OpenBSD ADD weak security

openbsd-add-weak-security (41157) The risk level is classified as Low Risk

Description:

OpenBSD and NetBSD could provide weaker than expected security, caused by a vulnerability in the pseudo random number generator (PRNG) that uses ADD with zero random hops ("Algorithm A0"), which generates predictable sequence IDs. By observing a few consecutive transaction ID values, a remote attacker could exploit this vulnerability to guess the next IP fragmentation ID or DNS transaction ID and perform DNS cache poisoning and OS fingerprinting.
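As an added illustration (not code from X-Force, OpenBSD or NetBSD), the following Python audit shows what "predictable from a few consecutive values" means in practice and how an operator can check an ID stream for it. The weak generator is a constructed toy model of a constant-step ADD generator with no random hops; it is not the actual Algorithm A0 implementation, whose details this record does not give. The check fits a constant-difference model to the last two observed 16-bit IDs and measures how often that model predicts the next one, then compares the toy generator with IDs drawn from a CSPRNG.

```python
"""Predictability audit for 16-bit ID streams (DNS TXID / IP ID sized).

Added example, not the advisory's or the projects' own code. The weak
generator below is a constructed, simplified stand-in for an ADD-style
PRNG without random hops; it is NOT the OpenBSD/NetBSD kernel algorithm.
"""
import secrets
from typing import List

MOD = 1 << 16  # DNS transaction IDs and IP fragmentation IDs are 16 bits


def weak_add_ids(seed: int, step: int, n: int) -> List[int]:
    """Constructed toy generator: next = prev + step (mod 2^16).

    Every output differs from the previous one by the same constant, so two
    observed values are enough to predict the entire future sequence.
    """
    ids, x = [], seed % MOD
    for _ in range(n):
        x = (x + step) % MOD
        ids.append(x)
    return ids


def strong_ids(n: int) -> List[int]:
    """Reference stream: IDs from the OS CSPRNG (what a fixed system should resemble)."""
    return [secrets.randbelow(MOD) for _ in range(n)]


def constant_step_hits(ids: List[int]) -> float:
    """Fraction of IDs that a constant-difference model predicts exactly.

    For each position i >= 2 the model takes diff = ids[i-1] - ids[i-2]
    (mod 2^16) and predicts ids[i] = ids[i-1] + diff. A stream from a
    constant-step ADD generator scores 1.0; a CSPRNG stream scores ~1/65536.
    """
    hits, total = 0, 0
    for i in range(2, len(ids)):
        diff = (ids[i - 1] - ids[i - 2]) % MOD
        predicted = (ids[i - 1] + diff) % MOD
        total += 1
        if predicted == ids[i]:
            hits += 1
    return hits / total if total else 0.0


def distinct_diffs(ids: List[int]) -> int:
    """Number of distinct successive differences; a healthy stream has close
    to len(ids) - 1 distinct values, a constant-step generator has exactly 1."""
    return len({(ids[i] - ids[i - 1]) % MOD for i in range(1, len(ids))})


def is_predictable(ids: List[int], threshold: float = 0.5) -> bool:
    """Flag the stream if the trivial model predicts at least `threshold` of it."""
    return constant_step_hits(ids) >= threshold


if __name__ == "__main__":
    # Constructed sample streams; in a real audit `ids` would come from
    # captured DNS queries or IP headers emitted by the host under test.
    weak = weak_add_ids(seed=12345, step=7919, n=50)
    strong = strong_ids(50)
    for name, stream in (("toy ADD generator", weak), ("CSPRNG", strong)):
        print(f"{name:18s} hit-rate={constant_step_hits(stream):.4f} "
              f"distinct-diffs={distinct_diffs(stream)} "
              f"predictable={is_predictable(stream)}")
```

The hit-rate is the operational measure: a resolver or IP stack whose IDs score near 1.0 against a two-sample model gives a remote observer the same guessing power the advisory describes, and the fix is to move ID generation onto a proper random source (which is what the referenced vendor updates do), not to widen the step.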

Platforms Affected:

  • NetBSD, NetBSD 1.6.2
  • NetBSD, NetBSD 2.0
  • NetBSD, NetBSD 2.0.1
  • NetBSD, NetBSD 2.0.2
  • NetBSD, NetBSD 2.0.3
  • NetBSD, NetBSD 2.0.4
  • NetBSD, NetBSD 2.1
  • NetBSD, NetBSD 2.1.1
  • NetBSD, NetBSD 3.0.1
  • NetBSD, NetBSD 3.0.2
  • NetBSD, NetBSD 3.1
  • NetBSD, NetBSD 3.1 rc2
  • NetBSD, NetBSD 3.1 rc1
  • NetBSD, NetBSD 4.0 beta2
  • NetBSD, NetBSD 4.0
  • NetBSD, NetBSD 4.0 beta
  • OpenBSD, OpenBSD 3.5 - 4.2

Remedy:

Apply the appropriate update for your system. See References.

Consequences:

Gain Access

References:

  • OpenBSD Web site, OpenBSD at http://www.openbsd.org/.
  • The NetBSD Project Web site, The NetBSD Project at http://www.netbsd.org/.
  • Trusteer Web site, OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability at http://www.trusteer.com/docs/dnsopenbsd.html.
  • BID-27647: OpenBSD PRNG DNS Cache Poisoning and Predictable IP ID Weakness
  • CVE-2008-1148: A certain pseudo-random number generator (PRNG) algorithm that uses ADD with 0 random hops (aka Algorithm A0), as used in OpenBSD 3.5 through 4.2 and NetBSD 1.6.2 through 4.0, allows remote attackers to guess sensitive values such as (1) DNS transaction IDs or (2) IP fragmentation IDs by observing a sequence of previously generated values. NOTE: this issue can be leveraged for attacks such as DNS cache poisoning, injection into TCP packets, and OS fingerprinting.
  • SA28819: OpenBSD DNS Server PRNG Transaction ID Vulnerability

Reported:

Feb 06, 2008

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
