Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD Will Not Fix PRNG Weakness

Posted by kdawson on from the random-acts-of-kndness dept.

snake-oil-security writes "Last fall Amit Klein found a serious weakness in the OpenBSD PRNG (pseudo-random number generator), which allows an attacker to predict the next DNS transaction ID. The same flavor of this PRNG is used in other places like the OpenBSD kernel network stack. Several other BSD operating systems copied the OpenBSD code for their own PRNG, so they're vulnerable too; Apple's Darwin-based Mac OS X and Mac OS X Server, and also NetBSD, FreeBSD, and DragonFlyBSD. All the above-mentioned vendors were contacted in November 2007. FreeBSD, NetBSD, and DragonFlyBSD committed a fix to their respective source code trees, Apple refused to provide any schedule for a fix, but OpenBSD decided not to fix it. OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem and that the problem is completely irrelevant in the real world. This was highlighted recently when Amit Klein posted to the BugTraq list."

7 of 196 comments (clear)

  1. Re: Uh what by Dolda2000 · · Score: 4, Informative
    I'm no security expert and I don't know anything about the attack vectors that he claims, so maybe I shouldn't say too much, but I do know this: TFA mentions that the PRNG is used for such fields as DNS transaction IDs and IP header fragment IDs, and these fields were never even meant to be random from the beginning. Verily so, TFA even says that {Free,Net}BSD don't even use the PRNG by default, but uses sequential numbers unless a certain sysctl is tweaked.

    Thus, it is my guess that even if the attack vectors are deemed serious enough, the OpenBSD team has decided that it doesn't matter, since these protocols were never designed for security anyway, and that one should use DNSSEC and/or IPSEC (or TLS) if one actually wants to be secure (it does raise the question as to why they decided to use a PRNG for those fields from the beginning, though). My second guess is that they don't even consider the attack vectors serious, though, since they probably require a cracked router to be effective anyway.

    Indeed, if they do require a cracked router, then I don't see the issue to begin with. One of the attacks was that the attacker could inject data into a TCP stream and such things, and if he has a router cracked, then I'm pretty sure he could forge all the data he wants anyway, without using any particular software attack at all, and likewise with DNS data.

  2. Re:then exploit it (if you can) by digitig · · Score: 5, Informative

    If you're working at the level where a friend has to explain the weaknesses in a PRNG class, one you roll yourself is highly unlikely to be better. There are many algorithms out there that have been very thoroughly analysed and explored by experts, and there's going to be one out there that's easy to find and better than your hand-rolled one. And, of course, what count as "weaknesses" depends on the application. A PRNG that's great for Monte-Carlo simulation may be too predictable for cryptography. A PRNG that's sufficiently hard to predict for cryptography may be too slow for Monte-Carlo simulation.

    --
    Quidnam Latine loqui modo coepi?
  3. Re:then exploit it (if you can) by maxwell+demon · · Score: 4, Informative

    Kinda hard to make some if nothing in our world are truly random. Or is anything?

    Quantum mechanics delivers true randomness, at least according to the standard interpretation.
    --
    The Tao of math: The numbers you can count are not the real numbers.
  4. Re: Uh what by Smallpond · · Score: 4, Informative

    The reason that they weren't designed to be secure is that noone had thought of the "DNS poisoning" attack when the protocols were designed. If they had, they would have made the ID field longer. Since it is only 16 bits, I doubt that there is any very secure way of protecting someone from guessing the next value. The paper describes a method of narrowing it down to 8 possibilities by doing ~10^9 calculations.

    The exploit described in the paper doesn't require a cracked router, just a malicious website. Once you can inject fake DNS entries for bankofamerica.com or ebay.com on some ISP's DNS server, the exploit has paid for itself.

  5. Re:What?? by Jugalator · · Score: 4, Informative

    The flaw in the PRNG is not exploitable. Not unless you are root on the local machine and have the ability to stop all other processes. Wait.. what?

    This could potentially provide a platform for attacks involving prediction of IP sequences and thus TCP data injection attacks.

    Where is a local machine access required for that? It could provide attacks on the network traffic itself, by merely knowing which operating systems are involved in it.
    --
    Beware: In C++, your friends can see your privates!
  6. Re:then exploit it (if you can) by Jugalator · · Score: 4, Informative

    if you think its a problem, exploit it http://www.securityfocus.com/bid/27647
    --
    Beware: In C++, your friends can see your privates!
  7. Re:then exploit it (if you can) by Jugalator · · Score: 4, Informative

    Wow, Slashdot ate my whole comment besides that link... A bug?

    Anyway, besides rudely just posting a link like that in response, I was going to say that proof-of-concept code has at least already been published, and his point is that FreeBSD, NetBSD, DragonFlyBSD has fixes available. Apple is currently working on a fix for OS X. OpenBSD is not planning to fix this. More info can be found in my parent link.

    --
    Beware: In C++, your friends can see your privates!