random number generator
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
arc4random(9) is a general-purpose random number generator based on the
key stream generator of the RC4 cipher. It is expected to be
cryptographically strong and is used throughout the FreeBSD kernel for a
variety of purposes, some of which rely on its cryptographic strength.
arc4random(9) is periodically reseeded with entropy from the FreeBSD
kernel's Yarrow random number generator, which gathers entropy from a
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: MyBB <= 1.4.11
Severity: Usage of weak random number generation in password reset
functionality allows predicting the password reset token
and the randomly generated password, which results in
account takeover.
Risk: Critical
Vendor Status: MyBB 1.4.12 was released which partly fixes this
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: BIND: Weak random number generation
Date: August 18, 2007
Bugs: #186556
ID: 200708-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
random that is only known to the email he gets until he reads it.
Using a fresh PHP process for the password reset in combination with the
Keep-Alive attack that is described in the previously mentioned blog
posting, it is however possible for an attacker to look up the 32-bit seed
used to seed the random number generator and from it determine the randomly
generated password.
The seed lookup can be performed by a pre-generated table that is around
60 GB in size, which takes a day to generate (depending on your hardware)
but allows resetting admin passwords in seconds.
Debian-specific: no
CVE Id(s) : CVE-2008-1637
Debian Bug : 490069
Thomas Biege discovered that the upstream fix for the weak random number
generator released in DSA-1544-1 was incomplete: source port
randomization still did not use difficult-to-predict random numbers.
This is corrected in this security update.
Here is the text of the original advisory:
This is Paul Vixie's response on this, when I asked him for verification:
-----
this bug has been reported over and over again for a dozen years. it's
odd to have to keep fixing it-- i fixed it in bind4 and bind8 when theo
de raadt offered me his random number generator to use. bind9 should've
used that same one but apparently didn't. note that with this fix, the
difficulty in poisoning someone's cache rises from "a few tens of seconds"
to "a few minutes". it's a 16-bit field. not a lot of room for
randomness or unpredictability. only DNSSEC, a protocol change, fixes
this problem, which is fundamentally a protocol problem. but since folks
/* The signature, the includes and the gettimeofday() call are inferred from
 * the fragment and the explanation below (cli_rndnum() takes "max" and reads
 * tv.tv_usec); the two lines that matter are the srand() and rand() calls. */
#include <stdlib.h>
#include <time.h>
#include <sys/time.h>

unsigned int cli_rndnum(unsigned int max)
{
    struct timeval tv;

    gettimeofday(&tv, NULL);
    /* reseed on every call from the clock: the seed is guessable */
    srand(tv.tv_usec+clock());
    return rand() % max;
}
As you can see, every time cli_rndnum() is called, the random number generator
is reinitialized with the microsecond component of the current time and an
"approximation of the processor time used by the program" obtained from the
clock() function. This leaves very little randomness in the value returned by
cli_rndnum(): the seed is built from more or less public information that an
attacker can guess with relatively little effort, making it possible to
On 10/31/07, Shane Kerr <Shane_Kerr@isc.org> wrote:
>
> There seem to be two ideas you are presenting here, both intended to imply that
> the developers at ISC are technically incompetent:
>
> 1. Using a pseudo-random number generator should be called "crypto".
>
No, but a pseudo random number generator whose output *should not be
predictable* is a *cryptographic* random number generator, hence
"crypto". Isn't it obvious that a DNS server should generate an
certain kinds of denial-of-service attacks, but it is certainly not "crypto".
Because a lot of techniques in cryptography require good random numbers, it has
been widely studied by cryptographers. Therefore if you want a good
pseudo-random number generator, it is probably a good idea to see what the state
of the art in the cryptography field is. But random number generation is not
"crypto" any more than using a series of bit shift and XOR operations is crypto.
The second issue is much more important.
http://www.debian.org/security/ Florian Weimer
May 13, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : openssl
Vulnerability : predictable random number generator
Problem type : remote
Debian-specific: yes
CVE Id(s) : CVE-2008-0166
Luciano Bello discovered that the random number generator in Debian's
Particularly the following statement is funny, and shows complete lack
of understanding of the terminology and of the problem space:
'ISC would like to assure the Internet community that this is much
less an issue of using "extremely weak crypto" as it has been
described, than the use of a random number generator that did not
provide sufficient randomness.'
My understanding is that they used a pseudo random number generator in
bind9, and when you use a pseudo random number generator (whose
sequence in this case is predictable after observing about a dozen
Ilja van Sprundel discovered that the 'Content-Disposition: attachment'
HTTP header was ignored when 'Content-Type: multipart' was also present.
Under certain circumstances, this could potentially lead to cross-site
scripting attacks. (CVE-2010-1197)
Amit Klein discovered that Firefox did not seed its random number generator
often enough. An attacker could exploit this to identify and track users
across different web sites. (CVE-2008-5913)
Updated packages for Ubuntu 8.04 LTS:
http://www.debian.org/security/ Noah Meyerhans
May 16, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : openssh
Vulnerability : predictable random number generator
Problem type : remote
Debian-specific: yes
CVE Id(s) : CVE-2008-0166
Matt Zimmerman discovered that entries in ~/.ssh/authorized_keys with
http://www.debian.org/security/ Florian Weimer
May 14, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : openssh
Vulnerability : predictable random number generator
Problem type : remote
Debian-specific: yes
CVE Id(s) : CVE-2008-0166
The recently announced vulnerability in Debian's openssl package
Several flaws were discovered in the browser engine of Firefox. If a user
were tricked into viewing a malicious site, a remote attacker could use
PunBB's password reset functionality internally uses mt_rand() to
generate a new password and a new activation link that are both
sent to the user by email.
Unfortunately PunBB initialises the Mersenne Twister random number
generator on every request with a number between 0 and 1,000,000,
derived from the current microsecond. This means there are only
one million possible new passwords and activation links. It
would be possible to brute-force this limited space, but the amount
of time and traffic that would be required is huge.
characters inside the escapeshellcmd() function, which is used to
sanitize user input before its usage in shell commands
(CVE-2008-2051).
* Stefan Esser reported that a short-coming in PHP's algorithm for
seeding the random number generator might allow for predictable
random numbers (CVE-2008-2107, CVE-2008-2108).
* The IMAP extension in PHP uses obsolete c-client API calls making
it vulnerable to buffer overflows as no bounds checking can be done
(CVE-2008-2829).
+------------------------------------------------------------------------+
| Resolution | To mitigate this attack, the two values are now XORed |
| | together. This will increase the entropy to approximately |
| | 2^21, which is far more difficult to predict, especially |
| | given that the random number generator is used for other |
| | purposes in Asterisk, not just manager HTTP session ID |
| | generation. |
| | |
| | Upgrade to SVN revision 104704 or greater, or upgrade to |
| | one of the releases below. That the random number |
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1637
Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses a
weak random number generator to create DNS transaction IDs and UDP
source port numbers. As a result, cache poisoning attacks were
simplified. (CVE-2008-1637)
For the stable distribution (etch), these problems have been fixed in
version 3.1.4-1+etch1.
Ben Laurie of Google's Applied Security team, while working with an
external researcher, Dr. Richard Clayton of the Computer Laboratory,
Cambridge University, found that various OpenID Providers (OPs) had
TLS Server Certificates that used weak keys, as a result of the Debian
Predictable Random Number Generator (CVE-2008-0166).
In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and
the fact that almost all SSL/TLS implementations do not consult CRLs
(currently an untracked issue), this means that it is impossible to
rely on these OPs.
Amit Klein of Trusteer reported that insufficient randomness is used to
calculate the TRXID values and the UDP source port numbers
(CVE-2008-1637). Thomas Biege of SUSE pointed out that a prior fix to
resolve this issue was incomplete, as it did not always enable the
stronger random number generator for source port selection
(CVE-2008-3217).
Impact
======
+------------------------------------------------------------------------+
| Description | The Debian team recently announced that cryptographic |
| | keys generated by their OpenSSL package were created |
| | using a random number generator with predictable |
| | results. This affects Debian's stable and unstable |
| | distributions, as well as Debian-derived systems such as |
| | Ubuntu. See the links in the "Links" section of this |
| | advisory for more information about the vulnerability. |
| | |
Problem:
The htpasswd utility uses predictable salts for the salted algorithms
(Unix-style "CRYPT" and MD5). htpasswd uses the standard C rand()
function to generate "random" salts. In order to use rand(), htpasswd
seeds the random number generator with the srand() function. And that's
where the Apache developers made a critical mistake -- htpasswd
merely uses the time of day (seconds since the Epoch, time(NULL)) to
seed the random number generator.
As a result:
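The three weak-seeding patterns on this page (the cli_rndnum() fragment, PunBB's microsecond-seeded mt_srand(), and htpasswd's time(NULL) seed) share one consequence: the seed lies in a window an attacker can enumerate, so anything derived from the generator can be regenerated without guessing it. The following C program is an added example written for this page, not code from htpasswd, ClamAV or PunBB. It uses the C library's srand()/rand() as a stand-in for whichever generator the original programs called (PHP's mt_rand() differs in algorithm but not in the size of its seed space), mints a 12-character token from a timestamp seed, recovers that seed by brute force over a one-day window, and contrasts it with a token drawn from /dev/urandom. The alphabet, the token length, the window size and the function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Illustration alphabet (assumption): the 64 characters crypt(3) salts use,
 * so each output character carries exactly 6 bits. */
static const char ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
#define NALPHA 64
#define TOKEN_LEN 12   /* assumption: 12 chars = 72 bits of apparent entropy */

/* The weak pattern common to htpasswd, cli_rndnum() and PunBB: every output
 * is a pure function of one seed. Nothing else enters the computation. */
void token_from_seed(unsigned int seed, char out[TOKEN_LEN + 1])
{
    srand(seed);
    for (int i = 0; i < TOKEN_LEN; i++)
        out[i] = ALPHABET[rand() % NALPHA];
    out[TOKEN_LEN] = '\0';
}

/* How the vulnerable programs call it: seed = current time. The seed is not
 * a secret; it is the timestamp an attacker can read off the reset e-mail. */
void weak_token(char out[TOKEN_LEN + 1])
{
    token_from_seed((unsigned int)time(NULL), out);
}

/* Attacker side. The seed lies in a small window: timestamps around the
 * issue time for time(NULL), 0..999999 for a microsecond seed. Re-run the
 * victim's derivation for every candidate and compare. Returns the matching
 * seed, or -1 if no seed in [lo, hi] reproduces the observed token. */
long long recover_seed(const char *observed, unsigned int lo, unsigned int hi)
{
    char cand[TOKEN_LEN + 1];
    if (lo > hi)
        return -1;
    for (unsigned int s = lo; ; s++) {
        token_from_seed(s, cand);
        if (strcmp(cand, observed) == 0)
            return (long long)s;
        if (s == hi)            /* checked after the body so hi itself is tried */
            break;              /* and s++ never wraps past UINT_MAX */
    }
    return -1;
}

/* The fix: no seed at all. Bytes come from the kernel CSPRNG; 256 % 64 == 0,
 * so masking to 6 bits is unbiased. Returns 0 on success, -1 if /dev/urandom
 * cannot be read (the caller must then refuse to issue a token rather than
 * fall back to rand()). */
int strong_token(char out[TOKEN_LEN + 1])
{
    unsigned char buf[TOKEN_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (n != sizeof buf)
        return -1;
    for (int i = 0; i < TOKEN_LEN; i++)
        out[i] = ALPHABET[buf[i] & 63];
    out[TOKEN_LEN] = '\0';
    return 0;
}

int main(void)
{
    char tok[TOKEN_LEN + 1], strong[TOKEN_LEN + 1];
    unsigned int issued = (unsigned int)time(NULL);  /* victim mints a token now */
    token_from_seed(issued, tok);

    /* Attacker knows only that the token was issued some time today. */
    long long found = recover_seed(tok, issued - 86400u, issued + 60u);
    printf("weak token   %s  seed recovered: %lld (actual %u)\n",
           tok, found, issued);

    if (strong_token(strong) == 0)
        printf("strong token %s  (no seed exists to recover)\n", strong);
    return 0;
}
```

Compile with `cc -O2 seedsearch.c` and run it. The search over 86,400 seeds finishes in milliseconds; PunBB's case is the same loop over 0..999999, and the MyBB attack described above is the same search precomputed once for every 32-bit seed and stored as a lookup table. Note what the fix is not: a better-chosen seed for rand() would not help, because rand()'s output remains a function of its seed and a token that must be unguessable has to be drawn from a CSPRNG directly.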