Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD Will Not Fix PRNG Weakness

Posted by kdawson on from the random-acts-of-kndness dept.

snake-oil-security writes "Last fall Amit Klein found a serious weakness in the OpenBSD PRNG (pseudo-random number generator), which allows an attacker to predict the next DNS transaction ID. The same flavor of this PRNG is used in other places like the OpenBSD kernel network stack. Several other BSD operating systems copied the OpenBSD code for their own PRNG, so they're vulnerable too; Apple's Darwin-based Mac OS X and Mac OS X Server, and also NetBSD, FreeBSD, and DragonFlyBSD. All the above-mentioned vendors were contacted in November 2007. FreeBSD, NetBSD, and DragonFlyBSD committed a fix to their respective source code trees, Apple refused to provide any schedule for a fix, but OpenBSD decided not to fix it. OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem and that the problem is completely irrelevant in the real world. This was highlighted recently when Amit Klein posted to the BugTraq list."

5 of 196 comments (clear)

  1. then exploit it (if you can) by Anonymous Coward · · Score: 5, Insightful

    if you think its a problem, exploit it
    nothing says "fix it" faster than a few thousand compromised hosts
    release a PoC that gets r00t, inform the security lists and stand back
    thats what full disclosure is for.

    if it isnt exploitable then BSD can fix it at leisure
    or if thats not quick enough and as its Open Source, YOU fix it if you are that concerned

    now somebody call the whhaaambulance

  2. Uh what by Brian+Gordon · · Score: 4, Insightful

    Is the summary just supposed to be as shocking as possible? How about some details on why specifically they decided not to patch it?

  3. Re:So much for high security by norton_I · · Score: 4, Insightful

    If it isn't actually a security risk (I have no idea if it is or not), the most secure thing to do is to not "fix" it. Changing code always carries the risk of introducing security problems.

    The OpenBSD guys are pretty defensive about security. If they say it is not a problem, I am inclined to believe them.

  4. Strike 2, OpenBSD. by Neillparatzo · · Score: 5, Insightful

    OpenBSD is on a fast track to losing its most favored secure OS status if they keep this up.

    First they refused to implement WPA (despite the other BSDs having it), because it "doesn't provide real security" and "just use IPSEC".

    Now they're refusing to address a weakness in their network stack (despite the other BSDs addressing it), again with the implication that everybody should just jump to IPSEC. What if you're in a situation where an IPSEC rollout is impractical or impossible?

    Whatever happened to defense in depth? Whatever happened to "secure by default"? Whatever happened to constructive paranoia, such as randomizing of libc addresses, that was unlikely to have any real impact on security but was a nice extra, just in case? Why must I now upgrade to NetBSD to get security features that are lacking in OpenBSD? Isn't the shoe on the wrong foot?

    What happened? Was there a change of management? Is OpenBSD under the thumb of a douchebag patch manager lately? Is this going to go away at some point? Those of us that sleep with OpenBSD firewalls like a gun under our pillow are taking notice.

    1. Re:Strike 2, OpenBSD. by Anonymous Coward · · Score: 5, Insightful

      IPSec is OSI layer three, WPA is layer two. Accordingly, they are not substitutes for each other; they are compliments.

      So, OpenBSD is refusing to put a locking mechanism on the doorknob because it wants to make people use a deadbolt. Me, I'd want both; if it turns out my deadbolt had a defect and thus easily defeated, the doorknob lock would at least provide some security.