NetBSD-Announce archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2019-005: Sysctl RNG Key Erasure

Hash: SHA1

		 NetBSD Security Advisory 2019-005

Topic:		Sysctl RNG Key Erasure

Version:	NetBSD-current:		affected prior to 2019-11-25
		NetBSD 8*:		affected
		NetBSD 7.2*:		affected
		NetBSD 7.1*:		affected

Severity:	Retroactive disclosure of cryptographic keys until reboot

Fixed:		NetBSD-current:		2019-11-25
		NetBSD-7 branch:	2019-11-25
		NetBSD-8 branch:	2019-11-25
		NetBSD-7 branch:	2019-11-25
		NetBSD-7-2 branch:	2019-11-25
		NetBSD-7-1 branch:	2019-11-25

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


The algorithm used by one of the kernel's cryptographic random number
generation interfaces, the kern.arandom sysctl, failed to erase past
states, and therefore failed to provide what is sometimes called
backtracking resistance or forward secrecy. Thus, an adversary who
could disclose kernel memory could retroactively predict past outputs
of this random number generator.

Technical Details

The sysctl node kern.arandom is designed to return uniform random bits
fit for use as cryptographic keys. The libc arc4random(3) function
uses kern.arandom to seed userland pseudorandom number generators, and
various applications may use libc arc4random(3) to generate keys. The
arc4random(3) security model asserts that:

   An attacker who has seen the library's PRNG state in memory
   cannot predict past outputs.

However, owing to a mistake in the implementation of kern.arandom, an
attacker who has disclosed the kernel PRNG state used by kern.arandom
can predict past outputs of kern.arandom, in violation of the security
property we intended to guarantee.

The problem is limited to kern.arandom, and does not affect
/dev/random, /dev/urandom, or kern.urandom.

Solutions and Workarounds

Update the kernel to a fixed version and reboot.

To apply a fixed version from a releng build, fetch a fitting
kern-GENERIC.tgz from and extract the fixed binaries:

cd /var/tmp
cd /
tar xzpf /var/tmp/kern-GENERIC.tgz

with the following replacements:
REL   = the release version you are using
ARCH  = your system's architecture

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version.

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel.
In these instructions, replace:

	ARCH     with your architecture (from uname -m), and
	KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P sys/kern/subr_cprng.c
	# ./ kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

Thanks To

Taylor `Riastradh' Campbell caused, found, and fixed the bug.

Revision History

	2019-11-26	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at

Copyright 2019, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2019-005.txt.asc,v 1.1 2019/11/26 18:35:15 christos Exp $


Home | Main Index | Thread Index | Old Index