SecurityTracker.com
Category:   Application (Security)  >   OpenSSL
Vendors:   OpenSSL.org
(EnGarde Linux Releases Fix) Re: OpenSSL Uses Potentially Predictable Pseudo-Random Number Generator
SecurityTracker Alert ID:  1001967
SecurityTracker URL:  http://securitytracker.com/id/1001967
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 11 2001
Impact:   Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): up to 0.9.6a
Description:   OpenSSL announced a vulnerability in the cryptographic toolkit's pseudo-random number generator (PRNG) that could allow an attacker to predict future PRNG output.

The pseudo-random number generator (PRNG) in SSLeay/OpenSSL reportedly contains a design error that weakens the function such that it could become predictable.

The PRNG function (source code file crypto/md_rand.c) uses a hash function to update its internal secret state and to generate output. The secret state consists of two items: 1) a chaining variable message digest 'md' that is the output of the hash function, and 2) a large buffer variable 'state' that is accessed circularly and used for storing additional entropy.

When generating output bytes, vulnerable versions of OpenSSL set the 'md' variable to the hash of one half of its previous value (which is also the same half that was used as PRNG output, meaning that it is not a secret value) and some other data, including bytes from 'state'. In addition, the number of bytes used from 'state' depended on the number of bytes requested as PRNG output and could be as small as one, making a brute-force analysis of all possible cases feasible.

These two design flaws make it possible to reconstruct the complete internal PRNG state from the output of one large PRNG request (large enough to gain knowledge of the 'md' variable) followed by enough consecutive 1-byte PRNG requests to cycle through all of 'state'.
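As an added illustration (not code from this page or from OpenSSL), the following Python model reproduces the shape of the md_rand.c output loop described above and contrasts the 0.9.6a update rule with a hardened one. The seed is constructed, and the hardened rule (hash the whole previous digest, always mix in ten 'state' bytes) is my assumption about the corrected design, not a quotation of OpenSSL's patch.

```python
import hashlib

DIGEST = 20          # SHA-1 digest size, md_rand.c's MD_DIGEST_LENGTH
HALF = DIGEST // 2   # feedback half and output half of each digest

class MdRandModel:
    """Toy model of the output loop of ssleay_rand_bytes() in crypto/md_rand.c.
    hardened=False follows the page's description of 0.9.6a: each step hashes only
    the half of the previous digest that was just emitted as output, plus as few as
    one byte of 'state'.  hardened=True is my model of a fixed rule (assumption):
    hash the whole previous digest and always mix in HALF bytes of 'state'."""

    def __init__(self, seed: bytes, hardened: bool):
        # constructed seed; real OpenSSL fills 'state' via RAND_seed()/RAND_add()
        self.state = bytearray((hashlib.sha1(seed).digest() * 52)[:1023])
        self.md = hashlib.sha1(b"md:" + seed).digest()   # chaining digest 'md'
        self.idx = 0                                     # circular index into 'state'
        self.hardened = hardened
        self.log = []   # per step: (digest bytes hashed, state bytes hashed, output)

    def _state_slice(self, n: int) -> bytes:
        return bytes(self.state[(self.idx + i) % len(self.state)] for i in range(n))

    def rand_bytes(self, num: int) -> bytes:
        out = bytearray()
        while num > 0:
            j = min(num, HALF)                  # output bytes produced by this step
            num -= j
            if self.hardened:
                md_in, n_state = self.md, HALF
            else:
                md_in, n_state = self.md[HALF:], j   # the half an observer already saw
            self.md = hashlib.sha1(md_in + self._state_slice(n_state)).digest()
            for i in range(n_state):            # fold the first half back into 'state'
                self.state[self.idx] ^= self.md[i]
                self.idx = (self.idx + 1) % len(self.state)
            out += self.md[HALF:HALF + j]       # hand out the second half
            self.log.append((md_in, n_state, bytes(self.md[HALF:HALF + j])))
        return bytes(out)

def steps_with_known_digest_input(gen: MdRandModel) -> int:
    """Steps whose hashed digest bytes were exactly the previous step's output,
    so the only secret left in that hash input is the 'state' slice."""
    return sum(1 for (_, _, prev_out), (md_in, _, _) in zip(gen.log, gen.log[1:])
               if md_in == prev_out)

def min_state_bytes_mixed(gen: MdRandModel) -> int:
    """Fewest 'state' bytes hashed in any step (1 byte leaves only 256 candidates)."""
    return min(n for _, n, _ in gen.log)

def run_pattern(hardened: bool) -> MdRandModel:
    """One 40-byte request, then twenty 1-byte requests: the request pattern the page describes."""
    gen = MdRandModel(b"constructed seed", hardened)
    gen.rand_bytes(40)
    for _ in range(20):
        gen.rand_bytes(1)
    return gen
```

With the 0.9.6a rule the digest half fed into the next hash is the chunk just handed to the caller and a 1-byte request mixes in a single 'state' byte; with the hardened rule neither holds.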

Impact:   A user could potentially determine future PRNG output, which could enable attacks on any system that relies on that output.
Solution:   EnGarde Linux has released a fix. See the Source Message for the vendor's advisory.
Vendor URL:  www.openssl.org/
Cause:   Randomization error
Underlying OS:   Linux (EnGarde)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 10 2001 OpenSSL Uses Potentially Predictable Pseudo-Random Number Generator



 Source Message Contents

Date:  Tue, 10 Jul 2001 13:55:59 -0400 (EDT)
Subject:  [ESA-20010709-01] OpenSSL PRNG Weakness



+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                   July 09, 2001 |
| http://www.engardelinux.org/                           ESA-20010709-01 |
|                                                                        |
| Package:  openssl                                                      |
| Summary:  There is a design weakness in OpenSSL's PRNG.                |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
--------
  A weakness exists in the pseudo-random number generator (PRNG) in all
  versions of OpenSSL up to and including 0.9.6a.  Given knowledge of
  past results of PRNG queries an attacker can predict future results.


DETAIL
------
  There is a design error in OpenSSL's PRNG which can allow an attacker to
  determine the internal state of the PRNG.  Based on the output of
  several hundred 1-byte PRNG requests an attacker can reconstruct the
  PRNG's internal state and predict future PRNG output.

  The impact of this vulnerability is rather small, as the OpenSSL team
  has described:

    "It is unlikely for applications to request PRNG bytes in a pattern
     allowing for the attack against the OpenSSL PRNG.  Typically,
     applications will request PRNG bytes in larger chunks.
     No application is known to us which is actually vulnerable."

  In any event, we highly recommend that all users upgrade to the latest
  openssl packages as outlined in this advisory.


SOLUTION
--------
  All users should upgrade to the most recent version, as outlined in
  this advisory.

  Guardian Digital recently made available the Guardian Digital Secure
  Update, a means to proactively keep systems secure and manage 
  system software. EnGarde users can automatically update their system
  using the Guardian Digital WebTool secure interface.

  If choosing to manually upgrade this package, updates can be
  obtained from:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh <filename>

  To reload the LIDS configuration, execute the command:

    # /usr/sbin/config_lids.pl

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signature of the updated packages, execute the command:

    # rpm -Kv <filename>


UPDATED PACKAGES
----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

  Source Packages:

    SRPMS/openssl-0.9.6-1.0.14.src.rpm
      MD5 Sum:  420d7e9d0687f313059a64935be6f550

  i386 Binary Packages:

    i386/openssl-0.9.6-1.0.14.i386.rpm
      MD5 Sum:  347000c0645194ab5feb83eb92d2355c

    i386/openssl-devel-0.9.6-1.0.14.i386.rpm
      MD5 Sum:  09125870402b05ad8ab75d74271893a3

    i386/openssl-misc-0.9.6-1.0.14.i386.rpm
      MD5 Sum:  e865af2f976115e92f99a6ce7fd1cb1b

  i686 Binary Packages:

    i686/openssl-0.9.6-1.0.14.i686.rpm
      MD5 Sum:  4d612208e3952bdb375ad36e614abf98

    i686/openssl-devel-0.9.6-1.0.14.i686.rpm
      MD5 Sum:  8a1b228357a1fe51a96aeb9afa3981f2

    i686/openssl-misc-0.9.6-1.0.14.i686.rpm
      MD5 Sum:  1e5eb36c5db32a79dbdfccb3899ae9dc


REFERENCES
----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  Credit for the discovery of this bug goes to:
    Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>

  OpenSSL's Official Web Site:
    http://www.openssl.org/


--------------------------------------------------------------------------
$Id: ESA-20010709-01-openssl,v 1.2 2001/07/10 15:34:45 rwm Exp rwm $
--------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com> 
Copyright 2001, Guardian Digital, Inc.


Copyright 2013, SecurityGlobal.net LLC