-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
NetBSD: Sysctl RNG Key Erasure
28 November 2019
AusCERT Security Bulletin Summary
Operating System: NetBSD
Impact/Access: Access Privileged Data -- Existing Account
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2019-005
Topic:          Sysctl RNG Key Erasure
Version:        NetBSD-current:     affected prior to 2019-11-25
                NetBSD 8*:          affected
                NetBSD 7.2*:        affected
                NetBSD 7.1*:        affected
Severity:       Retroactive disclosure of cryptographic keys until reboot
Fixed:          NetBSD-current:     2019-11-25
                NetBSD-7 branch:    2019-11-25
                NetBSD-8 branch:    2019-11-25
                NetBSD-7-2 branch:  2019-11-25
                NetBSD-7-1 branch:  2019-11-25
Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.
The algorithm used by one of the kernel's cryptographic random number
generation interfaces, the kern.arandom sysctl, failed to erase past
states, and therefore failed to provide what is sometimes called
backtracking resistance or forward secrecy. Thus, an adversary who
could disclose kernel memory could retroactively predict past outputs
of this random number generator.
The sysctl node kern.arandom is designed to return uniform random bits
fit for use as cryptographic keys. The libc arc4random(3) function
uses kern.arandom to seed userland pseudorandom number generators, and
various applications may use libc arc4random(3) to generate keys. The
arc4random(3) security model asserts that:
An attacker who has seen the library's PRNG state in memory
cannot predict past outputs.
However, owing to a mistake in the implementation of kern.arandom, an
attacker who has disclosed the kernel PRNG state used by kern.arandom
can predict past outputs of kern.arandom, in violation of the security
property we intended to guarantee.
The problem is limited to kern.arandom, and does not affect
/dev/random, /dev/urandom, or kern.urandom.
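The property described above, as an added example that is not code from the advisory or from NetBSD: a generator that keeps its key across requests next to one that replaces the key on every request. HMAC-SHA256, the class names and the seed are illustrative assumptions, not the algorithm in sys/kern/subr_cprng.c.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in PRF (assumption; not what NetBSD uses)."""
    return hmac.new(key, label, hashlib.sha256).digest()


class CounterOnlyGenerator:
    """Flawed pattern: the key is never replaced, only a counter advances."""

    def __init__(self, seed: bytes):
        self.key, self.counter = seed, 0

    def generate(self) -> bytes:
        out = prf(self.key, self.counter.to_bytes(8, "big"))
        self.counter += 1
        return out


class KeyErasureGenerator:
    """Fixed pattern: every request replaces the key with fresh PRF output."""

    def __init__(self, seed: bytes):
        self.key = seed

    def generate(self) -> bytes:
        next_key, out = prf(self.key, b"key"), prf(self.key, b"out")
        # The old key leaves the state here (kernel code would also zero it);
        # getting it back from next_key would mean inverting the PRF.
        self.key = next_key
        return out


def replay_from_leak(leaked_key: bytes, leaked_counter: int) -> list:
    """Past outputs recomputed from a disclosed CounterOnlyGenerator state."""
    return [prf(leaked_key, i.to_bytes(8, "big")) for i in range(leaked_counter)]


def demo() -> tuple:
    seed = bytes(range(32))  # constructed seed, for a reproducible run only
    weak, fixed = CounterOnlyGenerator(seed), KeyErasureGenerator(seed)
    weak_past = [weak.generate() for _ in range(4)]
    fixed_past = [fixed.generate() for _ in range(4)]
    # State as it sits in memory after the outputs were handed out.
    weak_exposed = replay_from_leak(weak.key, weak.counter) == weak_past
    # From the disclosed key one can only run forward; nothing matches the past.
    probe = KeyErasureGenerator(fixed.key)
    fixed_exposed = any(probe.generate() in fixed_past for _ in range(1000))
    return weak_exposed, fixed_exposed
```

demo() returns a pair: whether the disclosed state reproduces the earlier outputs for the counter-only generator, and whether it does so for the key-erasing one.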
Solutions and Workarounds
Update the kernel to a fixed version and reboot.
To apply a fixed version from a releng build, fetch a fitting
kern-GENERIC.tgz from nyftp.netbsd.org and extract the fixed binaries:
	tar xzpf /var/tmp/kern-GENERIC.tgz
with the following replacements:
	REL  = the release version you are using
	ARCH = your system's architecture
The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version.
For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel.
In these instructions, replace:
	ARCH with your architecture (from uname -m), and
	KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:
	# cd src
	# cvs update -d -P sys/kern/subr_cprng.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now
For more information on how to do this, see:
Taylor `Riastradh' Campbell caused, found, and fixed the bug.
2019-11-26 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
Copyright 2019, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2019-005.txt.asc,v 1.1 2019/11/26 18:35:15 christos Exp $
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----