Vigil@nce: FreeBSD, predictability of arc4random
December 2008 by Vigil@nce
During the five minutes after boot, the FreeBSD kernel uses
predictable random bytes.
– Gravity: 2/4
– Consequences: privileged access/rights, data reading, data
creation/edition
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 25/11/2008
IMPACTED PRODUCTS
– FreeBSD
DESCRIPTION
The FreeBSD kernel uses two random generators:
– arc4random based on RC4
– Yarrow based on SHA-1
User applications (/dev/(u)random) use Yarrow.
However, the arc4random generator is not correctly initialized.
The first 64k generated bytes are thus predictable (they are
generally consumed during the first 300 seconds after boot).
The following kernel features therefore use predictable random bytes:
– GEOM ELI (onetime keys)
– GEOM shsec
– 802.11 (WEP initial vector)
– IPv4/IPv6/TCP/UDP (Initial Sequence Number, source port, IP ID)
– kernel RPC
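The failure mode described above, as an added example that is neither FreeBSD's code nor part of the Vigil@nce advisory: a toy RC4 generator keyed from a fixed state at boot and re-keyed only after 64k bytes of output, beside the hardened variant that keys from entropy before handing out its first byte. The fixed 'boot' key, the per-boot entropy bytes and the re-key-at-64k rule are constructed assumptions that model what the advisory states, not FreeBSD internals.

```c
#include <stdint.h>
#include <stdio.h>
/* Added example, not FreeBSD's code: a toy model of a kernel arc4random that is
 * keyed at boot and only re-keyed once RESEED_BYTES of output have been drawn. */
#define RESEED_BYTES (64 * 1024)
#define SWAP(a, b) do { uint8_t t_ = (a); (a) = (b); (b) = t_; } while (0)
typedef struct { uint8_t S[256], i, j; } rc4_t;
static void rc4_key(rc4_t *r, const uint8_t *key, size_t klen) { /* RC4 KSA */
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) r->S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + r->S[k] + key[k % klen]);
        SWAP(r->S[k], r->S[j]);
    }
    r->i = r->j = 0;
}
static uint8_t rc4_byte(rc4_t *r) { /* RC4 PRGA: one keystream byte */
    r->i = (uint8_t)(r->i + 1);
    r->j = (uint8_t)(r->j + r->S[r->i]);
    SWAP(r->S[r->i], r->S[r->j]);
    return r->S[(uint8_t)(r->S[r->i] + r->S[r->j])];
}
/* One simulated boot. 'entropy' stands in for bytes the pool can only supply
 * after gathering something (constructed). seed_early=0 keys from a fixed state
 * and re-keys after RESEED_BYTES (the flaw); seed_early=1 keys from entropy first. */
static void boot_stream(uint8_t *out, size_t n, uint8_t entropy, int seed_early) {
    static const uint8_t fixed[] = { 'b', 'o', 'o', 't' }; /* same on every boot */
    rc4_t r;
    if (seed_early) rc4_key(&r, &entropy, 1); else rc4_key(&r, fixed, sizeof fixed);
    for (size_t k = 0; k < n; k++) {
        if (!seed_early && k == RESEED_BYTES) rc4_key(&r, &entropy, 1);
        out[k] = rc4_byte(&r);
    }
}
/* Leading bytes two boots share: what someone who knows the fixed boot state can predict. */
static size_t shared_prefix(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t k = 0;
    while (k < n && a[k] == b[k]) k++;
    return k;
}
static size_t demo_prefix(int seed_early) { /* two boots, different entropy */
    static uint8_t a[RESEED_BYTES + 4096], b[RESEED_BYTES + 4096];
    boot_stream(a, sizeof a, 0x11, seed_early);
    boot_stream(b, sizeof b, 0x22, seed_early);
    return shared_prefix(a, b, sizeof a);
}
int main(void) {
    printf("fixed key at boot, re-key at 64k: %zu predictable bytes\n", demo_prefix(0));
    printf("keyed from entropy at boot:       %zu predictable bytes\n", demo_prefix(1));
}
```

With the flawed seeding the two boots agree on all of the first 64k bytes and diverge only after the re-key; with entropy taken before the first byte they diverge almost immediately.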
CHARACTERISTICS
– Identifiers: BID-32447, CVE-2008-5162, FreeBSD-SA-08:11.arc4random,
VIGILANCE-VUL-8268
– Url: http://vigilance.fr/vulnerability/8268