Subject: NetBSD Security Advisory 2001-003
To: None <netbsd-announce@netbsd.org>
From: None <security-officer@netbsd.org>
List: current-users
Date: 02/16/2001 17:34:08
auscert@auscert.org.au
Subject: NetBSD Security Advisory 2001-003
Organisation: The NetBSD Foundation, Inc.
Reply-to: security-officer@netbsd.org


-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2001-003
                 =================================

Topic:          Secure Shell vulnerabilities and key generation.
Version:        NetBSD 1.5_BETA (not 1.5 release), -current, 
		and users of some pkgsrc Secure Shell packages.
Severity:       Remote root compromise, possible weak keys.
Fixed:          NetBSD-current:    October 30, 2000
                NetBSD-1.5 branch: October 30, 2000
                NetBSD pkgsrc:     February 14, 2001


Abstract
========

NetBSD systems may have a number of different implementations and
versions of Secure Shell installed, either integrated with the system
or third-party packages from pkgsrc.

A recent RAZOR Bindview Advisory (CAN-2001-0144) describes a buffer
overrun vulnerability in Secure Shell daemons which may be present on
some NetBSD systems.

In addition, a system configuration flaw could result in weak key
generation on some systems.

This advisory contains information and instructions to help NetBSD
users ensure that they are running an appropriate Secure Shell and
system configuration.

Technical Details
=================

NetBSD 1.5 and NetBSD-current include an integrated Secure Shell
daemon, based on OpenSSH.  NetBSD releases prior to 1.5 relied on
pkgsrc system to install third-party implementations, including
ssh.com, OpenSSH, and FreSSH.

There are two distinct vulnerabilities:

  * A buffer overrun attack is present in the CRC32 Compensation
    Attack Detector code added to work around a weakness in the SSHv1
    protocol.  This is described in the RAZOR Bindview advisory
    referenced below, technical details are not repeated here.

    This vulnerability could lead to remote root compromise, through
    execution of arbitrary code in an overflowed buffer.

  * Some NetBSD systems may not have the rnd(4) kernel randomness
    generator psuedo-device configured.  The OpenSSL library uses a
    weak initialiser to seed its random number generator if this
    device is not available.

    This vulnerability could lead to compromise of cryptographic
    sessions protected by keys generated through OpenSSL.

    Programs that use the OpenSSL library as a source of randomness
    (including key generation) will have weak random numbers as a
    result.  The OpenSSH code integrated into NetBSD-1.5 and
    NetBSD-current uses this device (via /dev/urandom) directly as a
    source of randomness to seed key generation. If it is not
    available, it falls back to the OpenSSL library as an alternate
    source of random input, which will in turn fail to open the device
    and fall back on its weak internal initialiser.  Other programs
    which rely on OpenSSL will be similarly affected.

Prior to the 1.5 release, NetBSD fixed the CRC32 Compensation Attack
Detector implementation in the integrated Secure Shell daemon (based
on OpenSSH 2.2.0), but without a visible version number change. This
change was taken up by OpenSSH immediately thereafter, and included in
the 2.3.0 release.  This may lead to some user confusion over whether
the integrated Secure Shell is vulnerabile to this attack.

Note that users running NetBSD 1.5 or NetBSD-current who have upgraded
from older releases may still have vulnerable pkgsrc packages
installed.

The NetBSD 1.5 release was intended to include the rnd(4) kernel
psuedo-device in all systems. Unfortunately, it was ommitted from the
GENERIC kernel configuration on the newsmips and luna68k ports
(only). On several other ports, an outdated comment in the GENERIC
kernel configuration file indicating the device was "experimental" was
not removed, which may have led to some users subsequently removing
the device from custom kernel configurations.

The integrated Secure Shell in NetBSD-current is based on OpenSSH
2.3.2.  As of 2001-02-14, this now requires the presence of the rnd(4)
device, and will generate an error if it is not available.  A suitable
fix to the OpenSSL library is currently under investigation.


Solutions and Workarounds
=========================

The appropriate solution depends on the NetBSD version you are
running.

  Users of NetBSD-1.5 and NetBSD-current:
  ---------------------------------------
        
   The CRC32 Compensation Attack Detector bug was fixed on October 30,
   2000 for both NetBSD-current and the NetBSD 1.5 release
   branch. The 1.5 release is not vulnerable to the buffer overflow.

   This date falls during the NetBSD 1.5 release cycle, between
   1.5_BETA and 1.5_BETA2. Any BETA users should upgrade to the
   final release before proceeding further.

   Systems running NetBSD-current dated from before October 30, 2000
   should be upgraded to NetBSD-current dated October 30, 2000 or
   later (crypto/dist/ssh/deattack.c revision 1.2).

   Users of NetBSD-1.5 and NetBSD-current should ensure that:

    * they are not still using a Secure Shell implementation from
      pkgsrc, left over from before the system was upgraded to a
      release with integrated Secure Shell. 

    * the rnd(4) device is properly configured.

   The rnd(4) kernel psuedo-device is accessed through the /dev/random
   and /dev/urandom device special files.  Ensure that these exist as
   device nodes, if not do:

     # cd /dev
     # ./MAKEDEV random

   Ensure that the kernel configuration contains the psuedo-device.
   The simplest way to verify that a running kernel has this device is
   to attempt to read a small amount of data from it, for example:

     # dd if=/dev/urandom bs=8 count=1

   If you get an error (such as "dd: /dev/urandom: Device not
   configured") you must build, install and reboot a new kernel with
   the following line in the kernel configuration file:

     pseudo-device  rnd         # /dev/random and in-kernel generator

   For more information on how to do this, see:

    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 

   (At the same time, if your configuration file still contains a
   comment about rnd being experimental, you should remove that
   comment; it is no longer relevant since NetBSD 1.5).

   NOTE: It is recommended that host and user keys that were generated
   on a system without the rnd(4) device properly configured should be
   re-generated.

  Users of pkgsrc Secure Shell implementations (NetBSD prior to 1.5):
  -------------------------------------------------------------------

   NetBSD releases prior to 1.5 do not have integrated OpenSSH in the
   main source code tree.  Instead, users of these systems will have
   installed one of several available implementations and versions
   from pkgsrc.  Some of these versions were vulnerable to the buffer
   overflow attack, and some utilise the rnd(4) device.

   These issues are summarised in the following table:

    Package name           Version     Buffer O/flow   /dev/urandom
    ------------------------------------------------------------------
    ssh (ssh.com/f-secure) <=1.2.27    vulnerable      Not Required
    ssh6 (above with IPv6) <=1.2.27    vulnerable      Not Required
    ssh                      1.2.27nb1 not vulnerable  Not Required
    ssh6                     1.2.27nb1 not vulnerable  Not Required

    openssh                <=2.2.0p1   vulnerable      Recommended
    openssh                  2.3.0p1   not vulnerable  Recommended

    fressh                   0.8       not vulnerable  Required

   Users of the ssh or ssh6 packages (The ssh.com/F-Secure freeware
   ssh, with or without IPv6 support) should upgrade to the latest
   version of these packages. The NetBSD pkgsrc collection as of
   2000-02-14 contains versions of the ssh.com 1.2.27 distribution,
   patched to avoid the buffer overflow; these are identified by an
   "nb1" suffix in the package version.

   Note that there are several other security issues with the ssh.com
   1.2.27 base code, that are not addressed by the nb1 patch.  These
   items are fixed in the ssh.com 1.2.31 release, but that version
   includes a restrictive license.  Users concerned about these issues
   should consider switching to an OpenSSH implementation instead.

   Users of the openssh package should be aware that this also
   utilises the rnd(4) device. In NetBSD 1.4.x releases, this device
   *is* experimental and may cause stability or performace issues on
   some architectures prior to NetBSD 1.4.2.  The openssh package is
   based on the OpenSSH 'p' release, which includes a better fall-back
   mechanism if rnd(4) is not present, and is recommended for users of
   pre-1.5 NetBSD systems, with or without rnd(4).

   Users of the newly-released FreSSH package should ensure that
   rnd(4) is correctly configured, it also relies on this device for
   good-quality random number generation.

   To upgrade, first make sure you have an up-to-date pkgsrc
   collection (at least as recent as 2001-02-14).  This can be
   obtained via anonymous CVS, SUP or FTP from the project servers or
   mirrors.

   If you have installed OpenSSH via package (pkgsrc/security/openssh), 
   upgrade it to 2.3.0p1.

   If you have installed ssh.com Secure Shell (pkgsrc/security/ssh),
   remove it and install pkgsrc/security/openssh, version 2.3.0p1.


Thanks To
=========

Thor Lancelot Simon for the CRC32 Compensation Attack Detector fix
from FreSSH, which was incorporated into NetBSD by Mason Loring Bliss
and into OpenSSH by Markus Friedl.

Charles Hannum for raising the OpenSSL fallback initialiser problem.
Jun-ichiro Hagino for problem analysis and fixes to the integrated
NetBSD versions, as well as editorial assistance in the preparation of
this advisory. Ignatios Souvatzis for updating and summarising status
of the pkgsrc versions.

Revision History
================

	2000-12-16	Initial Release


More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

RAZOR Bindview Advisory CAN-2001-0144, "Remote vulnerability in SSH
daemon crc32 compensation attack detector" is available at
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html.


Copyright 2001, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-003.txt,v 1.3 2001/02/16 05:57:05 dan Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOozBOz5Ru2/4N2IFAQEDJwQAhbDwwkD6lLYKXB1DFQagomDIxHD7Gbt2
IkzkIbeJasvMLvYnPAxqEmsyZuD5tA3tHrwVIVm6Nw1kH5omM2PpNdyXw50v2UUV
Jza8jvHyKNd0E88OOPRvXMDg8H1+CPs59eIJSwKLpjs30wmzncrxCUpWnNhlUSaB
YD8ljxdWASA=
=gwZy
-----END PGP SIGNATURE-----