
Bug#559107: weaknesses in BSD PRNG algorithms



* Petr Salinger:

> If I understand it correctly, the security problem is
> "it allows remote attackers to guess sensitive values such as IP
> fragmentation IDs by observing a sequence of previously generated
> values".
> By default, the next_value is previous_value+1, i.e. insecure at all.
> It can be enabled to use random (secure) value, the random value is in
> kfreebsd-7 generated by weak X2 algorithm, in kfreebsd-8 by "algorithm
> suggested by Amit Klein".

The state is per-flow.  It's not a global counter, right?

> So the options are:
>
> 1) leave it as is (same as native FreeBSD)
> 2) only backport new algorithm to kfreebsd-7
> 3) change default to use random algorithm in both kfreebsd-7 and kfreebsd-8
> 4) backport new algorithm to kfreebsd-7 and change default to use
>    random algorithm in both kfreebsd-7 and kfreebsd-8
>
> What does the security team prefer?

I fear that IPv4 is vulnerable no matter what you do.  If the
guessable state is global, please switch to (4).  A per-flow counter
shouldn't be that problematic.

For IPv6, you should implement (3) or (4) because the 32-bit ID
actually provides some protection against blind spoofing.
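The distinction the reply turns on (one global counter that any remote observer can extrapolate, versus a per-flow counter, versus a random value) can be checked from captured traffic. The following is an added audit helper, not code from the bug report or from kFreeBSD; the sample observations are constructed, and the flow keys and function names are my own.

```python
# Added example (not from the bug report): classify observed IP IDs as coming
# from a global counter, a per-flow counter, or something unpredictable.
from collections import defaultdict


def _is_counter(ids, bits):
    """True when every ID is previous+1 modulo 2**bits, i.e. the default
    'next_value = previous_value+1' behaviour, wrap-around included."""
    mod = 1 << bits
    return len(ids) > 1 and all((b - a) % mod == 1 for a, b in zip(ids, ids[1:]))


def classify_ipid(observations, bits=16):
    """observations: list of (flow_key, ip_id) in capture order.
    bits: 16 for the IPv4 ID field, 32 for the IPv6 fragment ID.
    Returns 'global-counter', 'per-flow-counter' or 'unpredictable'."""
    all_ids = [ip_id for _, ip_id in observations]
    if _is_counter(all_ids, bits):
        # One shared state across all flows: a remote observer of any traffic
        # can guess the IDs used towards a third party.
        return "global-counter"
    per_flow = defaultdict(list)
    for flow, ip_id in observations:
        per_flow[flow].append(ip_id)
    multi = [ids for ids in per_flow.values() if len(ids) > 1]
    if multi and all(_is_counter(ids, bits) for ids in multi):
        # Predictable only inside a flow the observer already sees.
        return "per-flow-counter"
    return "unpredictable"


# Constructed samples: (flow key, observed ID) in arrival order.
GLOBAL_SAMPLE = [("A", 65534), ("B", 65535), ("A", 0), ("B", 1)]
PER_FLOW_SAMPLE = [("A", 100), ("B", 500), ("A", 101), ("B", 501)]
RANDOM_SAMPLE = [("A", 3412), ("B", 9), ("A", 60001), ("B", 44)]

if __name__ == "__main__":
    for name, sample in [("global", GLOBAL_SAMPLE),
                         ("per-flow", PER_FLOW_SAMPLE),
                         ("random", RANDOM_SAMPLE)]:
        print(name, "->", classify_ipid(sample))
```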