Steve (reply to Cabal) Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166

said by Cabal: "I know people hate to comment their code, but maybe intentionally using uninitialized memory would be a good opportunity for that sort of thing."

Funny you should mention that.
Cabal (reply to deblin)

quote: "Usually it is bad to have any kind of dependency on uninitialised memory, but OpenSSL happens to include a rare case when it's OK, or even a good idea: its randomness pool. Adding uninitialised memory to it can do no harm and might do some good, which is why we do it."

I know people hate to comment their code, but maybe intentionally using uninitialized memory would be a good opportunity for that sort of thing.
deblin (reply to BeesTea)

Thanks for the info. Just stumbled upon this. Interesting point, not sure I entirely agree with it. But certainly in this case the author makes a good point.
BeesTea (reply to Steve)

That's the attack as I understand it exactly. Thanks!
Steve (reply to BeesTea)

Actually, I think this is waffling on the use of the term "predictable", because in the random-number business it normally means that given one number produced by the RNG, one can compute, guess, or derive another number (the previous or the following number in the series).

When this is the case, it means that if I am on the system at the same time you're generating your SSH keys or SSL session, the random number I get will be computationally "close" to the random number you get, so I might be able to figure yours out.

My ability to exploit this vaporizes rapidly as the time difference between when I get my number and when you get yours increases; it requires contemporaneous access to the same RNG.

But in the Debian case, it appears to be a much worse kind of predictable: it instead means that the RNG is pulling from a too-small pool of possible numbers, and though I might not be able to determine the next or prior number in the sequence, the pool of available numbers is small enough that I can attempt to brute-force the RNGs that produced it.

I have not studied the particular use of random numbers in SSL or SSH, but this looks yucky: if I know or suspect that your key came from a vulnerable Debian system, I can make a fair run at figuring out the key and can therefore decode your SSL session. And maybe even your SSH private key. I don't need to have access to your server to exploit it.

This really smells like bad news.

Edit - You could understand this problem as similar to taking a good, valid random number and using only the lower 16 bits instead of whatever the normal size is (though I doubt the actual bug is implemented this way).

Steve — who is not an expert on this area, and might be full of baloney
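A toy model of the small-pool failure Steve describes, including his "only the lower 16 bits" analogy, written as an added example in Python; it is not code from the thread, from Debian or from OpenSSL. It assumes the only input left to the generator is a process id drawn from a pool of 32768 values, uses SHA-256 as a stand-in for the crippled generator, and the names weak_keygen, sound_keygen, build_weak_key_set and audit_keys are mine. It shows why a 2^15 pool can be enumerated in full in well under a second, and how the enumerated pool doubles as a blacklist a defender can check existing keys against.

```python
import hashlib
import math
import secrets

# Assumption: 2**15 possible process ids is the whole remaining seed space.
PID_SPACE = 32768


def weak_keygen(pid: int, key_bytes: int = 16) -> bytes:
    """Stand-in for the crippled RNG: the key is a pure function of the pid.

    A real key derivation is far more involved, but the property that matters
    here is the same: same pid, same key, and only PID_SPACE pids exist.
    """
    return hashlib.sha256(b"toy-weak-rng:" + pid.to_bytes(4, "big")).digest()[:key_bytes]


def sound_keygen(key_bytes: int = 16) -> bytes:
    """Properly seeded stand-in: the OS CSPRNG, whose pool is not enumerable."""
    return secrets.token_bytes(key_bytes)


def build_weak_key_set(key_bytes: int = 16) -> set[bytes]:
    """Enumerate every key the crippled RNG can ever produce.

    This is exactly the brute force Steve describes; run by a defender it is
    a reference blacklist of keys that must be replaced.
    """
    return {weak_keygen(pid, key_bytes) for pid in range(PID_SPACE)}


def is_weak(key: bytes, weak_set: set[bytes]) -> bool:
    """True if the key lies inside the enumerable pool."""
    return key in weak_set


def audit_keys(keys: list[bytes], weak_set: set[bytes]) -> list[int]:
    """Indices of the keys that came from the crippled generator."""
    return [i for i, k in enumerate(keys) if is_weak(k, weak_set)]


def seed_entropy_bits(pool_size: int) -> float:
    """Effective entropy of a generator that can only reach pool_size outputs."""
    return math.log2(pool_size)


def truncated_pool_size(bits: int) -> int:
    """Steve's analogy: keeping only the low `bits` bits of a good random
    value leaves 2**bits candidates, however large the value started out."""
    return 1 << bits


if __name__ == "__main__":
    weak = build_weak_key_set()
    # Constructed sample: two keys from the crippled generator, two sound ones.
    sample = [weak_keygen(4242), sound_keygen(), weak_keygen(31337), sound_keygen()]
    print("pool size:", len(weak), "effective seed bits:", seed_entropy_bits(len(weak)))
    print("keys flagged as weak (indices):", audit_keys(sample, weak))
    print("pool left by a 16-bit truncation:", truncated_pool_size(16))
```

The sound keys are never flagged because a 128-bit output landing in a set of 32768 values has probability 2^15 / 2^128, which is negligible; that asymmetry is the whole point of the thread, and it is why checking a key against the enumerated pool is a reliable audit rather than a guess.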