OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: security-officernetbsd.org
Date: Fri Feb 16 2001 - 00:34:08 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    auscertauscert.org.au
    Subject: NetBSD Security Advisory 2001-003
    Organisation: The NetBSD Foundation, Inc.
    Reply-to: security-officernetbsd.org

    -----BEGIN PGP SIGNED MESSAGE-----

                     NetBSD Security Advisory 2001-003
                     =================================

    Topic: Secure Shell vulnerabilities and key generation.
    Version: NetBSD 1.5_BETA (not 1.5 release), -current,
                    and users of some pkgsrc Secure Shell packages.
    Severity: Remote root compromise, possible weak keys.
    Fixed: NetBSD-current: October 30, 2000
                    NetBSD-1.5 branch: October 30, 2000
                    NetBSD pkgsrc: February 14, 2001

    Abstract
    ========

    NetBSD systems may have a number of different implementations and
    versions of Secure Shell installed, either integrated with the system
    or third-party packages from pkgsrc.

    A recent RAZOR Bindview Advisory (CAN-2001-0144) describes a buffer
    overrun vulnerability in Secure Shell daemons which may be present on
    some NetBSD systems.

    In addition, a system configuration flaw could result in weak key
    generation on some systems.

    This advisory contains information and instructions to help NetBSD
    users ensure that they are running an appropriate Secure Shell and
    system configuration.

    Technical Details
    =================

    NetBSD 1.5 and NetBSD-current include an integrated Secure Shell
    daemon, based on OpenSSH. NetBSD releases prior to 1.5 relied on
    pkgsrc system to install third-party implementations, including
    ssh.com, OpenSSH, and FreSSH.

    There are two distinct vulnerabilities:

      * A buffer overrun attack is present in the CRC32 Compensation
        Attack Detector code added to work around a weakness in the SSHv1
        protocol. This is described in the RAZOR Bindview advisory
        referenced below, technical details are not repeated here.

        This vulnerability could lead to remote root compromise, through
        execution of arbitrary code in an overflowed buffer.

      * Some NetBSD systems may not have the rnd(4) kernel randomness
        generator psuedo-device configured. The OpenSSL library uses a
        weak initialiser to seed its random number generator if this
        device is not available.

        This vulnerability could lead to compromise of cryptographic
        sessions protected by keys generated through OpenSSL.

        Programs that use the OpenSSL library as a source of randomness
        (including key generation) will have weak random numbers as a
        result. The OpenSSH code integrated into NetBSD-1.5 and
        NetBSD-current uses this device (via /dev/urandom) directly as a
        source of randomness to seed key generation. If it is not
        available, it falls back to the OpenSSL library as an alternate
        source of random input, which will in turn fail to open the device
        and fall back on its weak internal initialiser. Other programs
        which rely on OpenSSL will be similarly affected.

    Prior to the 1.5 release, NetBSD fixed the CRC32 Compensation Attack
    Detector implementation in the integrated Secure Shell daemon (based
    on OpenSSH 2.2.0), but without a visible version number change. This
    change was taken up by OpenSSH immediately thereafter, and included in
    the 2.3.0 release. This may lead to some user confusion over whether
    the integrated Secure Shell is vulnerabile to this attack.

    Note that users running NetBSD 1.5 or NetBSD-current who have upgraded
    from older releases may still have vulnerable pkgsrc packages
    installed.

    The NetBSD 1.5 release was intended to include the rnd(4) kernel
    psuedo-device in all systems. Unfortunately, it was ommitted from the
    GENERIC kernel configuration on the newsmips and luna68k ports
    (only). On several other ports, an outdated comment in the GENERIC
    kernel configuration file indicating the device was "experimental" was
    not removed, which may have led to some users subsequently removing
    the device from custom kernel configurations.

    The integrated Secure Shell in NetBSD-current is based on OpenSSH
    2.3.2. As of 2001-02-14, this now requires the presence of the rnd(4)
    device, and will generate an error if it is not available. A suitable
    fix to the OpenSSL library is currently under investigation.

    Solutions and Workarounds
    =========================

    The appropriate solution depends on the NetBSD version you are
    running.

      Users of NetBSD-1.5 and NetBSD-current:
      ---------------------------------------
            
       The CRC32 Compensation Attack Detector bug was fixed on October 30,
       2000 for both NetBSD-current and the NetBSD 1.5 release
       branch. The 1.5 release is not vulnerable to the buffer overflow.

       This date falls during the NetBSD 1.5 release cycle, between
       1.5_BETA and 1.5_BETA2. Any BETA users should upgrade to the
       final release before proceeding further.

       Systems running NetBSD-current dated from before October 30, 2000
       should be upgraded to NetBSD-current dated October 30, 2000 or
       later (crypto/dist/ssh/deattack.c revision 1.2).

       Users of NetBSD-1.5 and NetBSD-current should ensure that:

        * they are not still using a Secure Shell implementation from
          pkgsrc, left over from before the system was upgraded to a
          release with integrated Secure Shell.

        * the rnd(4) device is properly configured.

       The rnd(4) kernel psuedo-device is accessed through the /dev/random
       and /dev/urandom device special files. Ensure that these exist as
       device nodes, if not do:

         # cd /dev
         # ./MAKEDEV random

       Ensure that the kernel configuration contains the psuedo-device.
       The simplest way to verify that a running kernel has this device is
       to attempt to read a small amount of data from it, for example:

         # dd if=/dev/urandom bs=8 count=1

       If you get an error (such as "dd: /dev/urandom: Device not
       configured") you must build, install and reboot a new kernel with
       the following line in the kernel configuration file:

         pseudo-device rnd # /dev/random and in-kernel generator

       For more information on how to do this, see:

        http://www.netbsd.org/Documentation/kernel/#building_a_kernel

       (At the same time, if your configuration file still contains a
       comment about rnd being experimental, you should remove that
       comment; it is no longer relevant since NetBSD 1.5).

       NOTE: It is recommended that host and user keys that were generated
       on a system without the rnd(4) device properly configured should be
       re-generated.

      Users of pkgsrc Secure Shell implementations (NetBSD prior to 1.5):
      -------------------------------------------------------------------

       NetBSD releases prior to 1.5 do not have integrated OpenSSH in the
       main source code tree. Instead, users of these systems will have
       installed one of several available implementations and versions
       from pkgsrc. Some of these versions were vulnerable to the buffer
       overflow attack, and some utilise the rnd(4) device.

       These issues are summarised in the following table:

        Package name Version Buffer O/flow /dev/urandom
        ------------------------------------------------------------------
        ssh (ssh.com/f-secure) <=1.2.27 vulnerable Not Required
        ssh6 (above with IPv6) <=1.2.27 vulnerable Not Required
        ssh 1.2.27nb1 not vulnerable Not Required
        ssh6 1.2.27nb1 not vulnerable Not Required

        openssh <=2.2.0p1 vulnerable Recommended
        openssh 2.3.0p1 not vulnerable Recommended

        fressh 0.8 not vulnerable Required

       Users of the ssh or ssh6 packages (The ssh.com/F-Secure freeware
       ssh, with or without IPv6 support) should upgrade to the latest
       version of these packages. The NetBSD pkgsrc collection as of
       2000-02-14 contains versions of the ssh.com 1.2.27 distribution,
       patched to avoid the buffer overflow; these are identified by an
       "nb1" suffix in the package version.

       Note that there are several other security issues with the ssh.com
       1.2.27 base code, that are not addressed by the nb1 patch. These
       items are fixed in the ssh.com 1.2.31 release, but that version
       includes a restrictive license. Users concerned about these issues
       should consider switching to an OpenSSH implementation instead.

       Users of the openssh package should be aware that this also
       utilises the rnd(4) device. In NetBSD 1.4.x releases, this device
       *is* experimental and may cause stability or performace issues on
       some architectures prior to NetBSD 1.4.2. The openssh package is
       based on the OpenSSH 'p' release, which includes a better fall-back
       mechanism if rnd(4) is not present, and is recommended for users of
       pre-1.5 NetBSD systems, with or without rnd(4).

       Users of the newly-released FreSSH package should ensure that
       rnd(4) is correctly configured, it also relies on this device for
       good-quality random number generation.

       To upgrade, first make sure you have an up-to-date pkgsrc
       collection (at least as recent as 2001-02-14). This can be
       obtained via anonymous CVS, SUP or FTP from the project servers or
       mirrors.

       If you have installed OpenSSH via package (pkgsrc/security/openssh),
       upgrade it to 2.3.0p1.

       If you have installed ssh.com Secure Shell (pkgsrc/security/ssh),
       remove it and install pkgsrc/security/openssh, version 2.3.0p1.

    Thanks To
    =========

    Thor Lancelot Simon for the CRC32 Compensation Attack Detector fix
    from FreSSH, which was incorporated into NetBSD by Mason Loring Bliss
    and into OpenSSH by Markus Friedl.

    Charles Hannum for raising the OpenSSL fallback initialiser problem.
    Jun-ichiro Hagino for problem analysis and fixes to the integrated
    NetBSD versions, as well as editorial assistance in the preparation of
    this advisory. Ignatios Souvatzis for updating and summarising status
    of the pkgsrc versions.

    Revision History
    ================

            2000-12-16 Initial Release

    More Information
    ================

    Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

    RAZOR Bindview Advisory CAN-2001-0144, "Remote vulnerability in SSH
    daemon crc32 compensation attack detector" is available at
    http://razor.bindview.com/publish/advisories/adv_ssh1crc.html.

    Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved.

    $NetBSD: NetBSD-SA2001-003.txt,v 1.3 2001/02/16 05:57:05 dan Exp $

    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    Charset: noconv

    iQCVAwUBOozBOz5Ru2/4N2IFAQEDJwQAhbDwwkD6lLYKXB1DFQagomDIxHD7Gbt2
    IkzkIbeJasvMLvYnPAxqEmsyZuD5tA3tHrwVIVm6Nw1kH5omM2PpNdyXw50v2UUV
    Jza8jvHyKNd0E88OOPRvXMDg8H1+CPs59eIJSwKLpjs30wmzncrxCUpWnNhlUSaB
    YD8ljxdWASA=
    =gwZy
    -----END PGP SIGNATURE-----