Bug#559107: weaknesses in BSD PRNG algorithms
* Petr Salinger:
> If I understand it correctly, the security problem is
> "it allows remote attackers to guess sensitive values such as IP
> fragmentation IDs by observing a sequence of previously generated
> values".
> By default, the next_value is previous_value+1, i.e. unsecure at all.
> It can be enabled to use random (secure) value, the random value is in
> kfreebsd-7 generated by weak X2 algorithm, in kfreebsd-8 by "algorithm
> suggested by Amit Klein".
The state is per-flow. It's not a global counter, right?
> So the options are:
>
> 1) leave it as is (same as native FreeBSD)
> 2) only backport new algorithm to kfreebsd-7
> 3) change default to use random algorithm in both kfreebsd-7 and kfreebsd-8
> 4) backport new algorithm to kfreebsd-7 and change default to use
> random algorithm in both kfreebsd-7 and kfreebsd-8
>
> What prefers the security team ?
I fear that IPv4 is vulnerable no matter what you do. If the
guessable state is global, please switch to (4). A per-flow counter
shouldn't be that problematic.
For IPv6, you should implement (3) or (4) because the 32 bit ID
actually provides some protection against blind spoofing.
Reply to: