The mailing list you are subscribed to is maintained within
your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
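
The backtracking resistance described under Technical Details, as an added example that is not part of the advisory and is not NetBSD's kern.arandom code: two toy SHA-256 generators, one that keeps its key and one that overwrites it on every read, audited for how many past outputs a disclosed state snapshot lets someone recompute. The class names, derivation labels and seed are constructed for illustration.

```python
import hashlib

# Toy model only: not NetBSD's kern.arandom algorithm. Names, labels and the
# seed are constructed for this example.

def _h(key: bytes, label: bytes) -> bytes:
    """One-way derivation step shared by both generators."""
    return hashlib.sha256(key + label).digest()

class NoErasureGen:
    """Fixed key plus counter: past state is never erased."""
    def __init__(self, seed: bytes):
        self.key = hashlib.sha256(seed).digest()
        self.counter = 0

    def read(self) -> bytes:
        out = _h(self.key, self.counter.to_bytes(8, "big"))
        self.counter += 1
        return out

class KeyErasureGen:
    """Every read overwrites the key with a one-way successor."""
    def __init__(self, seed: bytes):
        self.key = hashlib.sha256(seed).digest()

    def read(self) -> bytes:
        out = _h(self.key, b"output")
        self.key = _h(self.key, b"next-key")  # old key is gone after this line
        return out

def recoverable_past_outputs(snapshot: dict, past: list) -> int:
    """Count past outputs derivable from a disclosed state snapshot."""
    labels = [b"output", b"next-key"]
    labels += [i.to_bytes(8, "big") for i in range(len(past) + 1)]
    derivable = {_h(snapshot["key"], label) for label in labels}
    return sum(1 for block in past if block in derivable)

def audit(gen_cls, seed: bytes = b"constructed seed", reads: int = 4) -> int:
    """Generate `reads` outputs, then model disclosure of the PRNG state."""
    gen = gen_cls(seed)
    past = [gen.read() for _ in range(reads)]
    return recoverable_past_outputs(dict(vars(gen)), past)

if __name__ == "__main__":
    print("no erasure :", audit(NoErasureGen), "of 4 past outputs recoverable")
    print("key erasure:", audit(KeyErasureGen), "of 4 past outputs recoverable")
```

The audit only tries the derivations this toy defines, so a result of 0 illustrates the property rather than proving it for a real generator.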