OpenBSD Will Not Fix PRNG Weakness

snake-oil-security writes "Last fall Amit Klein found a serious weakness in the OpenBSD PRNG (pseudo-random number generator), which allows an attacker to predict the next DNS transaction ID. The same flavor of this PRNG is used in other places like the OpenBSD kernel network stack. Several other BSD operating systems copied the OpenBSD code for their own PRNG, so they're vulnerable too; Apple's Darwin-based Mac OS X and Mac OS X Server, and also NetBSD, FreeBSD, and DragonFlyBSD. All the above-mentioned vendors were contacted in November 2007. FreeBSD, NetBSD, and DragonFlyBSD committed a fix to their respective source code trees, Apple refused to provide any schedule for a fix, but OpenBSD decided not to fix it. OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem and that the problem is completely irrelevant in the real world. This was highlighted recently when Amit Klein posted to the BugTraq list."

then exploit it (if you can)

if you think its a problem, exploit it
nothing says "fix it" faster than a few thousand compromised hosts
release a PoC that gets r00t, inform the security lists and stand back
thats what full disclosure is for.

if it isnt exploitable then BSD can fix it at leisure
or if thats not quick enough and as its Open Source, YOU fix it if you are that concerned

now somebody call the whhaaambulance

Re:then exploit it (if you can)

[alexhs]

Wow, Slashdot ate my whole comment besides that link... A bug? A bug indeed, and it is yours, apparently you can't code in HTML :P
You probably did a typo in a closing tag. Anyway, There's a reason why we have a "preview" button ;)

Re:then exploit it (if you can)

[digitig]

True, but if you roll one yourself, the P in PRNG no longer has a second meaning of 'predictable.'
It does if you don't do it right, and you're unlikely to do it right unless you're a cryptographic expert. Just because your algorithm isn't published doesn't mean a competent codebreaker won't be able to crack it: ahref=http://en.wikipedia.org/wiki/Security_through_obscurityrel=url2html-8229http://en.wikipedia.org/wiki/Security_through_obscurity>.

Uh what

[Brian+Gordon]

Is the summary just supposed to be as shocking as possible? How about some details on why specifically they decided not to patch it?

Re:Uh what ... yeah

[cloricus]

I like the part where if some company, say Apple, does fix it BSD sports fans can't automatically get the fix because, hey, the BSD license!

That's right, I'm trolling BSD users because their idea of Free Software has a flaw, and it'd be nice for them to realise it once in awhile. This is instead of their constant trolling of the GPL (and compatible) while pretending their perception is perfect. And I'm no coward in saying it.

What??

[uuxququex]

Are you really comparing OpenBSD to Windows 95? The mind boggles...

The flaw in the PRNG is not exploitable. Not unless you are root on the local machine and have the ability to stop all other processes. If you are root then there is nothing to exploit as you are already, well, root.

So perhaps you should have RTA first? Or where you in a hurry to make a post on front of the list?

Re:What??

You've got it backwards.

You say "OpenBSD is secure, therefore any comparison of OpenBSD to windows 95 is invalid". The GP says "OpenBSD and windows 95 seem to be comparable here, therefore OpenBSD - apparently - is not 100% secure". A priori, the latter makes much more sense; your position can only be reasonably adopted if you already KNOW that OpenBSD is secure. Given that we're talking about a potential flaw in OpenBSD here, such an assertion would amount to circular reasoning.

You say that the flaw "is not exploitable". On what basis are you claiming this? Can you back up your claim somehow? Did you examine the source code or investigate possible attack scenarios? Are you an OpenBSD developer?

The answer to all the above is "no", of course. You do not know that the flaw is not exploitable; you merely have formed an opinion on OpenBSD's supposedly perfect security already and cannot stand the cognitive dissonance created by having to admit it might not be; therefore, you're forced to make claims such as this in the hopes that someone else who's suffering from the same problem(s) will mod you up.

But of course, that need not concern me, the GP, or anyone else - we don't care about your personal problems. All that matters to us is that until we have, at the very least, strong evidence that this flaw cannot possibly be exploited, we are going to treat it as if it can be. And even in the face of such evidence, we are still going to assert that it's better to be careful and that even a flaw that you currently believe cannot be exploited should be patched - after all, nobody is perfect.

It's better to be vigilant, and the OpenBSD developers should be the first to agree to that.

Re:So much for high security

[norton_I]

If it isn't actually a security risk (I have no idea if it is or not), the most secure thing to do is to not "fix" it. Changing code always carries the risk of introducing security problems.

The OpenBSD guys are pretty defensive about security. If they say it is not a problem, I am inclined to believe them.

Re:If the OpenBSD devs say it isn't a security fla

>If the OpenBSD developers say this isn't a security concern, I've got 100% confidence that they are correct.

I see you don't remember how OpenBSD developers downplayed remote root vulnerability in mbuf code, until COREsecurity gived them working exploit :].
And this is that mega randomness with what OpenBSD team was so proud :] LOL.

Re:Uh what ... yeah

[cmaxx]

Nuhuh. This is because the BSD license is semantically freer than GPL in precisely this case:

Apple are free to release their putative fix to the community, or not - their free choice. That's one more freedom, relative to being obliged to release any changes they make which lead to a binary release outisde of Apple, which the GPL would oblige.

There are plenty of folk who see that as a feature not a flaw.

Oh for Bob's sake!

[Chas]

When the PRNG in WINDOWS is shown to be vulnerable (because it's a actually static value), it's a horrendous problem.

But when the PRNG for a non-MS operating system is shown to have a similar (but not identical) problem, it's "irrelevant"?

Perception is as important as actuality

[Alain+Williams]

It is not just good enough to be 'secure in the "real world"' it is also important to be seen and believed to be secure.

Can someone say how hard a fix would be ? Surely: for the sake of a bit of work they are committing a public relations blunder!

Re:Perception is as important as actuality

[X0563511]

I think the real point here, is that the OpenBSD people don't really care what others think. They follow their own drum, for better or for worse.

Nobody forces you to use OpenBSD, and nobody prevents you from patching it yourself. They are entirely in their rights to say "No" even if it is a stupid thing to do.

Re:Alternative submission

[yakumo.unr]

If flawed, predictable PRNG code is so 'irrelevant in the real world' why does even Microsoft seek to improve upon it?

"Strengthens the cryptography platform with a redesigned random number generator, which leverages the Trusted Platform Module (TPM), when present, for entropy and complies with the latest standards. The redesigned RNG uses the AES-based pseudo-random number generator (PRNG) from NIST Special Publication 800-90 by default. The Dual Elliptical Curve (Dual EC) PRNG from SP 800-90 is also available for customers who prefer to use it."

Overview of Windows Vista Service Pack 1

Though this question obviously will depend on how MS's previous PRNG implementation stacks up against OpenBSD's.

Strike 2, OpenBSD.

[Neillparatzo]

OpenBSD is on a fast track to losing its most favored secure OS status if they keep this up.

First they refused to implement WPA (despite the other BSDs having it), because it "doesn't provide real security" and "just use IPSEC".

Now they're refusing to address a weakness in their network stack (despite the other BSDs addressing it), again with the implication that everybody should just jump to IPSEC. What if you're in a situation where an IPSEC rollout is impractical or impossible?

Whatever happened to defense in depth? Whatever happened to "secure by default"? Whatever happened to constructive paranoia, such as randomizing of libc addresses, that was unlikely to have any real impact on security but was a nice extra, just in case? Why must I now upgrade to NetBSD to get security features that are lacking in OpenBSD? Isn't the shoe on the wrong foot?

What happened? Was there a change of management? Is OpenBSD under the thumb of a douchebag patch manager lately? Is this going to go away at some point? Those of us that sleep with OpenBSD firewalls like a gun under our pillow are taking notice.

Re:Strike 2, OpenBSD.

[the_B0fh]

And they care about your notice why?

Re:Strike 2, OpenBSD.

First they refused to implement WPA (despite the other BSDs having it), because it "doesn't provide real security" and "just use IPSEC".

Umm, they're completely correct to take this stance. WPA is far inferior to IPSEC, security-wise. It's OpenBSD's job to help insulate you from insecure technologies. We could easily say, "Just because FreeBSD allows one-character passwords, OpenBSD should, too!" And you know what? We'd be wrong to think in that way.

What happened? Was there a change of management? Is OpenBSD under the thumb of a douchebag patch manager lately? Is this going to go away at some point? Those of us that sleep with OpenBSD firewalls like a gun under our pillow are taking notice.

What happened? Nothing happened. The OpenBSD team members are performing their task perfectly. They are computer security experts who have considered this problem, and found it to not be the issue that some others think it is. So they're doing the responsible thing, and not making willy-nilly changes to their codebase for the sake of a "security glitch" that really doesn't exist.

Re:Strike 2, OpenBSD.

IPSec is OSI layer three, WPA is layer two. Accordingly, they are not substitutes for each other; they are compliments.

So, OpenBSD is refusing to put a locking mechanism on the doorknob because it wants to make people use a deadbolt. Me, I'd want both; if it turns out my deadbolt had a defect and thus easily defeated, the doorknob lock would at least provide some security.

GPL has the same flaw, ya know.

[Animaether]

say Google fixes something in a GPLed project that they're -not- distributing. Then GPL fans can't automatically get the fix because, hey, the GPL license*!

( * which only says something about making the code, and thus the fix, available if the code, or compiled version thereof, is distributed. )

The difference is trivial, isn't it. In both cases an existing fix would not automatically be contributed back.

Re:Uh what ... yeah

[molarmass192]

... and if Apple wasn't using OSS at all, I'd bet that they'd be selling quite a few less laptops and desktops. I know I wouldn't have bought three laptops over the past 2 years. I also know several people who would not have gone the OS X route. GCC / FreeBSD / GNU are very strong selling points for Apple that they didn't have with OS 9. On that note, I think you're right to a large extent, if it came down to a choice between the GPL or closed source, I have a gut feeling Apple would have tried the close route. The BSD license gives them flexibility to release source if and when they want.

Re:Uh what ... yeah

[Goaway]

Being given something is not a freedom. It may be a good thing, but stretching the definition of "freedom" to include that renders term almost entirely meaningless.

Don't conflate "things you want" with "freedom", please.

Re:Uh what ... yeah

[ShieldW0lf]

It's about the developers freedom and the users freedom. The developer is free of leverage, and can act as they wish. The user is free of leverage, and can act as they wish. They're not allowed to use the legal system to enforce leverage around the code, obviously. But that doesn't prevent them doing anything they wish with the code, it just prevents them being bastards via the legal system.

They'd more likely be used to compromise the user

[Xenographic]

DNS poisoning and the like are more likely to be used to compromise the user than his computer. After all, they can just put up their fake Bank of America clone that, thanks to poisoned DNS, is identical to the real one and steal his password.

Not everything is about compromising someone's computer.

Re:So much for high security

[Metzli]

I may be wrong, but I don't remember anyone claiming that OpenBSD is the "highest security OS." The last I checked, it wasn't on the list for A1. It's likely to be one of the most secure open source operating systems, but it's by no means the ultimate.

Your dollar, your time

[reiisi]

You be vigilant on the things that worry you on your dollar and on your time.

As we can see, even Microsoft can't seem to be vigilant on everything at once.

And the question to ask would be, what alternative? OpenBSD has (yet another) theoretical vulnerability. Is it one that affects the things you use obsd for?

MSWxxx has yet another real vulnerability. Is it one that affects what you use MSWxxx for?

It's better to allocate your time to be vigilant on things that matter (to you).