Date: Fri, 16 Feb 2001 17:34:08 +1100
From: [email protected]
To: [email protected]Subject: NetBSD Security Advisory 2001-003
Organisation: The NetBSD Foundation, Inc.
Reply-to: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2001-003
Topic: Secure Shell vulnerabilities and key generation.
Version: NetBSD 1.5_BETA (not 1.5 release), -current,
and users of some pkgsrc Secure Shell packages.
Severity: Remote root compromise, possible weak keys.
Fixed: NetBSD-current: October 30, 2000
NetBSD-1.5 branch: October 30, 2000
NetBSD pkgsrc: February 14, 2001
Abstract
========
NetBSD systems may have a number of different implementations and
versions of Secure Shell installed, either integrated with the system
or third-party packages from pkgsrc.
A recent RAZOR Bindview Advisory (CAN-2001-0144) describes a buffer
overrun vulnerability in Secure Shell daemons which may be present on
some NetBSD systems.
In addition, a system configuration flaw could result in weak key
generation on some systems.
This advisory contains information and instructions to help NetBSD
users ensure that they are running an appropriate Secure Shell and
system configuration.
Technical Details
=================
NetBSD 1.5 and NetBSD-current include an integrated Secure Shell
daemon, based on OpenSSH. NetBSD releases prior to 1.5 relied on
pkgsrc system to install third-party implementations, including
ssh.com, OpenSSH, and FreSSH.
There are two distinct vulnerabilities:
* A buffer overrun attack is present in the CRC32 Compensation
Attack Detector code added to work around a weakness in the SSHv1
protocol. This is described in the RAZOR Bindview advisory
referenced below, technical details are not repeated here.
This vulnerability could lead to remote root compromise, through
execution of arbitrary code in an overflowed buffer.
* Some NetBSD systems may not have the rnd(4) kernel randomness
generator psuedo-device configured. The OpenSSL library uses a
weak initialiser to seed its random number generator if this
device is not available.
This vulnerability could lead to compromise of cryptographic
sessions protected by keys generated through OpenSSL.
Programs that use the OpenSSL library as a source of randomness
(including key generation) will have weak random numbers as a
result. The OpenSSH code integrated into NetBSD-1.5 and
NetBSD-current uses this device (via /dev/urandom) directly as a
source of randomness to seed key generation. If it is not
available, it falls back to the OpenSSL library as an alternate
source of random input, which will in turn fail to open the device
and fall back on its weak internal initialiser. Other programs
which rely on OpenSSL will be similarly affected.
Prior to the 1.5 release, NetBSD fixed the CRC32 Compensation Attack
Detector implementation in the integrated Secure Shell daemon (based
on OpenSSH 2.2.0), but without a visible version number change. This
change was taken up by OpenSSH immediately thereafter, and included in
the 2.3.0 release. This may lead to some user confusion over whether
the integrated Secure Shell is vulnerabile to this attack.
Note that users running NetBSD 1.5 or NetBSD-current who have upgraded
from older releases may still have vulnerable pkgsrc packages
installed.
The NetBSD 1.5 release was intended to include the rnd(4) kernel
psuedo-device in all systems. Unfortunately, it was ommitted from the
GENERIC kernel configuration on the newsmips and luna68k ports
(only). On several other ports, an outdated comment in the GENERIC
kernel configuration file indicating the device was "experimental" was
not removed, which may have led to some users subsequently removing
the device from custom kernel configurations.
The integrated Secure Shell in NetBSD-current is based on OpenSSH
2.3.2. As of 2001-02-14, this now requires the presence of the rnd(4)
device, and will generate an error if it is not available. A suitable
fix to the OpenSSL library is currently under investigation.
Solutions and Workarounds
The appropriate solution depends on the NetBSD version you are
running.
Users of NetBSD-1.5 and NetBSD-current:
The CRC32 Compensation Attack Detector bug was fixed on October 30,
2000 for both NetBSD-current and the NetBSD 1.5 release
branch. The 1.5 release is not vulnerable to the buffer overflow.
This date falls during the NetBSD 1.5 release cycle, between
1.5_BETA and 1.5_BETA2. Any BETA users should upgrade to the
final release before proceeding further.
Systems running NetBSD-current dated from before October 30, 2000
should be upgraded to NetBSD-current dated October 30, 2000 or
later (crypto/dist/ssh/deattack.c revision 1.2).
Users of NetBSD-1.5 and NetBSD-current should ensure that:
* they are not still using a Secure Shell implementation from
pkgsrc, left over from before the system was upgraded to a
release with integrated Secure Shell.
* the rnd(4) device is properly configured.
The rnd(4) kernel psuedo-device is accessed through the /dev/random
and /dev/urandom device special files. Ensure that these exist as
device nodes, if not do:
# cd /dev
# ./MAKEDEV random
Ensure that the kernel configuration contains the psuedo-device.
The simplest way to verify that a running kernel has this device is
to attempt to read a small amount of data from it, for example:
# dd if=/dev/urandom bs=8 count=1
If you get an error (such as "dd: /dev/urandom: Device not
configured") you must build, install and reboot a new kernel with
the following line in the kernel configuration file:
pseudo-device rnd # /dev/random and in-kernel generator
For more information on how to do this, see:
http://www.netbsd.org/Documentation/kernel/#building_a_kernel
(At the same time, if your configuration file still contains a
comment about rnd being experimental, you should remove that
comment; it is no longer relevant since NetBSD 1.5).
NOTE: It is recommended that host and user keys that were generated
on a system without the rnd(4) device properly configured should be
re-generated.
Users of pkgsrc Secure Shell implementations (NetBSD prior to 1.5):
NetBSD releases prior to 1.5 do not have integrated OpenSSH in the
main source code tree. Instead, users of these systems will have
installed one of several available implementations and versions
from pkgsrc. Some of these versions were vulnerable to the buffer
overflow attack, and some utilise the rnd(4) device.
These issues are summarised in the following table:
Package name Version Buffer O/flow /dev/urandom
------------------------------------------------------------------
ssh (ssh.com/f-secure) <=1.2.27 vulnerable Not Required
ssh6 (above with IPv6) <=1.2.27 vulnerable Not Required
ssh 1.2.27nb1 not vulnerable Not Required
ssh6 1.2.27nb1 not vulnerable Not Required
openssh <=2.2.0p1 vulnerable Recommended
openssh 2.3.0p1 not vulnerable Recommended
fressh 0.8 not vulnerable Required
Users of the ssh or ssh6 packages (The ssh.com/F-Secure freeware
ssh, with or without IPv6 support) should upgrade to the latest
version of these packages. The NetBSD pkgsrc collection as of
2000-02-14 contains versions of the ssh.com 1.2.27 distribution,
patched to avoid the buffer overflow; these are identified by an
"nb1" suffix in the package version.
Note that there are several other security issues with the ssh.com
1.2.27 base code, that are not addressed by the nb1 patch. These
items are fixed in the ssh.com 1.2.31 release, but that version
includes a restrictive license. Users concerned about these issues
should consider switching to an OpenSSH implementation instead.
Users of the openssh package should be aware that this also
utilises the rnd(4) device. In NetBSD 1.4.x releases, this device
*is* experimental and may cause stability or performace issues on
some architectures prior to NetBSD 1.4.2. The openssh package is
based on the OpenSSH 'p' release, which includes a better fall-back
mechanism if rnd(4) is not present, and is recommended for users of
pre-1.5 NetBSD systems, with or without rnd(4).
Users of the newly-released FreSSH package should ensure that
rnd(4) is correctly configured, it also relies on this device for
good-quality random number generation.
To upgrade, first make sure you have an up-to-date pkgsrc
collection (at least as recent as 2001-02-14). This can be
obtained via anonymous CVS, SUP or FTP from the project servers or
mirrors.
If you have installed OpenSSH via package (pkgsrc/security/openssh),
upgrade it to 2.3.0p1.
If you have installed ssh.com Secure Shell (pkgsrc/security/ssh),
remove it and install pkgsrc/security/openssh, version 2.3.0p1.
Thanks To
=========
Thor Lancelot Simon for the CRC32 Compensation Attack Detector fix
from FreSSH, which was incorporated into NetBSD by Mason Loring Bliss
and into OpenSSH by Markus Friedl.
Charles Hannum for raising the OpenSSL fallback initialiser problem.
Jun-ichiro Hagino for problem analysis and fixes to the integrated
NetBSD versions, as well as editorial assistance in the preparation of
this advisory. Ignatios Souvatzis for updating and summarising status
of the pkgsrc versions.
Revision History
================
2000-12-16 Initial Release
More Information
================
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
RAZOR Bindview Advisory CAN-2001-0144, "Remote vulnerability in SSH
daemon crc32 compensation attack detector" is available at
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html.
Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2001-003.txt,v 1.3 2001/02/16 05:57:05 dan Exp $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBOozBOz5Ru2/4N2IFAQEDJwQAhbDwwkD6lLYKXB1DFQagomDIxHD7Gbt2
IkzkIbeJasvMLvYnPAxqEmsyZuD5tA3tHrwVIVm6Nw1kH5omM2PpNdyXw50v2UUV
Jza8jvHyKNd0E88OOPRvXMDg8H1+CPs59eIJSwKLpjs30wmzncrxCUpWnNhlUSaB
YD8ljxdWASA=
=gwZy
-----END PGP SIGNATURE-----