-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2001-003 ================================= Topic: Secure Shell vulnerabilities and key generation. Version: NetBSD 1.5_BETA (not 1.5 release), -current, and users of some pkgsrc Secure Shell packages. Severity: Remote root compromise, possible weak keys. Fixed: NetBSD-current: October 30, 2000 NetBSD-1.5 branch: October 30, 2000 NetBSD pkgsrc: February 14, 2001 Abstract ======== NetBSD systems may have a number of different implementations and versions of Secure Shell installed, either integrated with the system or third-party packages from pkgsrc. A recent RAZOR Bindview Advisory (CAN-2001-0144) describes a buffer overrun vulnerability in Secure Shell daemons which may be present on some NetBSD systems. In addition, a system configuration flaw could result in weak key generation on some systems. This advisory contains information and instructions to help NetBSD users ensure that they are running an appropriate Secure Shell and system configuration. Technical Details ================= NetBSD 1.5 and NetBSD-current include an integrated Secure Shell daemon, based on OpenSSH. NetBSD releases prior to 1.5 relied on pkgsrc system to install third-party implementations, including ssh.com, OpenSSH, and FreSSH. There are two distinct vulnerabilities: * A buffer overrun attack is present in the CRC32 Compensation Attack Detector code added to work around a weakness in the SSHv1 protocol. This is described in the RAZOR Bindview advisory referenced below, technical details are not repeated here. This vulnerability could lead to remote root compromise, through execution of arbitrary code in an overflowed buffer. * Some NetBSD systems may not have the rnd(4) kernel randomness generator psuedo-device configured. The OpenSSL library uses a weak initialiser to seed its random number generator if this device is not available. This vulnerability could lead to compromise of cryptographic sessions protected by keys generated through OpenSSL. Programs that use the OpenSSL library as a source of randomness (including key generation) will have weak random numbers as a result. The OpenSSH code integrated into NetBSD-1.5 and NetBSD-current uses this device (via /dev/urandom) directly as a source of randomness to seed key generation. If it is not available, it falls back to the OpenSSL library as an alternate source of random input, which will in turn fail to open the device and fall back on its weak internal initialiser. Other programs which rely on OpenSSL will be similarly affected. Prior to the 1.5 release, NetBSD fixed the CRC32 Compensation Attack Detector implementation in the integrated Secure Shell daemon (based on OpenSSH 2.2.0), but without a visible version number change. This change was taken up by OpenSSH immediately thereafter, and included in the 2.3.0 release. This may lead to some user confusion over whether the integrated Secure Shell is vulnerabile to this attack. Note that users running NetBSD 1.5 or NetBSD-current who have upgraded from older releases may still have vulnerable pkgsrc packages installed. The NetBSD 1.5 release was intended to include the rnd(4) kernel psuedo-device in all systems. Unfortunately, it was ommitted from the GENERIC kernel configuration on the newsmips and luna68k ports (only). On several other ports, an outdated comment in the GENERIC kernel configuration file indicating the device was "experimental" was not removed, which may have led to some users subsequently removing the device from custom kernel configurations. The integrated Secure Shell in NetBSD-current is based on OpenSSH 2.3.2. As of 2001-02-14, this now requires the presence of the rnd(4) device, and will generate an error if it is not available. A suitable fix to the OpenSSL library is currently under investigation. Solutions and Workarounds ========================= The appropriate solution depends on the NetBSD version you are running. Users of NetBSD-1.5 and NetBSD-current: --------------------------------------- The CRC32 Compensation Attack Detector bug was fixed on October 30, 2000 for both NetBSD-current and the NetBSD 1.5 release branch. The 1.5 release is not vulnerable to the buffer overflow. This date falls during the NetBSD 1.5 release cycle, between 1.5_BETA and 1.5_BETA2. Any BETA users should upgrade to the final release before proceeding further. Systems running NetBSD-current dated from before October 30, 2000 should be upgraded to NetBSD-current dated October 30, 2000 or later (crypto/dist/ssh/deattack.c revision 1.2). Users of NetBSD-1.5 and NetBSD-current should ensure that: * they are not still using a Secure Shell implementation from pkgsrc, left over from before the system was upgraded to a release with integrated Secure Shell. * the rnd(4) device is properly configured. The rnd(4) kernel psuedo-device is accessed through the /dev/random and /dev/urandom device special files. Ensure that these exist as device nodes, if not do: # cd /dev # ./MAKEDEV random Ensure that the kernel configuration contains the psuedo-device. The simplest way to verify that a running kernel has this device is to attempt to read a small amount of data from it, for example: # dd if=/dev/urandom bs=8 count=1 If you get an error (such as "dd: /dev/urandom: Device not configured") you must build, install and reboot a new kernel with the following line in the kernel configuration file: pseudo-device rnd # /dev/random and in-kernel generator For more information on how to do this, see: http://www.netbsd.org/Documentation/kernel/#building_a_kernel (At the same time, if your configuration file still contains a comment about rnd being experimental, you should remove that comment; it is no longer relevant since NetBSD 1.5). NOTE: It is recommended that host and user keys that were generated on a system without the rnd(4) device properly configured should be re-generated. Users of pkgsrc Secure Shell implementations (NetBSD prior to 1.5): ------------------------------------------------------------------- NetBSD releases prior to 1.5 do not have integrated OpenSSH in the main source code tree. Instead, users of these systems will have installed one of several available implementations and versions from pkgsrc. Some of these versions were vulnerable to the buffer overflow attack, and some utilise the rnd(4) device. These issues are summarised in the following table: Package name Version Buffer O/flow /dev/urandom ------------------------------------------------------------------ ssh (ssh.com/f-secure) <=1.2.27 vulnerable Not Required ssh6 (above with IPv6) <=1.2.27 vulnerable Not Required ssh 1.2.27nb1 not vulnerable Not Required ssh6 1.2.27nb1 not vulnerable Not Required openssh <=2.2.0p1 vulnerable Recommended openssh 2.3.0p1 not vulnerable Recommended fressh 0.8 not vulnerable Required Users of the ssh or ssh6 packages (The ssh.com/F-Secure freeware ssh, with or without IPv6 support) should upgrade to the latest version of these packages. The NetBSD pkgsrc collection as of 2000-02-14 contains versions of the ssh.com 1.2.27 distribution, patched to avoid the buffer overflow; these are identified by an "nb1" suffix in the package version. Note that there are several other security issues with the ssh.com 1.2.27 base code, that are not addressed by the nb1 patch. These items are fixed in the ssh.com 1.2.31 release, but that version includes a restrictive license. Users concerned about these issues should consider switching to an OpenSSH implementation instead. Users of the openssh package should be aware that this also utilises the rnd(4) device. In NetBSD 1.4.x releases, this device *is* experimental and may cause stability or performace issues on some architectures prior to NetBSD 1.4.2. The openssh package is based on the OpenSSH 'p' release, which includes a better fall-back mechanism if rnd(4) is not present, and is recommended for users of pre-1.5 NetBSD systems, with or without rnd(4). Users of the newly-released FreSSH package should ensure that rnd(4) is correctly configured, it also relies on this device for good-quality random number generation. To upgrade, first make sure you have an up-to-date pkgsrc collection (at least as recent as 2001-02-14). This can be obtained via anonymous CVS, SUP or FTP from the project servers or mirrors. If you have installed OpenSSH via package (pkgsrc/security/openssh), upgrade it to 2.3.0p1. If you have installed ssh.com Secure Shell (pkgsrc/security/ssh), remove it and install pkgsrc/security/openssh, version 2.3.0p1. Thanks To ========= Thor Lancelot Simon for the CRC32 Compensation Attack Detector fix from FreSSH, which was incorporated into NetBSD by Mason Loring Bliss and into OpenSSH by Markus Friedl. Charles Hannum for raising the OpenSSL fallback initialiser problem. Jun-ichiro Hagino for problem analysis and fixes to the integrated NetBSD versions, as well as editorial assistance in the preparation of this advisory. Ignatios Souvatzis for updating and summarising status of the pkgsrc versions. Revision History ================ 2000-12-16 Initial Release More Information ================ Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. RAZOR Bindview Advisory CAN-2001-0144, "Remote vulnerability in SSH daemon crc32 compensation attack detector" is available at http://razor.bindview.com/publish/advisories/adv_ssh1crc.html. Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2001-003.txt,v 1.3 2001/02/16 05:57:05 dan Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBOozBOz5Ru2/4N2IFAQEDJwQAhbDwwkD6lLYKXB1DFQagomDIxHD7Gbt2 IkzkIbeJasvMLvYnPAxqEmsyZuD5tA3tHrwVIVm6Nw1kH5omM2PpNdyXw50v2UUV Jza8jvHyKNd0E88OOPRvXMDg8H1+CPs59eIJSwKLpjs30wmzncrxCUpWnNhlUSaB YD8ljxdWASA= =gwZy -----END PGP SIGNATURE-----