From owner-doc-jp@jp.freebsd.org  Mon Jul  3 23:29:12 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id XAA97032;
	Mon, 3 Jul 2000 23:29:12 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from smtp03.246.ne.jp (smtp03.246.ne.jp [210.253.192.37])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with SMTP id XAA97027
	for <doc-jp@jp.freebsd.org>; Mon, 3 Jul 2000 23:29:11 +0900 (JST)
	(envelope-from y-koga@jp.FreeBSD.org)
Received: (qmail 19921 invoked by alias); 3 Jul 2000 23:29:07 +0900
Message-ID: <20000703142907.19920.qmail@smtp.246.ne.jp>
Received: (qmail 19897 invoked from network); 3 Jul 2000 23:29:04 +0900
Received: from tp4hrb189.246.ne.jp (HELO localhost) (210.253.196.189)
  by smtp.246.ne.jp with SMTP; 3 Jul 2000 23:29:04 +0900
To: doc-jp@jp.freebsd.org
In-Reply-To: <20000620192506.1645.qmail@smtp.246.ne.jp>
References: <20000612215144.D1A3B37BBF7@hub.freebsd.org>
	<20000620192506.1645.qmail@smtp.246.ne.jp>
X-Mailer: Mew version 1.94.2 on Emacs 19.28 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Mon, 03 Jul 2000 23:29:06 +0900
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7500
Subject: [doc-jp 7500] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:25.alpha-dev-random
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: y-koga@jp.freebsd.org

$B$3$,(B:
> $BA4A3$3$J$l$F$$$J$$$7!"$H$3$m$I$3$m1QC18l$,;D$C$F$$$^$9$,!":#=5$O%V%i%C(B
> $B%7%e%"%C%W$9$k;~4V$,<h$l$J$$5$$,$9$k$N$G!"=P$7$A$c$$$^$9!#(B
> 
> $B$I$J$?$+%V%i%C%7%e%"%C%W$7$F$/$@$5$$(B (^^;;;

$BCY$/$J$j$^$7$?$,!"$O$;$Y$5$s$H:4F#$5$s$N=$@50F$rE,Ev$K:NMQ$7$F!"<+J,$J(B
$B$j$K%V%i%C%7%e%"%C%W$7$^$7$?!#$@$$$V$3$J$l$F$-$?$+$J!#(B

# What remains is FreeBSD-SA-00:23.

BEGIN------------------- from here ------------------------
 This mail is a Japanese translation of the following, which was posted
 to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:25.alpha-dev-random
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Mon, 12 Jun 2000 14:51:44 -0700 (PDT)
  Message-Id: <20000612215144.D1A3B37BBF7@hub.freebsd.org>
  X-Sequence: announce-jp 457

 The original is PGP-signed, but this Japanese translation is not. To
 perform the PGP check that confirms the patches and other contents have
 not been tampered with, refer to the original.

 The Japanese translation is provided for reference by the FreeBSD Japanese
 Documentation Project (doc-jp); doc-jp makes no guarantee whatsoever about
 its contents. Please direct inquiries about the Japanese translation to
 doc-jp@jp.FreeBSD.org.

--(from here)
=============================================================================
FreeBSD-SA-00:25                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:		FreeBSD/Alpha platform lacks kernel pseudo-random number
		generator, some applications fail to detect this.

Category:	core
Module:		kernel
Announced:	2000-06-12
Affects:	FreeBSD/Alpha prior to the correction date
Corrected:	2000-05-10 (4.0-STABLE)
		2000-04-28 (5.0-CURRENT)
FreeBSD only:	Yes

I.   $BGX7J(B - Background

The FreeBSD kernel provides a cryptographic-strength pseudo-random
number generator via the /dev/random and /dev/urandom interfaces,
which samples hardware measurements to provide a high-quality source
of "entropy" (randomness).

FreeBSD $B%+!<%M%k$O(B, /dev/random $B$*$h$S(B /dev/urandom $B%$%s%?%U%'!<%9$rDL(B
$B$8$F(B, $B0E9f$N@8@.$K;HMQ$G$-$k6/EY$r;}$D5?;wMp?tH/@84o$rDs6!$7$F$$$^$9(B.
$B$3$N5?;wMp?tH/@84o$O(B, $B%O!<%I%&%'%"E*$JB,Dj$r9T$J$$(B, $B9bIJ<A$J%(%s%H%m%T(B
$B!<(B ($BMp?t@-(B) $B8;$rDs6!$9$k$b$N$G$9(B. 

II.  $BLdBj$N>\:Y(B - Problem Description

The FreeBSD port to the Alpha platform did not provide the /dev/random
or /dev/urandom devices - this was an oversight during the development
process which was not corrected before the Alpha port "became
mainstream". FreeBSD/i386 is not affected.

FreeBSD $B$N(B Alpha $BHG$G$O(B, $B%G%P%$%9(B /dev/random $B$*$h$S(B /dev/urandom $B$,Ds(B
$B6!$5$l$F$$$^$;$s$G$7$?(B. $B$3$l$O(B, $B3+H/%W%m%;%9$K$*$1$k%_%9$G$"$j(B, Alpha 
$BHG$,3+H/$N%a%$%s%9%H%j!<%`$K<h$j9~$^$l$k$^$G$K=$@5$5$l$J$$$^$^$G$-$^$7(B
$B$?(B. FreeBSD $B$N(B i386 $BHG$K$O(B, $B$3$NLdBj$O$"$j$^$;$s(B. 

As a consequence, there is no way for Alpha systems prior to the
correction date to obtain cryptographic-strength random numbers,
unless an application "rolls its own" entropy gathering
mechanism. This in itself is not a vulnerability, although it is an
omission and a departure from the expected behaviour of a FreeBSD
system.

The actual vulnerability is that some applications fail to correctly
check for a working /dev/random and do not exit with an error if it is
not available, so this weakness goes undetected. OpenSSL 0.9.4, and
utilities based on it, including OpenSSH (both of which are included
in the base FreeBSD 4.0 system), are affected in this manner; this bug
was corrected in OpenSSL 0.9.5.
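
The check that the advisory says OpenSSL 0.9.4 did not perform, written
out as an added example (this is not code from the advisory, from FreeBSD
or from OpenSSL). It treats the entropy device as usable only if it
exists, is a character device and actually delivers a full seed, and it
contrasts the two possible reactions to failure: fail closed, which is the
behaviour the advisory expects and says 0.9.5 went on to provide, or
silently fall back, which is the behaviour the advisory describes. The
function names, the 32-byte seed size and the clock-plus-pid fallback are
this example's own assumptions.

```c
/*
 * Added example, not code from the advisory, FreeBSD or OpenSSL: the
 * "is /dev/random really there and working?" check that a key generator
 * must make before seeding a cryptographic PRNG, with fail-closed and
 * fail-open variants. Names and the seed size are this example's choices.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

#define SEED_BYTES 32

/*
 * Return 0 if `path` is a character device that delivers SEED_BYTES bytes
 * into `seed`, -1 otherwise. If `why` is non-NULL it receives the reason.
 * On a FreeBSD/Alpha system from before the correction date /dev/random is
 * simply absent, so stat() fails with ENOENT and the check fails.
 */
static int read_entropy_device(const char *path, unsigned char *seed,
                               char *why, size_t whylen)
{
    struct stat st;
    size_t total = 0;
    int fd;

    if (stat(path, &st) != 0) {
        if (why) snprintf(why, whylen, "%s: %s", path, strerror(errno));
        return -1;
    }
    /* A stray regular file at that path would satisfy a bare open(). */
    if (!S_ISCHR(st.st_mode)) {
        if (why) snprintf(why, whylen, "%s: not a character device", path);
        return -1;
    }
    fd = open(path, O_RDONLY);
    if (fd < 0) {
        if (why) snprintf(why, whylen, "%s: %s", path, strerror(errno));
        return -1;
    }
    /* A blocking device may return short reads, so loop; a device that
     * returns EOF immediately (e.g. /dev/null) fails the size check. */
    while (total < SEED_BYTES) {
        ssize_t got = read(fd, seed + total, SEED_BYTES - total);
        if (got <= 0)
            break;
        total += (size_t)got;
    }
    close(fd);
    if (total != SEED_BYTES) {
        if (why) snprintf(why, whylen, "%s: delivered %zu of %d bytes",
                          path, total, SEED_BYTES);
        return -1;
    }
    return 0;
}

/*
 * Obtain a PRNG seed. Returns 0 with a kernel-supplied seed, -1 when the
 * caller asked to fail closed and no usable device was found, or 1 when the
 * caller allowed the silent fallback: the seed is then only the clock and
 * the process id, i.e. what "goes undetected" looks like in practice.
 * `seed` may be NULL when only the verdict is wanted.
 */
static int get_prng_seed(const char *path, int fail_closed, unsigned char *seed)
{
    unsigned char tmp[SEED_BYTES];
    char why[128];
    unsigned long long t, p;
    size_t i;

    if (seed == NULL)
        seed = tmp;
    if (read_entropy_device(path, seed, why, sizeof why) == 0)
        return 0;
    if (fail_closed) {
        fprintf(stderr, "refusing to generate keys: %s\n", why);
        return -1;
    }
    /* The broken behaviour: carry on with a seed an attacker can guess. */
    t = (unsigned long long)time(NULL);
    p = (unsigned long long)getpid();
    for (i = 0; i < SEED_BYTES; i++)
        seed[i] = (unsigned char)((t >> (8 * (i % 8))) ^ (p >> (8 * (i % 4))));
    return 1;
}

int main(void)
{
    unsigned char seed[SEED_BYTES];
    int rc = get_prng_seed("/dev/random", 1, seed);

    if (rc == 0)
        printf("/dev/random usable; %d seed bytes obtained\n", SEED_BYTES);
    return rc == 0 ? 0 : 1;
}
```

Built with `cc -o randcheck randcheck.c` and run on the host in question, a
"refusing to generate keys" message and exit status 1 means the kernel has
no usable entropy device (a pre-fix FreeBSD/Alpha kernel, or any other
system in the same state), and nothing that generates keys should be run
there until step 1 of the Solution below has been applied.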

Therefore, cryptographic security systems on vulnerable FreeBSD/Alpha
systems (including OpenSSH in the base FreeBSD 4.0 system) may have
weakened strength, and cryptographic keys generated on such systems
should not be trusted.

III. $B1F6AHO0O(B - Impact

Cryptographic secrets (such as OpenSSH public/private keys) generated
on FreeBSD/Alpha systems may be much weaker than their "advertised"
strength, and may lead to data compromise to a dedicated and
knowledgeable attacker.

FreeBSD/Alpha $B>e$G@8@.$5$l$?0E9f$K$*$1$kHkL)(B (OpenSSH $B$N8x3+80$dHkL)80(B
$B$J$I(B) $B$O(B, $B8x>N$5$l$F$$$k6/EY$h$j$b$:$C$H<e$$$b$N$K$J$C$F$7$^$&4m81@-$,(B
$B$"$j$^$9(B. $B$=$N>l9g(B, $B0E9f2=$5$l$?%G!<%?$O(B, $BG&BQ6/$/CN<1$N$"$k967b<T$K2r(B
$BFI$5$l$F$7$^$&4m81$,$"$j$^$9(B. 

PGP/GnuPG keys, and keys generated by the SSH or SSH2 ports, are not
believed to be weakened since that software will correctly detect the
lack of a working /dev/random and use alternative sources of
entropy. OpenSSH and OpenSSL are currently the only known vulnerable
applications.

PGP/GnuPG $B$N80$d(B, SSH $B$^$?$O(B SSH2 $B$N(B port $B$G@8@.$5$l$?80$O(B,
/dev/random $B$,F/$+$J$$$3$H$r%=%U%H%&%'%"$,@5$7$/8!=P$7(B, $B%(%s%H%m%T!<8;(B
$B$H$7$FB>$N$b$N$r;HMQ$9$k$N$G(B, $B$3$N<eE@$O$J$$$H9M$($i$l$^$9(B. $B8=:_$N$H$3(B
$B$m(B, $B<eE@$r;}$D%"%W%j%1!<%7%g%s$H$7$F3NG'$5$l$F$$$k$N$O(B OpenSSH $B$H(B 
OpenSSL $B$@$1$G$9(B. 

IV.  $BBP1~:v(B - Workaround

None available.

V.   $B=$@5=hCV(B - Solution

Perform one of the following three options (1a, 1b or 1c), then carry out
step 2).

1a) Upgrade your FreeBSD/Alpha system to FreeBSD 4.0-STABLE after the
correction date.

1b) Install the patched 4.0-RELEASE GENERIC kernel available from:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.gz

For example, perform the following steps as root:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.gz
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.gz.asc

[ Verify the detached PGP signature using your PGP utility - consult your
utility's documentation for how to do this ]

# gunzip kernel.gz
# cp /kernel /kernel.old
# chflags noschg /kernel
# cp kernel /kernel
# chflags schg /kernel

1c) Download the kernel source patch and rebuild your FreeBSD/Alpha
kernel, as follows:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.sys.diff

Download the detached PGP signature:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.sys.diff.asc

and verify the signature using your PGP utility.

Apply the patch:

# cd /usr/src
# patch -p < /path/to/kernel.sys.diff

Rebuild your kernel as described in

http://www.freebsd.org/handbook/kernelconfig.html

and reboot with the new kernel.

NOTE: Because of the significant improvements to the FreeBSD/Alpha
platform in FreeBSD 4.0, it is not planned at this time to backport
the necessary changes to FreeBSD 3.4-STABLE.

2) Immediately regenerate, on a system corrected as in step 1, all
OpenSSH-generated SSH keys and OpenSSL-generated SSL certificates, and any
other data relying on cryptographic random numbers which was generated on
FreeBSD/Alpha systems and whose strength therefore cannot be verified.
[Note: for most systems, the only significant vulnerability is likely to
be from OpenSSH- and OpenSSL-generated keys and certificates (e.g. for SSL
webservers)]

2) OpenSSH $B$G@8@.$7$?$9$Y$F$N(B SSH $B$N80(B, OpenSSL $B$G@8@.$7$?$9$Y$F$N(B SSL 
$B>ZL@=q(B, FreeBSD/Alpha $B>e$G@8@.$5$l$?Mp?t$rMQ$$$F0E9f2=$5$l$?%G!<%?$r:F(B
$B@8@.$7$F$/$@$5$$(B. $B$=$l$i$N%G!<%?$O(B, $B?.Mj$G$-$k$@$1$N0E9f6/EY$r;}$C$F$$(B
$B$k$3$H$r8!>Z$G$-$^$;$s(B. [$BCm0U(B: $B:#2s$NLdBj$K$D$$$F(B, $BBgDq$N%7%9%F%`$G=E(B
$BBg$J<eE@$H$J$k$N$O(B, OpenSSH $B$G$*$h$S(B OpenSSL $B$G@8@.$7$?80$d>ZL@=q(B ($B$?(B
$B$H$($P(B SSL Web $B%5!<%PMQ$N(B) $B$@$1$G$"$k$H9M$($i$l$^$9(B]
END--------------------- to here ------------------------

----
Koga Youichirou
