oss-sec mailing list archives

FreeBSD: URGENT: RNG broken for last 4 months

From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 17 Feb 2015 23:22:12 -0700

https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html

If you are running a current kernel r273872 or later, please upgrade
your kernel to r278907 or later immediately and regenerate keys.

I discovered an issue where the new framework code was not calling
randomdev_init_reader, which means that read_random(9) was not returning
good random data.  read_random(9) is used by arc4random(9) which is
the primary method that arc4random(3) is seeded from.

This means most/all keys generated may be predictable and must be
regenerated.  This includes, but not limited to, ssh keys and keys
generated by openssl.  This is purely a kernel issue, and a simple
kernel upgrade w/ the patch is sufficient to fix the issue.

-- 
  John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

=======

I assume this needs a CVE, I know technically it didn't involve a
release but quite a few people run -current (and it's a 4 month affected
window), so if we're assigning CVE's to stuff hosted in github, then it
seems fair that this should get one.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

FreeBSD: URGENT: RNG broken for last 4 months Kurt Seifried (Feb 17)
- Re: FreeBSD: URGENT: RNG broken for last 4 months Loganaden Velvindron (Feb 17)
- Re: FreeBSD: URGENT: RNG broken for last 4 months cve-assign (Feb 18)
  - Re: FreeBSD: URGENT: RNG broken for last 4 months Kurt Seifried (Feb 18)