12th Jun 2000 [SBWID-132]
COMMAND
kernel
SYSTEMS AFFECTED
FreeBSD/Alpha prior to 2000-05-10 (4.0-STABLE)/2000-04-28 (5.0-CURRENT)
PROBLEM
The FreeBSD kernel provides a cryptographic-strength pseudo-random
number generator via the /dev/random and /dev/urandom interfaces,
which samples hardware measurements to provide a high-quality
source of "entropy" (randomness).
The FreeBSD port to the Alpha platform did not provide the
/dev/random or /dev/urandom devices - this was an oversight during
the development process which was not corrected before the Alpha
port "became mainstream". FreeBSD/i386 is not affected.
As a consequence, there is no way for Alpha systems prior to the
correction date to obtain cryptographic-strength random numbers,
unless an application "rolls its own" entropy gathering mechanism.
This in itself is not a vulnerability, although it is an omission
and a departure from the expected behaviour of a FreeBSD system.
The actual vulnerability is that some applications fail to
correctly check for a working /dev/random and do not exit with an
error if it is not available, so this weakness goes undetected.
OpenSSL 0.9.4, and utilities based on it, including OpenSSH (both
of which are included in the base FreeBSD 4.0 system) are affected
in this manner (this bug was corrected in OpenSSL 0.9.5).
Therefore, cryptographic security systems on vulnerable
FreeBSD/Alpha systems (including OpenSSH in the base FreeBSD 4.0
system) may have weakened strength, and cryptographic keys
generated on such systems should not be trusted.
Cryptographic secrets (such as OpenSSH public/private keys)
generated on FreeBSD/Alpha systems may be much weaker than their
"advertised" strength, and may lead to data compromise to a
dedicated and knowledgeable attacker. PGP/GnuPG keys, and keys
generated by the SSH or SSH2 ports, are not believed to be
weakened since that software will correctly detect the lack of a
working /dev/random and use alternative sources of entropy.
OpenSSH and OpenSSL are currently the only known vulnerable
applications.
SOLUTION
One of the following three options, followed by step 2).
1a) Upgrade your FreeBSD/Alpha system to FreeBSD 4.0-STABLE after
the correction date.
1b) install the patched 4.0-RELEASE GENERIC kernel available from:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.gz
e.g. perform the following steps as root:
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.gz
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.gz.asc
Verify the detached PGP signature using your PGP utility -
consult your utility's documentation for how to do this
# gunzip kernel.gz
# cp /kernel /kernel.old
# chflags noschg /kernel
# cp kernel /kernel
# chflags schg /kernel
1c) Download the kernel source patch and rebuild your
FreeBSD/Alpha kernel, as follows:
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.sys.diff
Download the detached PGP signature:
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.sys.diff.asc
and verify the signature using your PGP utility.
Apply the patch:
# cd /usr/src
# patch -p < /path/to/kernel.sys.diff
Rebuild your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html
and reboot with the new kernel.
NOTE: Because of the significant improvements to the
FreeBSD/Alpha platform in FreeBSD 4.0, it is not planned at
this time to backport the necessary changes to FreeBSD
3.4-STABLE.
2) Immediately regenerate all OpenSSH-generated SSH keys and
OpenSSL-generated SSL certificates, and any other data relying
on cryptographic random numbers which were generated on
FreeBSD/Alpha systems, whose strength cannot be verified.
[Note: for most systems, the only significant vulnerability is
likely to be from OpenSSH and OpenSSL-generated keys and
certificates (e.g. for SSL webservers)]