NetBSD Problem Report #47718

From www@NetBSD.org  Fri Apr  5 19:41:32 2013
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id 3B35863F2D0
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  5 Apr 2013 19:41:32 +0000 (UTC)
Message-Id: <20130405194131.37C4063F2D0@www.NetBSD.org>
Date: Fri,  5 Apr 2013 19:41:31 +0000 (UTC)
From: rafael@trits.com.br
Reply-To: rafael@trits.com.br
To: gnats-bugs@NetBSD.org
Subject: RNG Bug May Result in Weak Cryptographic Keys (OR MEMORY CORRUPTION)
X-Send-Pr-Version: www-1.0

>Number:         47718
>Category:       security
>Synopsis:       RNG Bug May Result in Weak Cryptographic Keys (OR MEMORY CORRUPTION)
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    tls
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 05 19:45:00 +0000 2013
>Closed-Date:    Sun Jul 13 00:06:08 +0000 2014
>Last-Modified:  Sun Jul 13 00:06:08 +0000 2014
>Originator:     Rafael Werlang
>Release:        1
>Organization:
>Environment:
?
>Description:
First I want to tell you how hard I found it to report this. I tried e-mailing a couple times to security-alert@NetBSD.org but it was delivered back to me. So I will just post the e-mail content here:

Hi,

Yesterday I came across a post on Naked Security with a transcript of the problem discussed on advisory NetBSD-SA2013-003.

Looking further, both the content of the post and the advisory itself claim that the worst case scenario due to the bug is that the generated keys might get low entropy.

I find that not to be the case, as I commented on Naked Security: "If the first rnd_extract_data function call returned 13, 14 or 15 bytes of data on a 32bit processor, or even 9 up to 15 bytes on a 64bit processor, seems like data right after the memory allocated for the key would get corrupted during the second rnd_extract_data call.".

I haven't had a chance to take a deeper look at the code to figure out what memory could get corrupted.

Anyway, I think it would be appropriate to let users know that the worst case scenario, in fact, might be memory corruption, not weak cryptographic keys, so they may see it as an urgent update.


Gently,
Rafael Jacober Werlang


>How-To-Repeat:
...
>Fix:
I guess the problem is already fixed by now.

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: security-officer->tls
Responsible-Changed-By: agc@NetBSD.org
Responsible-Changed-When: Sat, 06 Apr 2013 05:08:53 +0000
Responsible-Changed-Why:
Thanks for the problem report.

I've absolutely no idea why mail sent to security-alert@netbsd.org
should get bounced, as it's a valid email address. Can you tell us
what the bounce message said, please; a copy of the header would be
useful too, thanks

I've assigned this to Thor to analyse and answer.


State-Changed-From-To: open->analyzed
State-Changed-By: tls@NetBSD.org
State-Changed-When: Wed, 10 Apr 2013 01:56:31 +0000
State-Changed-Why:
I don't see much of a problem here, compared to the major bug addressed by the advisory: we can overwrite up to 3 bytes on the current stack frame with random data, but the 3 bytes of data are *random*, not under the control of any potential attacker.  The advisory wants another revision due to several typos in my last attempt -- I'll make sure this possibility is mentioned there when the revision goes out.


From: rafael@trits.com.br
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Reply to security/47718 (RNG Bug May Result in Weak Cryptographic Keys (or memory corruption))
Date: Fri, 12 Apr 2013 19:08:01 +0000 (UTC)

 >Submitter-Id:	net
 >Originator:	Rafael Werlang
 >Organization:	
 >Confidential:	no
 >Synopsis:	Reply to security/47718 (RNG Bug May Result in Weak Cryptographic Keys (or memory corruption))
 >Severity:	non-critical
 >Priority:	low
 >Category:	security
 >Class:		sw-bug
 >Release:	x
 >Environment:	x
 >Description:
 Please forward this to tls@netbsd.org and gnats-bugs@netbsd.org. I tried e-mailing them but as I said before, your mailing system isn't working properly so I keep getting errors from your mail server.

 This is about "security/47718 (RNG Bug May Result in Weak Cryptographic Keys (or memory corruption))" as a response to tls@netbsd.org which said:


 Synopsis: RNG Bug May Result in Weak Cryptographic Keys (OR MEMORY 
 CORRUPTION)

 State-Changed-From-To: open->analyzed
 State-Changed-By: tls@NetBSD.org
 State-Changed-When: Wed, 10 Apr 2013 01:56:31 +0000
 State-Changed-Why:
 I don't see much of a problem here, compared to the major bug
 addressed by the advisory: we can overwrite up to 3 bytes on the
 current stack frame with random data, but the 3 bytes of data are
 *random*, not under the control of any potential attacker.  The
 advisory wants another revision due to several typos in my last
 attempt -- I'll make sure this possibility is mentioned there when the
 revision goes out.


 I would like to reply as follows:


 Well, it really depends on which data might get corrupted. Suppose you have a counter iterator or some boolean variable right after the key in memory, what would be the implication of a corruption in such a case?

 I agree we can overwrite up to 3 bytes on a 32bit processor, but that would be up to 7 bytes on a 64bit one.

 I also agree a potential attacker has no control over the overwriting data, but to me it seems it is possible that the app just crashes, and I am worried about how sysadmins and programmers are handling this scenario when the app crashes.


 Finally it would be great if someone could fix your mailing daemon as suggested by Martin Husemann, or at least provide me with another e-mail address, skype, or something. I am misusing this report form cause that is the only way I found to contact you guys at netbsd.org
 >How-To-Repeat:
 x
 >Fix:
 x

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: tls@NetBSD.org, rafael@trits.com.br
Subject: Re: security/47718: RNG Bug May Result in Weak Cryptographic Keys (or memory corruption)
Date: Fri, 12 Apr 2013 23:12:57 +0200

 On Fri, Apr 12, 2013 at 07:10:06PM +0000, rafael@trits.com.br wrote:
 >  Please forward this to tls@netbsd.org and gnats-bugs@netbsd.org. I
 > tried e-mailing them but as I said before, your mailing system isn't
 > working properly so I keep getting errors from your mail server.

 As I said before, it is your mailer that is broken: it creates
 a bounce immediately w/o retrying on a 4xx SMTP return code.
 Please fix it.

 Martin

State-Changed-From-To: analyzed->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 13 Jul 2014 00:06:08 +0000
State-Changed-Why:
The actual problem was already fixed when the PR came in; at this point the security
advisory is a year old and if it didn't get updated then (not sure and not worth
checking) it's too late now.
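
Added example (not part of the PR and not NetBSD source): a small C model of the overrun arithmetic discussed in this report. It assumes a 16-byte key buffer and a second extraction call that always asks for a pointer-sized length (4 or 8 bytes); both values are inferred from the byte counts quoted in the thread, and every function name is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEYLEN 16 /* assumed key size, inferred from the thread's numbers */
#define SLACK   8 /* sentinel bytes standing in for whatever follows the key */

/* Hypothetical extractor: always delivers exactly len bytes (0xAA here; the
 * real data would be random, so the damage is not attacker-chosen). */
static void fake_extract(uint8_t *dst, size_t len) { memset(dst, 0xAA, len); }

/* First call delivered r bytes; second call asks for second_len at key + r.
 * Returns the number of sentinel bytes past the key that were overwritten. */
static size_t bytes_past_key(size_t r, size_t second_len)
{
    uint8_t frame[KEYLEN + SLACK]; /* key followed by sentinels, one array */
    size_t i, over = 0;

    if (r > KEYLEN || second_len > SLACK + (KEYLEN - r))
        return (size_t)-1;         /* outside what this model can hold */
    memset(frame, 0, sizeof(frame));
    fake_extract(frame, r);
    fake_extract(frame + r, second_len);
    for (i = KEYLEN; i < sizeof(frame); i++)
        over += (frame[i] != 0);
    return over;
}

/* Flawed shape (assumed): length is the pointer width, whatever r was. */
size_t flawed_overrun(size_t r, size_t ptr_width)
{
    return bytes_past_key(r, ptr_width);
}

/* Corrected shape: request only the space left in the key buffer. */
size_t fixed_overrun(size_t r) { return bytes_past_key(r, KEYLEN - r); }

int main(void)
{
    for (size_t r = 8; r < KEYLEN; r++)
        printf("r=%2zu  32-bit:%zu  64-bit:%zu  fixed:%zu\n", r,
               flawed_overrun(r, 4), flawed_overrun(r, 8), fixed_overrun(r));
    return 0;
}
```

The non-zero rows match the ranges stated in the report: 13 to 15 for a 4-byte pointer and 9 to 15 for an 8-byte pointer.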


>Unformatted:
