—–BEGIN PGP SIGNED MESSAGE—–

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgende Warnung des FreeBSD Security
Officers.Wir geben diese Informationen unveraendert an Sie weiter.

CVE-2008-5162 – Unzureichende Entropie fuer den arc4random(9)
Zufallszahlengenerator

Beim Booten des Systems wird der arc4random(9) Zufallszahlengenerator
nicht mit genug Entropie versorgt, so dass die erzeugten Zufallszahlen
vorhersagbar sind. Dieser Zustand haelt ca. 5 Minuten oder bis 64KB an
Zufallszahlendaten verbraucht sind an, dann wird genug Entropie ueber
den Yarrow Zufallszahlengenerator bereitgestellt.

Der arc4random(9) Zufallszahlengenerator basiert auf dem Key Stream
Generator des RC4 Algorithmus und wird an verschiedenen Stellen des
FreeBSD Kernels verwendet, u.a. die GEOM ELI und GEOM shsec Provider,
die Erzeugung von Prozess IDs waehrend der ersten 5 Minuten nach dem
Booten, die Erzeugung von Initialisierungsvektoren fuer WEP
Verschluesselung, IP IDs fuer IPv4 und IPv6, TCP Initial Sequence
Numbers, Quellportnummern fuer TCP und UDP und Transaction IDs fuer
RPC Routinen des Kernels.

Angreifer koennen diese Schwachstelle dazu ausnutzen, die
Verschluesselung zu brechen und so an vertrauliche Daten gelangen bzw.
diese manipulieren sowie Session Hijacking Angriffe durchzufuehren und
dabei uebertragene Daten zu veraendern.

Betroffen sind die folgenden Software Pakete und Plattformen:

Paket sys

FreeBSD Versionen vor den folgenden Erscheinungsdaten
2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

Hersteller Advisory:
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:11.arc4random.asc

(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
Klaus Moeller, DFN-CERT

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-08.11.arc4random Security Advisory
The FreeBSD Project

Topic: arc4random(9) predictable sequence vulnerability

Category: core
Module: sys
Announced: 2008-11-24
Credits: Robert Woolley, Mark Murray, Maxim Dounin, Ruslan Ermilov
Affects: All supported versions of FreeBSD.
Corrected: 2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)
CVE Name: CVE-2008-5162

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I. Background

arc4random(9) is a generic-purpose random number generator based on the
key stream generator of the RC4 cipher. It is expected to be
cryptographically strong, and used throughout the FreeBSD kernel for a
variety of purposes, some of which rely on its cryptographic strength.
arc4random(9) is periodically reseeded with entropy from the FreeBSD
kernel’s Yarrow random number generator, which gathers entropy from a
variety of sources including hardware interrupts. During the boot
process, additional entropy is provided to the Yarrow random number
generator from userland, helping to ensure that adequate entropy is
present for cryptographic purposes.

II. Problem Description

When the arc4random(9) random number generator is initialized, there may
be inadequate entropy to meet the needs of kernel systems which rely on
arc4random(9); and it may take up to 5 minutes before arc4random(9) is
reseeded with secure entropy from the Yarrow random number generator.

III. Impact

All security-related kernel subsystems that rely on a quality random
number generator are subject to a wide range of possible attacks for the
300 seconds after boot or until 64k of random data is consumed. The list
includes:

* GEOM ELI providers with onetime keys. When a provider is configured in
a way so that it gets attached at the same time during boot (e.g. it
uses the rc subsystem to initialize) it might be possible for an
attacker to recover the encrypted data.

* GEOM shsec providers. The GEOM shsec subsytem is used to split a shared
secret between two providers so that it can be recovered when both of
them are present. This is done by writing the random sequence to one
of providers while appending the result of the random sequence on the
other host to the original data. If the provider was created within the
first 300 seconds after booting, it might be possible for an attacker
to extract the original data with access to only one of the two providers
between which the secret data is split.

* System processes started early after boot may receive predictable IDs.

* The 802.11 network stack uses arc4random(9) to generate initial vectors
(IV) for WEP encryption when operating in client mode and WEP
authentication challenges when operating in hostap mode, which may be
insecure.

* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
random number generator to produce unpredictable IP packet identifiers,
initial TCP sequence numbers and outgoing port numbers. During the
first 300 seconds after booting, it may be easier for an attacker to
execute IP session hijacking, OS fingerprinting, idle scanning, or in
some cases DNS cache poisoning and blind TCP data injection attacks.

* The kernel RPC code uses arc4random(9) to retrieve transaction
identifiers, which might make RPC clients vulnerable to hijacking
attacks.

IV. Workaround

No workaround is available for affected systems.

V. Solution

NOTE WELL: Any GEOM shsec providers which were created or written to
during the first 300 seconds after booting should be re-created after
applying this security update.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch c) Recompile your kernel as described in and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
– – ————————————————————————-
RELENG_6
src/sys/dev/random/randomdev.c 1.59.2.2
src/sys/dev/random/randomdev_soft.c 1.11.2.3
RELENG_6_4
src/UPDATING 1.416.2.40.2.2
src/sys/dev/random/randomdev.c 1.59.2.1.8.2
src/sys/dev/random/randomdev_soft.c 1.11.2.2.6.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.11
src/sys/conf/newvers.sh 1.69.2.15.2.10
src/sys/dev/random/randomdev.c 1.59.2.1.6.1
src/sys/dev/random/randomdev_soft.c 1.11.2.2.4.1
RELENG_7
src/sys/dev/random/randomdev.c 1.61.2.1
src/sys/dev/random/randomdev_soft.c 1.15.2.1
RELENG_7_0
src/UPDATING 1.507.2.3.2.10
src/sys/conf/newvers.sh 1.72.2.5.2.10
src/sys/dev/random/randomdev.c 1.61.4.1
src/sys/dev/random/randomdev_soft.c 1.15.4.1
– – ————————————————————————-

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5162

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:11.arc4random.asc
– —–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkkq550ACgkQFdaIBMps37K3SwCfcj0iiFxH2tljR1N7/qhXWiW1
N/cAoIjgcsh6sZG/upobud4TVme9QJPf
=SKuK
– —–END PGP SIGNATURE—–

– —
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrase 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatische Warnmeldungen https://www.cert.dfn.de/autowarn
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBSSv9YkhXCWfrVVdXAQH9NggAlW5RnWoxWm+9TlmzcS2gtQd0QGQNamS2
aqdtPk86N37IFG2qHWkzn1qdFRmgXg2WxrOd5IuIM5JwwOaMZE59GL/AyiVH4hjq
WfmHo4G1c8J7XB8htSAc+raxh45N67VCRhR+pWKjwtJIUuWiBMyhFkciv6ZJu70O
eO84DwwSAHL3E5/3U4P4CAh9BibaBfLZkD4amDjNHdV892esS9MAiIbaflOYgVn4
9/YabTB8elKq9+ANprYHjIsOpVN7fPuxP54gU7MQSfbLAgLdKdFMApV5lHt/tdbB
W4HI0+FbGPiabpvgwCjT0/YgzpLDnFGFI53H5tQuT1eNooLefzgqFA==
=pawX
—–END PGP SIGNATURE—–

—–BEGIN PGP SIGNED MESSAGE—–

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgende Warnung des FreeBSD Security
Officers.Wir geben diese Informationen unveraendert an Sie weiter.

CVE-2008-5162 – Unzureichende Entropie fuer den arc4random(9)
Zufallszahlengenerator

Beim Booten des Systems wird der arc4random(9) Zufallszahlengenerator
nicht mit genug Entropie versorgt, so dass die erzeugten Zufallszahlen
vorhersagbar sind. Dieser Zustand haelt ca. 5 Minuten oder bis 64KB an
Zufallszahlendaten verbraucht sind an, dann wird genug Entropie ueber
den Yarrow Zufallszahlengenerator bereitgestellt.

Der arc4random(9) Zufallszahlengenerator basiert auf dem Key Stream
Generator des RC4 Algorithmus und wird an verschiedenen Stellen des
FreeBSD Kernels verwendet, u.a. die GEOM ELI und GEOM shsec Provider,
die Erzeugung von Prozess IDs waehrend der ersten 5 Minuten nach dem
Booten, die Erzeugung von Initialisierungsvektoren fuer WEP
Verschluesselung, IP IDs fuer IPv4 und IPv6, TCP Initial Sequence
Numbers, Quellportnummern fuer TCP und UDP und Transaction IDs fuer
RPC Routinen des Kernels.

Angreifer koennen diese Schwachstelle dazu ausnutzen, die
Verschluesselung zu brechen und so an vertrauliche Daten gelangen bzw.
diese manipulieren sowie Session Hijacking Angriffe durchzufuehren und
dabei uebertragene Daten zu veraendern.

Betroffen sind die folgenden Software Pakete und Plattformen:

Paket sys

FreeBSD Versionen vor den folgenden Erscheinungsdaten
2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

Hersteller Advisory:
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:11.arc4random.asc

(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
Klaus Moeller, DFN-CERT

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-08.11.arc4random Security Advisory
The FreeBSD Project

Topic: arc4random(9) predictable sequence vulnerability

Category: core
Module: sys
Announced: 2008-11-24
Credits: Robert Woolley, Mark Murray, Maxim Dounin, Ruslan Ermilov
Affects: All supported versions of FreeBSD.
Corrected: 2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)
CVE Name: CVE-2008-5162

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I. Background

arc4random(9) is a generic-purpose random number generator based on the
key stream generator of the RC4 cipher. It is expected to be
cryptographically strong, and used throughout the FreeBSD kernel for a
variety of purposes, some of which rely on its cryptographic strength.
arc4random(9) is periodically reseeded with entropy from the FreeBSD
kernel’s Yarrow random number generator, which gathers entropy from a
variety of sources including hardware interrupts. During the boot
process, additional entropy is provided to the Yarrow random number
generator from userland, helping to ensure that adequate entropy is
present for cryptographic purposes.

II. Problem Description

When the arc4random(9) random number generator is initialized, there may
be inadequate entropy to meet the needs of kernel systems which rely on
arc4random(9); and it may take up to 5 minutes before arc4random(9) is
reseeded with secure entropy from the Yarrow random number generator.

III. Impact

All security-related kernel subsystems that rely on a quality random
number generator are subject to a wide range of possible attacks for the
300 seconds after boot or until 64k of random data is consumed. The list
includes:

* GEOM ELI providers with onetime keys. When a provider is configured in
a way so that it gets attached at the same time during boot (e.g. it
uses the rc subsystem to initialize) it might be possible for an
attacker to recover the encrypted data.

* GEOM shsec providers. The GEOM shsec subsytem is used to split a shared
secret between two providers so that it can be recovered when both of
them are present. This is done by writing the random sequence to one
of providers while appending the result of the random sequence on the
other host to the original data. If the provider was created within the
first 300 seconds after booting, it might be possible for an attacker
to extract the original data with access to only one of the two providers
between which the secret data is split.

* System processes started early after boot may receive predictable IDs.

* The 802.11 network stack uses arc4random(9) to generate initial vectors
(IV) for WEP encryption when operating in client mode and WEP
authentication challenges when operating in hostap mode, which may be
insecure.

* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
random number generator to produce unpredictable IP packet identifiers,
initial TCP sequence numbers and outgoing port numbers. During the
first 300 seconds after booting, it may be easier for an attacker to
execute IP session hijacking, OS fingerprinting, idle scanning, or in
some cases DNS cache poisoning and blind TCP data injection attacks.

* The kernel RPC code uses arc4random(9) to retrieve transaction
identifiers, which might make RPC clients vulnerable to hijacking
attacks.

IV. Workaround

No workaround is available for affected systems.

V. Solution

NOTE WELL: Any GEOM shsec providers which were created or written to
during the first 300 seconds after booting should be re-created after
applying this security update.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch c) Recompile your kernel as described in and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
– – ————————————————————————-
RELENG_6
src/sys/dev/random/randomdev.c 1.59.2.2
src/sys/dev/random/randomdev_soft.c 1.11.2.3
RELENG_6_4
src/UPDATING 1.416.2.40.2.2
src/sys/dev/random/randomdev.c 1.59.2.1.8.2
src/sys/dev/random/randomdev_soft.c 1.11.2.2.6.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.11
src/sys/conf/newvers.sh 1.69.2.15.2.10
src/sys/dev/random/randomdev.c 1.59.2.1.6.1
src/sys/dev/random/randomdev_soft.c 1.11.2.2.4.1
RELENG_7
src/sys/dev/random/randomdev.c 1.61.2.1
src/sys/dev/random/randomdev_soft.c 1.15.2.1
RELENG_7_0
src/UPDATING 1.507.2.3.2.10
src/sys/conf/newvers.sh 1.72.2.5.2.10
src/sys/dev/random/randomdev.c 1.61.4.1
src/sys/dev/random/randomdev_soft.c 1.15.4.1
– – ————————————————————————-

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5162

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:11.arc4random.asc
– —–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkkq550ACgkQFdaIBMps37K3SwCfcj0iiFxH2tljR1N7/qhXWiW1
N/cAoIjgcsh6sZG/upobud4TVme9QJPf
=SKuK
– —–END PGP SIGNATURE—–

– —
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrase 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatische Warnmeldungen https://www.cert.dfn.de/autowarn
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBSSv9YkhXCWfrVVdXAQH9NggAlW5RnWoxWm+9TlmzcS2gtQd0QGQNamS2
aqdtPk86N37IFG2qHWkzn1qdFRmgXg2WxrOd5IuIM5JwwOaMZE59GL/AyiVH4hjq
WfmHo4G1c8J7XB8htSAc+raxh45N67VCRhR+pWKjwtJIUuWiBMyhFkciv6ZJu70O
eO84DwwSAHL3E5/3U4P4CAh9BibaBfLZkD4amDjNHdV892esS9MAiIbaflOYgVn4
9/YabTB8elKq9+ANprYHjIsOpVN7fPuxP54gU7MQSfbLAgLdKdFMApV5lHt/tdbB
W4HI0+FbGPiabpvgwCjT0/YgzpLDnFGFI53H5tQuT1eNooLefzgqFA==
=pawX
—–END PGP SIGNATURE—–