OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NetBSD Security Officer (security-officernetbsd.org)
Date: Thu Aug 23 2001 - 01:07:55 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----

                     NetBSD Security Advisory 2001-013
                     =================================

    Topic: OpenSSL PRNG weakness (up to 0.9.6a)

    Version: NetBSD-current: source prior to July 10, 2001
                    NetBSD 1.5.1: affected
                    NetBSD 1.5: affected
                    pkgsrc: openssl packages prior to 0.9.6b or 0.9.6nb1

    Severity: attacker can predict sequence of future PRNG outputs

    Fixed: NetBSD-current: July 10, 2001
                    NetBSD-1.5 branch: July 29, 2001 (1.5.2 includes the fix)
                    pkgsrc: openssl-0.9.6b or openssl-0.9.6nb1

    Abstract
    ========

    The OpenSSL libcrypto includes a PRNG (pseudo random number generator)
    implementation. The logic used for PRNG was not strong enough,
    and allows attackers to guess the internal state of the PRNG.
    Therefore, attackers can predict future PRNG output.

    Technical Details
    =================

    http://www.openssl.org/news/secadv_prng.txt

    Solutions and Workarounds
    =========================

    The problem can be remedied by replacing the libcrypto library,
    and recompiling all statically-linked binaries on the system that
    use this library.

    The following instructions describe how to upgrade your openssl
    libraries by updating your source tree and rebuilding and installing
    a new version of telnetd(8).

    * All NetBSD releases using openssl from pkgsrc:

            If you are using openssl from pkgsrc, upgrade it to either of
            the following packages:
                    openssl-0.9.6b or higher
                    openssl-0.9.6nb1 (0.9.6 + specific fix for the issue)

            Also, make sure that you upgrade any statically-linked binaries
            in packages and local applications that have been linked with
            libcrypto.

    * NetBSD-current:

            Systems running NetBSD-current dated from before 2001-07-10
            should be upgraded to NetBSD-current dated 2001-07-11 or later.

            The following directories need to be updated from the
            netbsd-current CVS branch (aka HEAD):
                    src/crypto/dist/openssl
                    src/lib/libcrypto

            To update from CVS, re-build, and re-install the openssl
            libraries:
                    # cd src
                    # cvs update -d -P crypto/dist/openssl lib/libcrypto
                    # cd lib/libcrypto
                    # make cleandir dependall
                    # make install

            You also need to upgrade any statically-linked binaries
            that use libcrypto. Whilst there are no statically-linked
            binaries in the default NetBSD installation that use
            libcrypto, it would be a good idea to run a full build
            (i.e. "make build").

    * NetBSD 1.5, 1.5.1:

            Systems running NetBSD 1.5 or 1.5.1 sources dated from
            before 2001-07-29 should be upgraded from NetBSD 1.5.x
            sources dated 2001-07-30 or later.

            NetBSD 1.5.2 is not vulnerable.

            The following source needs to be updated to version 1.2
            or later from the netbsd-1-5 CVS branch:
                    crypto/dist/openssl/crypto/rand/md_rand.c

            To update from CVS, re-build, and re-install the openssl
            libraries:
                    # cd src
                    # cvs update -d -P crypto/dist/openssl/crypto/rand
                    # cd lib/libcrypto
                    # make cleandir dependall
                    # make install

            Alternatively, apply the following patch (with potential offset
            differences):
                    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-013-openssl-1.5.patch

            To patch, re-build and re-install the openssl libraries:
                    # cd src/crypto/dist/openssl/crypto/rand
                    # patch < /path/to/SA2001-013-openssl-1.5.patch
                    # cd ../../../../../lib/libcrypto
                    # make cleandir dependall
                    # make install

            You also need to upgrade any statically-linked binaries
            that use libcrypto. Whilst there are no statically-linked
            binaries in the default NetBSD installation that use
            libcrypto, it would be a good idea to run a full build
            (i.e. "make build").

    Thanks To
    =========

    Jun-ichiro Hagino for the fix to -current and 1.5

    Markku-Juhani O. Saarinen for discovering the problem
    in the PRNG and reporting it to the OpenSSL project.

    Revision History
    ================

            2001-08-23 Initial release

    More Information
    ================

    An up-to-date PGP signed copy of this release will be maintained at
      ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-013.txt.asc

    Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

    Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved.

    $NetBSD: NetBSD-SA2001-013.txt,v 1.13 2001/08/23 02:03:23 lukem Exp $

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (NetBSD)
    Comment: For info see http://www.gnupg.org

    iQCVAwUBO4RlGD5Ru2/4N2IFAQHJkAP/Su564Mbn4Hl4+pkMh/fWiwtRIAE8aYex
    PcfCSW22nPrGpDdMwOPAvQAANCzNIJ2liXn9kzGqjNodOdSKDZ92hw6Yq/hlXhN/
    9R5CY3HR7ETFJtXBe3+8X5yqsrdAebDSh6Cz49HU2YxU+IN9idmy/JstNC6Ie69e
    U/XVIkv+BGM=
    =VRtV
    -----END PGP SIGNATURE-----