Linux random number generation (RNG) is often a source of confusion to developers, but it is also a very integral part of the security of the system. It provides random data to generate cryptographic keys, TCP sequence numbers, and the like, so unpredictability as well as very strong random numbers are required. When someone notices a flaw, or a possible flaw in the RNG, kernel hackers take notice.
Recurring universally unique identifiers (UUIDs), as reported by the smolt hardware profiler client program, had some worried about problems in the kernel RNG. As it turns out, the problem exists in the interaction between Fedora 8 LiveCD installations and smolt – essentially the UUID came from the CD – but it sparked a discussion leading to some possible improvements. Along the way, some common misconceptions about kernel RNG were cleared up.
The kernel gathers information from external sources to provide input to its entropy pool. This pool contains bits that have extremely strong random properties, so long as unpredictable events (inter-keypress timings, mouse movements, disk interrupts, etc.) are sampled. It provides direct access to this pool via the /dev/random device. Reading from that device will provide the strongest random numbers that Linux can offer – depleting the entropy pool. When the entropy pool runs low, reads to /dev/random block until there is sufficient entropy.
The alternative interface, the one that nearly all programs should use, is /dev/urandom. Reading from that device will not block. If sufficient entropy is available, it provides random numbers just as strong as /dev/random; if not, it uses the SHA cryptographic hash algorithm to generate very strong random numbers. Developers often overestimate how strong their random numbers need to be; they also overestimate how easy "breaking" /dev/urandom would be, which leads to programs that unnecessarily read /dev/random. Ted Ts'o, who wrote the kernel RNG, puts it this way:
There is still a bit of a hole in all of this: how does a freshly installed system, which has seen little or no user interaction yet, get its initial entropy? When Alan Cox and Mike McGrath started describing the smolt problem, the immediate reaction was to look closely at how the entropy pool was being initialized. While that turned out not to be the problem, it did lead Matt Mackall, maintainer of the kernel RNG, to start thinking about better pool initialization. Various ideas about mixing in data specific to the host, like the MAC address and PCI device characteristics, were discussed.
As Ts'o points out, that will help prevent things like UUID collisions, but it doesn't solve the problem of predictability of the random numbers that will be generated by these systems.
Linux provides random numbers suitable for nearly any purpose via /dev/urandom. For the truly paranoid, there is also /dev/random, but developers would do well to forget that device exists for everything but the most critical needs. If one is generating a large key pair, to use for the next century, using some data from /dev/random is probably right. Anything with lower requirements should seriously consider /dev/urandom.
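The usual way a program gets random bytes from the kernel is exactly what the article recommends: open /dev/urandom and read from it. The one thing callers regularly get wrong is treating a single read(2) as guaranteed to fill the buffer; it may return fewer bytes than asked for or be interrupted by a signal. The following is an added example, not code from the article or from the kernel, showing a read loop that handles both cases, plus a hex encoder for printing the result as a key. The function and parameter names (fill_random, to_hex, buffers_differ) are this example's own.

```c
/* Added example (not from the article): drawing key material from the
 * kernel RNG via /dev/urandom, handling short reads and EINTR. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fill buf with n bytes read from the character device at path
 * (normally "/dev/urandom"). Returns 0 on success, -1 on failure with
 * errno set. read(2) may return fewer bytes than requested, so the
 * call is looped until the buffer is full. */
int fill_random(const char *path, unsigned char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;

    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;              /* interrupted by a signal: retry */
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
        if (r == 0) {                  /* EOF never happens on urandom */
            close(fd);
            errno = EIO;
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Encode n bytes as lowercase hex; out must hold 2*n + 1 bytes. */
void to_hex(const unsigned char *in, size_t n, char *out)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * n] = '\0';
}

/* Nonzero if the two buffers differ anywhere. Two independent 32-byte
 * draws from the RNG colliding is not something that happens in
 * practice, so this is a cheap sanity check on a fresh key. */
int buffers_differ(const unsigned char *a, const unsigned char *b, size_t n)
{
    return memcmp(a, b, n) != 0;
}

int main(void)
{
    unsigned char key[32];
    char hex[65];

    if (fill_random("/dev/urandom", key, sizeof key) != 0) {
        perror("/dev/urandom");
        return 1;
    }
    to_hex(key, sizeof key, hex);
    printf("256-bit key: %s\n", hex);
    return 0;
}
```

Because /dev/urandom never blocks, this loop terminates as soon as the kernel has handed over n bytes; pointing the same function at /dev/random would make it stall whenever the entropy pool runs low, which is the behaviour the article is steering developers away from.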
| Package(s): | autofs |
| --- | --- |
| CVE #(s): | CVE-2007-5964 |
| Created: | December 12, 2007 |
| Updated: | January 14, 2008 |
| Description: | Versions of the autofs automounter daemon as shipped by Red Hat (and possibly other distributors) are installed with an insecure configuration; in particular, the "hosts" map lacks the "nosuid" option, allowing an attacker who has control over an NFS server to run setuid programs on vulnerable systems. |
| Alerts: | |

| Package(s): | e2fsprogs |
| --- | --- |
| CVE #(s): | CVE-2007-5497 |
| Created: | December 7, 2007 |
| Updated: | February 12, 2008 |
| Description: | Rafal Wojtczuk of McAfee AVERT Research discovered that e2fsprogs, the ext2 file system utilities and libraries, contained multiple integer overflows in memory allocations, based on sizes taken directly from filesystem information. These could result in heap-based overflows potentially allowing the execution of arbitrary code. |
| Alerts: | |

| Package(s): | emacs |
| --- | --- |
| CVE #(s): | CVE-2007-6109 |
| Created: | December 10, 2007 |
| Updated: | May 6, 2008 |
| Description: | From the National Vulnerability Database: Buffer overflow in emacs allows attackers to have an unknown impact, as demonstrated via a vector involving the command line. |
| Alerts: | |

| Package(s): | emul-linux-x86-qtlibs |
| --- | --- |
| CVE #(s): | |
| Created: | December 10, 2007 |
| Updated: | December 12, 2007 |
| Description: | From the Gentoo advisory: An attacker could trigger one of the vulnerabilities by causing a Qt application to parse specially crafted text or Unicode strings, which may lead to the execution of arbitrary code with the privileges of the user running the application. |
| Alerts: | |

| Package(s): | firebird |
| --- | --- |
| CVE #(s): | CVE-2007-4992, CVE-2007-5246 |
| Created: | December 10, 2007 |
| Updated: | December 12, 2007 |
| Description: | From the Gentoo advisory: Adriano Lima and Ramon de Carvalho Valle reported that the functions isc_attach_database() and isc_create_database() do not perform proper boundary checking when processing their input. A remote attacker could send specially crafted requests to the Firebird server on TCP port 3050, possibly resulting in the execution of arbitrary code with the privileges of the user running Firebird (usually firebird). |
| Alerts: | |

| Package(s): | heimdal |
| --- | --- |
| CVE #(s): | CVE-2007-5939 |
| Created: | December 7, 2007 |
| Updated: | December 12, 2007 |
| Description: | The gss_userok function in appl/ftp/ftpd/gss_userok.c in Heimdal 0.7.2 does not allocate memory for the ticketfile pointer before calling free, which allows remote attackers to have an unknown impact via an invalid username. NOTE: the vulnerability was originally reported for ftpd.c, but this is incorrect. |
| Alerts: | |

| Package(s): | libnfsidmap |
| --- | --- |
| CVE #(s): | CVE-2007-4135 |
| Created: | December 7, 2007 |
| Updated: | December 12, 2007 |
| Description: | The NFSv4 ID mapper (nfsidmap) before 0.17 does not properly handle return values from the getpwnam_r function when performing a username lookup, which can cause it to report a file as being owned by "root" instead of "nobody" if the file exists on the server but not on the client. |
| Alerts: | |

| Package(s): | MySQL |
| --- | --- |
| CVE #(s): | CVE-2007-3781, CVE-2007-5969 |
| Created: | December 11, 2007 |
| Updated: | May 21, 2008 |
| Description: | MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969) MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781) |
| Alerts: | |

| Package(s): | nagios |
| --- | --- |
| CVE #(s): | CVE-2007-5624 |
| Created: | December 7, 2007 |
| Updated: | September 14, 2009 |
| Description: | Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts. |
| Alerts: | |

| Package(s): | phpMyAdmin |
| --- | --- |
| CVE #(s): | CVE-2007-0095 |
| Created: | December 11, 2007 |
| Updated: | September 25, 2008 |
| Description: | phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message. |
| Alerts: | |

| Package(s): | ruby-gnome2 |
| --- | --- |
| CVE #(s): | CVE-2007-6183 |
| Created: | December 7, 2007 |
| Updated: | December 22, 2008 |
| Description: | A format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter. |
| Alerts: | |

| Package(s): | samba |
| --- | --- |
| CVE #(s): | CVE-2007-6015 |
| Created: | December 11, 2007 |
| Updated: | December 3, 2008 |
| Description: | A stack buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. |
| Alerts: | |

| Package(s): | xorg-x11-xfs |
| --- | --- |
| CVE #(s): | |
| Created: | December 10, 2007 |
| Updated: | December 12, 2007 |
| Description: | From the xorg advisory: Several vulnerabilities have been identified in xfs, the X font server. The QueryXBitmaps and QueryXExtents protocol requests suffer from lack of validation of their 'length' parameters. Maliciously crafted requests can cause two different problems with both requests: (1) an integer overflow in the computation of the size of a dynamic buffer can lead to a heap overflow in the build_range() function; (2) an arbitrary number of bytes on the heap can be swapped by the swap_char2b() function. |
| Alerts: | |

| Package(s): | zabbix |
| --- | --- |
| CVE #(s): | CVE-2007-6210 |
| Created: | December 6, 2007 |
| Updated: | December 12, 2007 |
| Description: | Bas van Schaik has found a privilege escalation in the agentd process of the Zabbix network monitor application. Agentd can be used to run user commands under the root account, leading to an escalation of privilege. |
| Alerts: | |

Page editor: Jake Edge
Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds