Slashdot Mirror


OpenBSD Will Not Fix PRNG Weakness

snake-oil-security writes "Last fall Amit Klein found a serious weakness in the OpenBSD PRNG (pseudo-random number generator), which allows an attacker to predict the next DNS transaction ID. The same flavor of this PRNG is used in other places, like the OpenBSD kernel network stack. Several other BSD operating systems copied the OpenBSD code for their own PRNG, so they're vulnerable too: Apple's Darwin-based Mac OS X and Mac OS X Server, and also NetBSD, FreeBSD, and DragonFlyBSD. All the above-mentioned vendors were contacted in November 2007. FreeBSD, NetBSD, and DragonFlyBSD committed a fix to their respective source code trees; Apple refused to provide any schedule for a fix; but OpenBSD decided not to fix it. OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem and that the problem is completely irrelevant in the real world. This was highlighted recently when Amit Klein posted to the BugTraq list."

9 of 196 comments

  1. then exploit it (if you can) by Anonymous Coward · Score: 5, Insightful

    if you think it's a problem, exploit it
    nothing says "fix it" faster than a few thousand compromised hosts
    release a PoC that gets r00t, inform the security lists and stand back
    that's what full disclosure is for.

    if it isn't exploitable then BSD can fix it at leisure
    or if that's not quick enough and as it's Open Source, YOU fix it if you are that concerned

    now somebody call the whhaaambulance

    1. Re:then exploit it (if you can) by digitig · Score: 5, Informative

      If you're working at the level where a friend has to explain the weaknesses in a PRNG class, one you roll yourself is highly unlikely to be better. There are many algorithms out there that have been very thoroughly analysed and explored by experts, and there's going to be one out there that's easy to find and better than your hand-rolled one. And, of course, what counts as a "weakness" depends on the application. A PRNG that's great for Monte-Carlo simulation may be too predictable for cryptography. A PRNG that's sufficiently hard to predict for cryptography may be too slow for Monte-Carlo simulation.

      --
      Quidnam Latine loqui modo coepi?
    2. Re:then exploit it (if you can) by orgelspieler · Score: 5, Funny

      I wrote a program like that once. It kept on outputting 42.

  2. Re:Uh what by Zeinfeld · Score: 5, Interesting

    Is the summary just supposed to be as shocking as possible? How about some details on why specifically they decided not to patch it?

    It is entirely believable to me. Back in 1995 I told Marc Andreessen at Netscape that he had a serious problem with the random number generator used to choose session keys for SSL. There was simply not enough randomness going in for there to be 128 bits going out.

    Marc had every reason to listen to me, I had broken SSL 1.0 in ten minutes when he tried to demonstrate it at MIT. But it took several weeks to drill the problem into his thick skull.

    So they eventually asked me for a description of how to do the thing right.

    A year later the exact same bug was discovered independently. By this time they had hired some competent crypto people. I spoke to Taher about the problem later and his explanation was that they found the design note on the PRNG which was so comprehensive that they didn't think it necessary to check the actual code.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/

  3. Strike 2, OpenBSD. by Neillparatzo · Score: 5, Insightful

    OpenBSD is on a fast track to losing its most favored secure OS status if they keep this up.

    First they refused to implement WPA (despite the other BSDs having it), because it "doesn't provide real security" and "just use IPSEC".

    Now they're refusing to address a weakness in their network stack (despite the other BSDs addressing it), again with the implication that everybody should just jump to IPSEC. What if you're in a situation where an IPSEC rollout is impractical or impossible?

    Whatever happened to defense in depth? Whatever happened to "secure by default"? Whatever happened to constructive paranoia, such as randomizing of libc addresses, that was unlikely to have any real impact on security but was a nice extra, just in case? Why must I now upgrade to NetBSD to get security features that are lacking in OpenBSD? Isn't the shoe on the wrong foot?

    What happened? Was there a change of management? Is OpenBSD under the thumb of a douchebag patch manager lately? Is this going to go away at some point? Those of us that sleep with OpenBSD firewalls like a gun under our pillow are taking notice.

    1. Re:Strike 2, OpenBSD. by Anonymous Coward · Score: 5, Insightful

      IPSec is OSI layer three, WPA is layer two. Accordingly, they are not substitutes for each other; they are complements.

      So, OpenBSD is refusing to put a locking mechanism on the doorknob because it wants to make people use a deadbolt. Me, I'd want both; if it turns out my deadbolt had a defect and thus was easily defeated, the doorknob lock would at least provide some security.

  4. Theo is slow to change, but he will. by argent · Score: 5, Interesting

    Theo has refused to implement other 'foreign' security changes in OpenBSD when they were first introduced, then turned around and implemented them after a while. He was contemptuous towards non-execute stacks when I spoke with him at Usenix many years ago, because he was convinced OpenBSD's code review policy made it irrelevant and because no-execute didn't stop all stack smashing attacks... but OpenBSD eventually picked it up.

    Basically, he's very conservative, very resistant to change, and don't forget that's one of the things that made OpenBSD what it was to begin with... but if it really matters he'll come around.

  5. Code excerpt for the curious... by davidbrit2 · Score: 5, Funny

    http://xkcd.com/221/ Oh hush, you knew somebody would post it.

  6. Re:Uh what by LizardKing · Score: 5, Funny

    That's because he's so l33t he can pick a Slashdot id at random every time he posts.