F-Secure
Tools
FreeBSD "arc4random()" Insufficient Entropy Sources Security Issue
| Report ID: | SA32871 |
| Source: | Secunia |
| Date of Discovery: | 25.11.2008 |
| Criticality: | Low |
| Affects: | FreeBSD 6.x |
| Compromise From: | From remote |
| Compromise Type: | Brute force |
Summary
A security issue, which can be exploited by malicious people to conduct brute force attacks.
Detailed Description
A security issue, which can be exploited by malicious people to conduct brute force attacks.
The security issue is caused due to the "arc4random()" function using insufficiently random entropy sources within the first 5 minutes after starting the boot process or until collecting enough random data. This weakens applications and processes relying on the security of "arc4random()" (e.g. when creating IVs for WEP, creating IP packet identifiers, kernel RPC transaction identifiers, and within GEOM ELI and GEOM shsec providers).
The security issue is caused due to the "arc4random()" function using insufficiently random entropy sources within the first 5 minutes after starting the boot process or until collecting enough random data. This weakens applications and processes relying on the security of "arc4random()" (e.g. when creating IVs for WEP, creating IP packet identifiers, kernel RPC transaction identifiers, and within GEOM ELI and GEOM shsec providers).
Solution
Update FreeBSD or apply patches.
Note: GEOM shsec providers created within the vulnerable time period have to be recreated after patching the system.
2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)
FreeBSD 6.x:
http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch
FreeBSD 7.x:
fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch
Note: GEOM shsec providers created within the vulnerable time period have to be recreated after patching the system.
2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)
FreeBSD 6.x:
http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch
FreeBSD 7.x:
fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch
CVE Reference
CVE-2008-5162