
Security

Holes in the Linux random number generator?

May 24, 2006

This article was contributed by Jake Edge.

Eye-catching headlines are seen every day on the web, but a headline should not distort the contents of the article it announces. A recent SecuriTeam article is headlined "Holes in the Linux Random Number Generator", but that title overstates the actual contents of the paper (PDF) it announces.

The three authors of the paper provide a nicely detailed description of the Linux random number generator (RNG) and the algorithms it uses, while also reporting a highly theoretical attack. The attack targets the "forward security" of the RNG and requires a single compromise of the contents of the entropy pool. That captured state can be used to run the RNG algorithm in reverse and recover previous states of the pool; doing this enough times can recover keys that were generated earlier.

There are a number of reasons why this attack is considered to have little impact on real-world systems. The most obvious is that an attacker who can read the state of the entropy pool has already broken the security of the system and can, as root, do any number of other things to it. If recovering previously generated keys is the object of the attack, the paper outlines ways to do that, but the processing requirements are enormous, as Ted Ts'o points out:

To put this in perspective, generating a 1024 bit RSA key will require approximately 14 turns of the crank, so if you are lucky with the positioning of the index *and* you penetrate the machine and capture the state of the pool (which as I mentioned, probably means you've rooted the box and the system will probably have to be reinstalled from trusted media anyway), *and* a 1024-bit RSA key had just been generated, you would be able to determine that 1024-bit RSA key with a work factor of approximately O(2**68) if you are lucky (probability 1 in 8), and O(2**96) if you are not.

The paper also describes a well-known feature of the Linux RNG implementation as if it were a newly discovered denial of service issue. The /dev/random device was specifically designed to block when the entropy pool has insufficient entropy to satisfy the request. The /dev/urandom device is provided as an alternative that generates very good random numbers and does not block (and is therefore not vulnerable to this denial of service). For all but the most sensitive applications (key generation being the obvious exception), /dev/urandom is the recommended source of random numbers. Alan Cox sums up the situation nicely:

The denial of service when no true entropy exists is intentional and long discussed. User consumption of entropy can be controlled by conventional file permissions, acls and SELinux already, or by a policy daemon or combinations thereof. It is clearly better to refuse to give out entropy to people than to give false entropy.

The paper has sparked an interesting discussion on the linux-kernel mailing list and has led to some concrete suggestions for improving the algorithm, but it would be an exaggeration to conclude that the paper describes real-world Linux security concerns. An administrator or security professional reading the SecuriTeam headline might easily be led astray.


New vulnerabilities

awstats: missing input sanitizing

Package(s): awstats    CVE #(s): CVE-2006-2237
Created: May 19, 2006    Updated: June 20, 2006
Description: Hendrik Weimer discovered that specially crafted web requests can cause awstats, a powerful and featureful web server log analyzer, to execute arbitrary commands.
Alerts:
SuSE SUSE-SA:2006:033 awstats 2006-06-20
Ubuntu USN-290-1 awstats 2006-06-08
Gentoo 200606-06 awstats 2006-06-07
Debian DSA-1075-1 awstats 2006-05-26
Ubuntu USN-285-1 awstats 2006-05-23
Debian DSA-1058-1 awstats 2006-05-18


cscope: buffer overflows

Package(s): cscope    CVE #(s): CVE-2004-2541
Created: May 22, 2006    Updated: June 19, 2009
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.
Alerts:
CentOS CESA-2009:1102 cscope 2009-06-19
CentOS CESA-2009:1101 cscope 2009-06-16
Red Hat RHSA-2009:1102-01 cscope 2009-06-15
Red Hat RHSA-2009:1101-01 cscope 2009-06-15
Gentoo 200606-10 cscope 2006-06-11
Debian DSA-1064-1 cscope 2006-05-19


dia: format string vulnerabilities

Package(s): dia    CVE #(s): CVE-2006-2453 CVE-2006-2480
Created: May 24, 2006    Updated: June 8, 2006
Description: The dia drawing utility suffers from several format string vulnerabilities exploitable via a maliciously crafted dia file - or a file with a well-chosen name.
Alerts:
Gentoo 200606-03 dia 2006-06-07
SuSE SUSE-SR:2006:012 mysql, Sun Java, dia, ruby, NetworkManager, libextractor 2006-06-02
Red Hat RHSA-2006:0541-02 Dia 2006-06-01
Mandriva MDKSA-2006:093 dia 2006-05-30
Fedora FEDORA-2006-580 dia 2006-05-24
Ubuntu USN-286-1 dia 2006-05-24


hostapd: insufficient boundary checks

Package(s): hostapd    CVE #(s): CVE-2006-2213
Created: May 22, 2006    Updated: May 25, 2006
Description: Matteo Rosi and Leonardo Maccari discovered that hostapd, a wifi network authenticator daemon, performs insufficient boundary checks on a key length value, which might be exploited to crash the service.
Alerts:
Mandriva MDKSA-2006:088 hostapd 2006-05-24
Debian DSA-1065-1 hostapd 2006-05-19


kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2006-1859 CVE-2006-1860
Created: May 19, 2006    Updated: May 24, 2006
Description: Memory leak in __setlease in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (memory consumption) via unspecified actions related to an "uninitialized return value," aka "slab leak."

lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (fcntl_setlease lockup) via actions that cause lease_init to free a lock that might not have been allocated on the stack.

Alerts:
rPath rPSA-2006-0079-1 kernel 2006-05-23
Fedora FEDORA-2006-573 kernel 2006-05-21
Fedora FEDORA-2006-572 kernel 2006-05-21
Trustix TSLSA-2006-0028 kernel, mysql 2006-05-19


kernel-patch-vserver: privilege escalation

Package(s): kernel-patch-vserver    CVE #(s): CVE-2006-2110
Created: May 22, 2006    Updated: May 24, 2006
Description: Jan Rekorajski discovered that the kernel patch for virtual private servers does not limit context capabilities to the root user within the virtual server, which might lead to privilege escalation for some virtual server specific operations.
Alerts:
Debian DSA-1060-1 kernel-patch-vserver 2006-05-19


kphone: insecure file creation

Package(s): kphone    CVE #(s): CVE-2006-2442
Created: May 22, 2006    Updated: May 25, 2006
Description: Sven Dreyer discovered that KPhone, a Voice over IP client for KDE, creates a configuration file world-readable, which could leak sensitive information like SIP passwords.
Alerts:
Mandriva MDKSA-2006:089 kphone 2006-05-24
Debian DSA-1062-1 kphone 2006-05-19


libextractor: heap-based buffer overflows

Package(s): libextractor    CVE #(s): CVE-2006-2458
Created: May 22, 2006    Updated: May 31, 2006
Description: Luigi Auriemma has found two heap-based buffer overflows in libextractor 0.5.13 and earlier: one of them occurs in the asf_read_header function in the ASF plugin, and the other occurs in the parse_trak_atom function in the Qt plugin.
Alerts:
Debian DSA-1081-1 libextractor 2006-05-29
Gentoo 200605-14 libextractor 2006-05-21


mpg123: buffer overflows

Package(s): mpg123    CVE #(s): CVE-2006-1655
Created: May 24, 2006    Updated: July 3, 2006
Description: mpg123 does not properly validate MPEG 2.0 layer 3 files, leading to a number of buffer overflow vulnerabilities.
Alerts:
Gentoo 200607-01 mpg123 2006-07-03
Mandriva MDKSA-2006:092 mpg123 2006-05-26
Debian DSA-1074-1 mpg123 2006-05-24


OpenLDAP: boundary error

Package(s): openldap    CVE #(s):
Created: May 23, 2006    Updated: May 24, 2006
Description: According to this Secunia advisory, a weakness exists in OpenLDAP which is caused due to a boundary error in slurpd within the handling of the status file. This can be exploited to cause a stack-based buffer overflow via an overly long hostname read from the status file. The weakness has been reported to be in OpenLDAP version 2.3.21 and earlier.
Alerts:
OpenPKG OpenPKG-SA-2006.008 openldap 2006-05-22


phpbb2: missing input sanitizing

Package(s): phpbb2    CVE #(s): CVE-2006-1896
Created: May 22, 2006    Updated: February 11, 2008
Description: It was discovered that phpbb2, a web based bulletin board, insufficiently sanitizes values passed to the "Font Color 3" setting, which might lead to the execution of injected code by admin users.
Alerts:
Debian DSA-1066-1 phpbb2 2006-05-20


phpgroupware: missing input sanitizing

Package(s): phpgroupware    CVE #(s): CVE-2005-2781
Created: May 22, 2006    Updated: May 24, 2006
Description: It was discovered that the Avatar upload feature of FUD Forum, a component of the web based groupware system phpgroupware, does not sufficiently validate uploaded files, which might lead to the execution of injected web script code.
Alerts:
Debian DSA-1063-1 phpgroupware 2006-05-08


popfile: missing input sanitizing

Package(s): popfile    CVE #(s): CVE-2006-0876
Created: May 22, 2006    Updated: May 24, 2006
Description: It has been discovered that popfile, a bayesian mail classifier, can be forced into a crash through malformed character sets within email messages, which allows denial of service.
Alerts:
Debian DSA-1061-1 popfile 2006-05-19


postgresql: SQL injection

Package(s): postgresql    CVE #(s): CVE-2006-2313 CVE-2006-2314
Created: May 24, 2006    Updated: June 6, 2007
Description: The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash.
Alerts:
Fedora FEDORA-2007-0249 php-pear-DB 2007-06-06
Trustix TSLSA-2006-0059 postgresql 2006-10-27
Gentoo 200607-04 postgresql 2006-07-09
SuSE SUSE-SA:2006:030 postgresql 2006-06-09
Ubuntu USN-288-3 dovecot, exim4, postfix 2006-06-09
Ubuntu USN-288-2 postgresql-8.1 2006-06-09
Mandriva MDKSA-2006:098 postgresql 2006-06-07
Debian DSA-1087-1 postgresql 2006-06-03
Ubuntu USN-288-1 postgresql 2006-05-29
rPath rPSA-2006-0080-1 postgresql 2006-05-24
Red Hat RHSA-2006:0526-02 postgresql 2006-05-23
Fedora FEDORA-2006-578 postgresql 2006-05-23
Fedora FEDORA-2006-579 postgresql 2006-05-23
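The PostgreSQL entry above describes two client-side rules that survive the update: a literal containing an invalid multi-byte sequence must be rejected rather than escaped, and single quotes are escaped by doubling them, not by a backslash. The C code below is an added example written for this page; it is not code from PostgreSQL, from the advisory, or from any client library. It applies both rules bytewise to UTF-8 input. The reason quote doubling works in a byte-oriented escaper while backslash insertion does not is that the quote byte 0x27 is never the trailing byte of a multi-byte character in the encodings PostgreSQL accepts, whereas 0x5C (backslash) can be, for example in SJIS and BIG5, so an escaper and the server can disagree about where a character ends. The function names and the sample strings are the example's own.

```c
/* Added example, not from PostgreSQL or the advisory: validate a literal's
 * multi-byte encoding, then escape it by quote doubling. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if s[0..n) is well-formed UTF-8 (no truncated, overlong or
 * surrogate sequences, no stray continuation bytes), else 0. A literal
 * that fails this check is rejected outright: invalid sequences are what
 * let a byte-oriented escaper and the server disagree on character
 * boundaries. */
int utf8_valid(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned char c = s[i];
        size_t need;            /* continuation bytes expected */
        unsigned int min;       /* smallest code point for this length */
        if (c < 0x80) { i++; continue; }
        else if ((c & 0xE0) == 0xC0) { need = 1; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; min = 0x10000; }
        else return 0;          /* stray continuation byte or 0xF8..0xFF */
        if (n - i < need + 1)
            return 0;           /* truncated sequence */
        unsigned int cp = c & (0x3F >> need);
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80)
                return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return 0;           /* overlong, out of range, or surrogate */
        i += need + 1;
    }
    return 1;
}

/* Escape for use inside single quotes by doubling each quote byte.
 * Returns the number of bytes written (excluding the NUL), or -1 if out
 * cannot hold the result. */
long escape_by_doubling(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        size_t need = (*p == '\'') ? 2 : 1;
        if (o + need >= outsz)
            return -1;
        if (*p == '\'')
            out[o++] = '\'';
        out[o++] = *p;
    }
    out[o] = '\0';
    return (long)o;
}

/* Build a quoted SQL string literal: validate, escape, wrap in quotes.
 * Returns 0 on success, -1 on invalid input or insufficient space.
 * Bound parameters avoid the problem entirely and are preferable wherever
 * the client library offers them; this is the fallback for literals. */
int make_sql_literal(const char *in, char *out, size_t outsz)
{
    size_t len = strlen(in);
    if (!utf8_valid((const unsigned char *)in, len))
        return -1;
    if (outsz < 3)
        return -1;
    out[0] = '\'';
    long n = escape_by_doubling(in, out + 1, outsz - 2);
    if (n < 0)
        return -1;
    out[1 + n] = '\'';
    out[2 + n] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    /* Constructed sample inputs for the demonstration. */
    const char *ok = "O'Reilly";
    const char *bad = "\xC3(";          /* lead byte followed by a non-continuation byte */
    if (make_sql_literal(ok, buf, sizeof buf) == 0)
        printf("%s -> %s\n", ok, buf);
    printf("invalid multi-byte input %s\n",
           make_sql_literal(bad, buf, sizeof buf) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The validator is written for UTF-8 because that is the encoding most deployments use; the same structure applies to any client encoding, and the essential point is that validation happens before escaping, never after.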


zoo: archive problem

Package(s): bin    CVE #(s):
Created: May 23, 2006    Updated: May 24, 2006
Description: A security problem in zoo's fullpath() function could cause problems if zoo were run in an automated way, or if a user were to open a malicious zoo archive manually.
Alerts:
Slackware SSA:2006-142-02 bin 2006-05-23


Page editor: Jonathan Corbet


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds