Security
Python and crypto-strength random numbers by default
There are various types of random number generators (RNGs) that target different use cases, but a programming language can only have one default. For high-security random numbers (e.g. cryptographic keys and the like), it is a grievous error to use the wrong kind of RNG, while other use cases are typically more forgiving. The Python community is in the middle of a debate about how it should be handling random numbers within the language's standard library.
The random module
On the python-ideas mailing list, Guido van Rossum kicked off the discussion by noting that he had been contacted by OpenBSD founder Theo de Raadt about the random.random() RNG that ships with Python. That RNG is based on the Mersenne Twister (MT) algorithm, which is a pseudo-RNG (PRNG) with an enormously long period. The PRNG can either be seeded by the user (with a call to random.seed()) or, by default, it is seeded with 2500 bytes of entropy from the os.urandom() pool (the strong, non-blocking random pool supplied by the operating system). From a given seed, the same sequence of random numbers will be generated, which makes it deterministic.
Using MT-derived random numbers for cryptographic or other security purposes is definitely not recommended by security experts. Given enough output from the RNG, the seed can be recovered, which means that all further random numbers can be perfectly predicted—generally with disastrous results. But for many uses, such as games, testing, or simulations, the random module provides a simple-to-use way to get perfectly adequate random numbers. The Python documentation for the module clearly indicates that it should not be used for security purposes and suggests either os.urandom() or the random.SystemRandom class.
But Van Rossum noted that "as the meme goes -- nobody reads the
docs
", so De Raadt's concern is that people will simply reach for
the default provided by the language—no matter what they are using the
random numbers for. According to Van Rossum, De Raadt is advocating the
arc4random()
RNG that OpenBSD uses (and, in fact, has switched
to by default). Some of that advocacy can be seen in a forwarded email message that Van Rossum
posted. Though De Raadt was invited to participate in the thread,
"he's too
busy
" to do so, which left Van Rossum in a bit of a quandary:
That set off quite a discussion, which now spans four threads in python-ideas.
Donald Stufft responded that
he sees a problem with the current approach, but that he doesn't have any
"great
solution
" for it:
But, as Paul Moore and others pointed out, those with non-security needs for random numbers should be able to expect to access them easily from the standard library. He often uses the random module for games of various sorts, as well as for things like Monte Carlo simulations where millions of results are used. While the reproducibility feature is not particularly important to him, he would expect that a simple API would provide it. People doing crypto or other security programming ought to be looking for an RNG beyond the default:
Steven D'Aprano concurred:
Part of the problem, of course, is that there is a large body of existing code that expects the random module to behave in a certain way. Some of it requires the reproducibility feature and isn't being used for security purposes. Changing the default would break those programs a few years down the road (if the change follows the normal Python deprecation schedule). As Stephen J. Turnbull put it:
Stufft's proposal
That first thread got rather long, so Stufft attempted something of a reboot in a message that was rather long itself. He had talked to De Raadt to try to better understand his concerns, which Stufft said were not being reflected in the earlier thread. He broke down the users of random numbers into three groups: those who need deterministic output (and reproducibility), those who need cryptographic-strength random numbers (and don't want determinism), and those who aren't sure if their use case is security-sensitive or not. The last group generally doesn't need deterministic output, but currently that's what they get by default. It is Stufft's belief (that is shared with De Raadt, he said) that the members of that group would be better served with a crypto-strength RNG.
Those in group #3 might be told to use os.urandom() (or the random.SystemRandom class that is based on it), but they may end up using the standard random functions due to either the performance of the stronger alternative or bad advice (if, indeed, their need is security-sensitive). In fact, Stufft said, the performance of os.urandom() is one of the main reasons not to make it the default:
Stufft looked at StackOverflow and other sites with Python code to see what kinds of advice there was about RNG choices. His post had several snippets of code that used the module-level random functions in dubious ways.
That led him to propose that Python change its random-number handling in several ways. It would provide a means to access a fast user-space RNG like arc4random() and add a new class (random.SomeKindOfRandom) that uses it. The proposal would also move the MT-based RNG to a random.DeterministicRandom class and deprecate the module-level functions in the random module. That would mean that users would (eventually) have to choose the kind of randomness they wanted before they would be able to get random numbers. They would call functions like:
random.SomeKindOfRandom().random()
random.DeterministicRandom().random()
SystemRandom would still be available for those who wanted that
RNG mechanism.
Obviously, SomeKindOfRandom would need a better name, though there
are objections to the whole idea of doing user-space RNG.
Stufft pointed out that security expert Thomas Ptacek is not
in favor of user-space RNGs like arc4random().
As might be guessed, Stufft's suggestions were not met with universal acclaim. There were concerns about backward compatibility and for how today's code could be switched, with minimal changes, to run (correctly) in this new world.
But Nick
Coghlan strongly objected to the idea of
deprecating all of the module-level functions. As he pointed out, nearly
all of the module-level functions could provide any kind of random numbers,
though they need to have good performance.
Making someone choose what type they want, before they can
even get
a random number is "a *huge* regression in Python's usability for
educational use cases
". He said that a common "hello world" kind
of program for using random numbers in Python is to roll a six-side die:
>>> from random import randint
>>> randint(1, 6)
6
He continued:
He noted that there are calls at the module-level that imply the need for a deterministic RNG (like seed() and others that are stateful) and which can be deprecated to help those who really need them to move to an alternative API. Essentially, he is asking that those who don't care about the RNG wars (and those new to Python in particular) be left out—they can still call the functions they call today.
Breaking compatibility "in the name of the public good
" is
the wrong approach, Antoine Pitrou said.
He and others are tired of seeing security trump all other considerations
whenever a topic like this is raised. Since a change like Stufft has
suggested can't fix the problem of bad advice on the internet, compromising
on a change that maintains compatibility is preferable.
Python 3 was there to break compatibility. Not Python 3.4. Not Python 3.5. Not Python 3.6.
(in case you're wondering, trying to make all published code on the Internet secure by appropriately changing the interpreter's "behaviour" to match erroneous expectations - even *documented* as erroneous - is *not* reasonable - no matter how hard you try, there will always be occurrences of broken code that people copy and paste around)
Coghlan's proposals
Coghlan started another thread as something of a "pre-PEP" on enhancing the random module. It would create three types of RNGs in Python: seedable, seedless, and system. The seedless version would be the default and guidance would be provided that those who need deterministic random numbers should use the seeded version, while those with strong security needs should use the system RNG.
Coghlan's proposal lays out plans for Python 3.6, which is likely destined for late 2016 (or early 2017), and for 3.7, which is probably due sometime in 2018—a change of this nature for Python can take a while, for sure. Essentially, his idea is to deprecate the stateful methods and module-level functions (seed(), getstate(), and setstate()), except for the SeedableRandom class. Those functions would warn the user, but not actually cause an error—except if the default type has been changed.
The most controversial part of Coghlan's proposal would provide a random.set_default_instance() function to specify which of the three types would be used by the module-level functions. Both Stufft and D'Aprano are concerned that would allow any module to affect all of the random numbers generated from that point on, potentially nullifying the choice another module has made.
Beyond that, though, Moore would like to see some kind of cost/benefit analysis. He is
trying to remain open-minded, but is concerned about the disruption for
users, particularly those who don't have any security requirements for
their use of random numbers. While he recognizes that it is somewhat
emotionally stated, the benefits to him seem to be: "Users of code
written based on bad advice will be protected from
the consequences (as long as the code runs on a sufficiently new
version of Python)
".
Based on some of that feedback, Coghlan went ahead and drafted PEP 504 that simplifies earlier proposals. It dispenses with the user-space CSPRNG (e.g. arc4random() or something similar) and changes the default to the system RNG (i.e. random.urandom()). If a program uses random.seed() or the other stateful calls (i.e. getstate() or setstate()), the random module will switch to the existing MT-based deterministic PRNG.
He proposes that this be done for 3.6, with a
silent-by-default deprecation warning for the fallback to MT. In 3.7 it
would instead be a visible-by-default runtime warning.
In his announcement of the PEP, he said: "That approach would provide a definite security improvement over the
status quo, while restricting the compatibility break to a performance
regression in applications that use the module level API without
calling seed(), getstate() or setstate().
"
Van Rossum's reaction
But it turns out that Van Rossum is not
particularly happy with that PEP as the end result of the discussion.
He stopped following the "mega-threads
", but doesn't see much
value in changing things:
I am fine with adding more secure ways of generating random numbers. But we already have random.SystemRandom(), so there doesn’t seem to be a hurry?
Though Stufft reiterated his belief that
the existing module "guides you towards using an
insecure source of random numbers rather than a secure one
",
Van Rossum was not impressed with that
argument:
The discussion is continuing at the time of this writing, but there is a
sense that adding access to a fast user-space PRNG, perhaps based
on ChaCha20
(like arc4random()), may be in the offing. A change in the
default would leave some
users and programs behind eventually, but it would seem that most believe users who
require deterministic
random numbers make up a small minority. Van Rossum, though, seems
unconvinced that there is much urgency for a solution. He suggested adding
the new method for 3.6, but waiting "a few releases
" to decide
if any change to the default was warranted. "Security isn't served
well by panicky over-reaction
", he said.
There is plenty of time left in the 3.6 development schedule, so perhaps other proposals and ideas will eventually win the day. But with Van Rossum firmly opposed to the changes that have been proposed so far, a big change seems unlikely for 3.6. Only time will tell.
Brief items
Security quotes of the week
FBI Director James Comey referred to the backlash against his lobbying for backdoors into encrypted communications provided by the technology industry as "venom and deep cynicism" that are making a rational discussion about what could and should be done nearly impossible.
New vulnerabilities
freetype2: denial of service
| Package(s): | freetype2 | CVE #(s): | CVE-2014-9745 CVE-2014-9746 CVE-2014-9747 | ||||||||||||||||
| Created: | September 14, 2015 | Updated: | October 7, 2015 | ||||||||||||||||
| Description: | From the Mageia advisory:
It was discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or hang, resulting in a denial of service, or possibly expose uninitialized memory (Savannah bugs 41309 and 41590). The CVE numbers were referenced in the Debian LTS advisory. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
icedtea-web: applet execution
| Package(s): | icedtea-web | CVE #(s): | CVE-2015-5234 CVE-2015-5235 | ||||||||||||||||||||||||||||||||||||
| Created: | September 14, 2015 | Updated: | June 9, 2016 | ||||||||||||||||||||||||||||||||||||
| Description: | From the Arch advisory:
- CVE-2015-5234 (unexpected permanent authorization of unsigned applets) It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval. - CVE-2015-5235 (applet origin spoofing) It was discovered that IcedTea-Web did not properly determine an applet's origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin. A remote attacker is able to execute a malicious applet without user approval via multiple vectors. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
ipython: cross-site scripting
| Package(s): | ipython | CVE #(s): | CVE-2015-6938 | ||||||||||||||||
| Created: | September 15, 2015 | Updated: | October 8, 2015 | ||||||||||||||||
| Description: | From the Mageia advisory:
In IPython, local folder name was used in HTML templates without escaping, allowing XSS in said pages by carefully crafting folder name and URL to access it. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2015-6666 | ||||||||
| Created: | September 14, 2015 | Updated: | September 23, 2015 | ||||||||
| Description: | From the Red Hat bugzilla:
After fixing Linux's NT flag handling, an optimization was added, making the code vulnerable. A malicious 32-bit program might be able to leak NT into an unrelated task. On a kernel with setting CONFIG_PREEMPT=y, this causes a straightforward DoS. With CONFIG_PREEMPT=n setting, it's probably still exploitable for DoS with some more care. This vulnerability could be possibly used also for privilege escalation. | ||||||||||
| Alerts: |
| ||||||||||
moodle: information leak
| Package(s): | moodle | CVE #(s): | CVE-2015-3177 | ||||||||
| Created: | September 16, 2015 | Updated: | September 16, 2015 | ||||||||
| Description: | From the CVE entry:
Moodle 2.8.x before 2.8.6 does not consider the tool/monitor:subscribe capability before entering subscriptions to site-wide event-monitor rules, which allows remote authenticated users to obtain sensitive information via a subscription request. | ||||||||||
| Alerts: |
| ||||||||||
onionshare: denial of service
| Package(s): | onionshare | CVE #(s): | |||||||||
| Created: | September 11, 2015 | Updated: | September 16, 2015 | ||||||||
| Description: | From the onionshare bug report: Some users might be running Tor Browser confined with AppArmor profiles included in Tor Browser Launcher. In this case, OnionShare needs to make sure chooses a hidden service directory in a place that tor has permissions to write to. | ||||||||||
| Alerts: |
| ||||||||||
openldap: denial of service
| Package(s): | openldap | CVE #(s): | CVE-2015-6908 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 14, 2015 | Updated: | September 30, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Arch Linux advisory:
By sending a crafted packet, an attacker can cause the OpenLDAP daemon to crash with a SIGABRT. This is due to an assert() call within the ber_get_next method (io.c line 682) that is hit when decoding tampered BER data. The following proof of concept exploit can be used to trigger the condition: # echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 127.0.0.1 389 The above causes slapd to abort as follows when running with '-d3', however it should be noted that this will crash the server even when running in daemon mode. A remote attacker is able to send specially crafted packets that cause the OpenLDAP server to crash, leading to denial of service. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
php-doctrine-annotations: privilege escalation
| Package(s): | php-doctrine-annotations | CVE #(s): | CVE-2015-5723 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 15, 2015 | Updated: | August 2, 2016 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Doctrine project:
We are releasing new versions of Doctrine Cache, Annotations, ORM and MongoDB ODM today that fix a security misconfiguration vulnerability. This vulnerability was assigned CVE-2015-5723. It requires an attacker to have direct access to a user of the server to be exploitable. We consider exploitabilty to be low to medium. Exploiting this vulnerability can allow attackers to perform local arbitrary code execution with privleges of other users (privilege escalation). You are only affected by this vulnerability, if your application runs with a umask of 0. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
phpMyAdmin: guessable user credentials
| Package(s): | phpMyAdmin | CVE #(s): | CVE-2015-6830 | ||||||||||||||||||||
| Created: | September 14, 2015 | Updated: | October 5, 2015 | ||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
A vulnerability allowing to complete reCaptcha test and subsequently perform a brute force attack to guess user credentials without having to complete further reCaptcha tests was found. This vulnerability only affects installations with reCaptcha test enabled. Affected versions are 4.3.x (prior to 4.3.13.2) and 4.4.x (prior to 4.4.14.1) | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
qemu: two vulnerabilities
| Package(s): | qemu | CVE #(s): | CVE-2015-6815 CVE-2015-6855 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 15, 2015 | Updated: | October 14, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mageia advisory:
Qemu emulator built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing transmit descriptor data when sending a network packet. A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS (CVE-2015-6815). Qemu emulator built with the IDE disk and CD/DVD-ROM emulation support is vulnerable to a divide by zero issue. It could occur while executing an IDE command WIN_READ_NATIVE_MAX to determine the maximum size of a drive. A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS (CVE-2015-6855). | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
qemu: denial of service
| Package(s): | qemu | CVE #(s): | CVE-2015-5239 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 15, 2015 | Updated: | September 16, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mageia advisory:
Qemu emulator built with the VNC display driver is vulnerable to an infinite loop issue. It could occur while processing a CLIENT_CUT_TEXT message with specially crafted payload message. A privileged guest user could use this flaw to crash the Qemu process on the host, resulting in DoS. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
vzctl: insecure ploop-based containers
| Package(s): | vzctl | CVE #(s): | CVE-2015-6927 | ||||||||
| Created: | September 14, 2015 | Updated: | January 11, 2017 | ||||||||
| Description: | From the Debian advisory:
It was discovered that vzctl, a set of control tools for the OpenVZ server virtualization solution, determined the storage layout of containers based on the presence of an XML file inside the container. An attacker with local root privileges in a simfs-based container could gain control over ploop-based containers. Further information on the prerequites of such an attack can be found at https://src.openvz.org/projects/OVZL/repos/vzctl/commits/... | ||||||||||
| Alerts: |
| ||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>