SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   OpenSSL Vendors:   OpenSSL.org
(NetBSD Issues Fix) OpenSSL Uses Potentially Predictable Pseudo-Random Number Generator
SecurityTracker Alert ID:  1002276
SecurityTracker URL:  http://securitytracker.com/id/1002276
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 27 2001
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): up to 0.9.6a
Description:   OpenSSL announced a vulnerability in the cryptographic toolkit's pseudo-random number generator (PRNG) that could allow an attacker to predict future PRNG output.

The pseudo-random number generator (PRNG) in SSLeay/OpenSSL reportedly contains a design error that weakens the function such that it could become predictable.

The PRNG function (source code file crypto/md_rand.c) uses a hash function to update its internal secret state and to generate output. The secret state consists of two items: 1) a chaining variable message digest 'md' that is the output of the hash function, and 2) a large buffer variable 'state' that is is accessed circularly and used for storing additional entropy.

When generating output bytes, vulnerable versions of OpenSSL set the 'md' variable to the hash of one half of its previous value (which is also the same half that was used as PRNG output, meaning that it is not a secret value) and some other data, including bytes from 'state'. In addition, the number of bytes used from 'state' depended on the number of bytes requested as PRNG output and could be as small as one, making a brute-force analysis of all possible cases feasible.

These two design flaws make it possible to reconstruct the complete internal PRNG state from the output of one large PRNG request (large enough gain knowledge on the 'md' variable) followed by enough consecutive 1-byte PRNG requests to cycle through all of 'state'.

Impact:   A user could potentially determine future PRNG output, which could lead to an attack of the system using the PRNG output.
Solution:   The vendor has released a fix. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix.
Vendor URL:  www.openssl.org/ (Links to External Site)
Cause:   Randomization error
Underlying OS:  UNIX (NetBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 10 2001 OpenSSL Uses Potentially Predictable Pseudo-Random Number Generator



 Source Message Contents

Subject:  NetBSD Security Advisory 2001-013: OpenSSL PRNG weakness (up to 0.9.6a)


-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2001-013
                 =================================

Topic:		OpenSSL PRNG weakness (up to 0.9.6a)

Version:	NetBSD-current:	source prior to July 10, 2001
		NetBSD 1.5.1:	affected
		NetBSD 1.5:	affected
		pkgsrc:		openssl packages prior to 0.9.6b or 0.9.6nb1

Severity:	attacker can predict sequence of future PRNG outputs

Fixed:		NetBSD-current:		July 10, 2001
		NetBSD-1.5 branch:	July 29, 2001 (1.5.2 includes the fix)
		pkgsrc:			openssl-0.9.6b or openssl-0.9.6nb1

Abstract
========

The OpenSSL libcrypto includes a PRNG (pseudo random number generator)
implementation.  The logic used for PRNG was not strong enough,
and allows attackers to guess the internal state of the PRNG.
Therefore, attackers can predict future PRNG output.


Technical Details
=================

http://www.openssl.org/news/secadv_prng.txt


Solutions and Workarounds
=========================

The problem can be remedied by replacing the libcrypto library,
and recompiling all statically-linked binaries on the system that
use this library.

The following instructions describe how to upgrade your openssl
libraries by updating your source tree and rebuilding and installing
a new version of telnetd(8).


* All NetBSD releases using openssl from pkgsrc:

	If you are using openssl from pkgsrc, upgrade it to either of
	the following packages:
		openssl-0.9.6b or higher
		openssl-0.9.6nb1 (0.9.6 + specific fix for the issue)

	Also, make sure that you upgrade any statically-linked binaries
	in packages and local applications that have been linked with
	libcrypto.


* NetBSD-current:

	Systems running NetBSD-current dated from before 2001-07-10
	should be upgraded to NetBSD-current dated 2001-07-11 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		src/crypto/dist/openssl
		src/lib/libcrypto

	To update from CVS, re-build, and re-install the openssl
	libraries:
		# cd src
		# cvs update -d -P crypto/dist/openssl lib/libcrypto
		# cd lib/libcrypto
		# make cleandir dependall
		# make install

	You also need to upgrade any statically-linked binaries
	that use libcrypto.  Whilst there are no statically-linked
	binaries in the default NetBSD installation that use
	libcrypto, it would be a good idea to run a full build
	(i.e. "make build").


* NetBSD 1.5, 1.5.1:

	Systems running NetBSD 1.5 or 1.5.1 sources dated from
	before 2001-07-29 should be upgraded from NetBSD 1.5.x
	sources dated 2001-07-30 or later.

	NetBSD 1.5.2 is not vulnerable.

	The following source needs to be updated to version 1.2
	or later from the netbsd-1-5 CVS branch:
		crypto/dist/openssl/crypto/rand/md_rand.c

	To update from CVS, re-build, and re-install the openssl
	libraries:
		# cd src
		# cvs update -d -P crypto/dist/openssl/crypto/rand
		# cd lib/libcrypto
		# make cleandir dependall
		# make install


        Alternatively, apply the following patch (with potential offset
        differences):
                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-013-openssl-1.5.patch

	To patch, re-build and re-install the openssl libraries:
		# cd src/crypto/dist/openssl/crypto/rand
		# patch < /path/to/SA2001-013-openssl-1.5.patch
		# cd ../../../../../lib/libcrypto
		# make cleandir dependall
		# make install


	You also need to upgrade any statically-linked binaries
	that use libcrypto.  Whilst there are no statically-linked
	binaries in the default NetBSD installation that use
	libcrypto, it would be a good idea to run a full build
	(i.e. "make build").


Thanks To
=========

Jun-ichiro Hagino for the fix to -current and 1.5

Markku-Juhani O. Saarinen for discovering the problem
in the PRNG and reporting it to the OpenSSL project.


Revision History
================

	2001-08-23	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-013.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2001, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-013.txt,v 1.13 2001/08/23 02:03:23 lukem Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO4RlGD5Ru2/4N2IFAQHJkAP/Su564Mbn4Hl4+pkMh/fWiwtRIAE8aYex
PcfCSW22nPrGpDdMwOPAvQAANCzNIJ2liXn9kzGqjNodOdSKDZ92hw6Yq/hlXhN/
9R5CY3HR7ETFJtXBe3+8X5yqsrdAebDSh6Cz49HU2YxU+IN9idmy/JstNC6Ie69e
U/XVIkv+BGM=
=VRtV
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC