205777 CVE-2008-0299 2008-01-14 11:09 0000 dev-python/paramiko < 1.7.2 insecure use of RandomPool (CVE-2008-0299) 2008-03-03 21:43:57 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://www.lag.net/pipermail/paramiko/2008-January/000599.html B3? [glsa] P2 minor --- 1 david+gentoo@guerizec.net security@gentoo.org python@gentoo.org david+gentoo@guerizec.net 2008-01-14 11:09:12 0000 Programs using paramiko that meet _either_ (or both) of the following criteria may be vulnerable to attacks on paramiko's random number generator: 1. The program maintains multiple simultaneous paramiko connections (Transport instances) via forking or threading; or 2. The program uses certain Win32 builds of PyCrypto, where the Crypt.Util.winrandom module is missing, thus preventing the RandomPool instance from being initialized with sufficient entropy. This message deals with primarily with the first criterion. paramiko generates random numbers using a single instance of PyCrypto's RandomPool class. Unfortunately, neither paramiko nor PyCrypto ensure that: 1. after fork(), that the output of randpool.get_bytes() in the parent cannot be used to predict the output of randpool.get_bytes() in the child, or vice versa; or 2. that the state of the RandomPool instance is not corrupted by multiple threads accessing it at the same time. Consider the following Python program, which generates three separate RSA keys in three different child processes, and outputs the keys' fingerprints: # -------[ snip here ]------------------------ from paramiko import RSAKey import os import time # time.time() and time.clock() are predictable from a cryptographic standpoint, # but make them REALLY predictable for the purposes of this demonstration. class PredictableTime(object): def __init__(self): self.n = 0 def __call__(self): self.n += 1 return self.n time.time = PredictableTime() time.clock = PredictableTime() def fork_and_generate_key(): pid = os.fork() if pid != 0: # parent process os.waitpid(pid, 0) return else: # Child process k = RSAKey.generate(512) print "[PID %d] %s" % (os.getpid(), k.get_fingerprint().encode('hex')) os._exit(0) fork_and_generate_key() fork_and_generate_key() fork_and_generate_key() # -------[ snip here ]------------------------ Theoretically, each key generated using this program should be independent, regardless of whether the outputs of time.clock() and time.time() are predictable. In reality, the program's output looks something like this: [PID 18872] bff46933095489d81af86493e4e9ba2f [PID 18873] bff46933095489d81af86493e4e9ba2f [PID 18874] bff46933095489d81af86493e4e9ba2f This means that if you're using (for example) Python's SocketServer.ForkingTCPServer class to build an SSH server using paramiko, then supposedly "random" data from one session can be used to predict "random" data in another session. We could try to make a thread-safe wrapper around RandomPool, and we could provide some API to let users randomize the pool after a fork(), but that's error-prone. Also, because of a bug in PyCrypto 2.0.1 (where winrandom is not built), this would not be sufficient to fix the problem on Win32. A better thing to do would be to let the operating system generate our random numbers for us, since it is in a far better position than we are to guarantee that RNG state is not leaked or reused. The attached patch creates a new OSRandomPool class that provides a RandomPool-like interface, but gets its random numbers directly from the operating system. It also works around the recently-published Windows CryptGenRandom vulnerabilities (see http://eprint.iacr.org/2007/419). Reproducible: Always please see related thread on paramiko's mailing list archives: http://www.lag.net/pipermail/paramiko/2008-January/000599.html rbu@gentoo.org 2008-01-15 15:24:07 0000 Seems like lag.net is currently down. rbu@gentoo.org 2008-01-15 16:03:11 0000 As long as the site is down, the patch can also be found here: http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch david+gentoo@guerizec.net 2008-01-17 16:14:20 0000 A CVE seems to have been created: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0299 py@gentoo.org 2008-01-17 16:33:09 0000 (In reply to comment #2) > As long as the site is down, the patch can also be found here: > http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch > python herd, please provide an updated ebuild. david+gentoo@guerizec.net 2008-01-24 20:06:26 0000 Please note that a new paramiko release is available, fixing this issue. see http://www.lag.net/pipermail/paramiko/2008-January/000604.html jakub@gentoo.org 2008-01-24 20:38:34 0000 *** Bug 207312 has been marked as a duplicate of this bug. *** hawking@gentoo.org 2008-01-31 15:32:41 0000 paramiko-1.7.2 is in CVS. py@gentoo.org 2008-01-31 16:20:20 0000 > paramiko-1.7.2 is in CVS. Arches, please test and mark stable. Target "amd64 ~hppa ia64 ~ppc sparc x86 ~x86-fbsd" fauli@gentoo.org 2008-01-31 18:40:27 0000 x86 stable armin76@gentoo.org 2008-01-31 19:09:58 0000 ia64/sparc stable coldwind@gentoo.org 2008-02-11 00:09:56 0000 amd64 stable, closing. py@gentoo.org 2008-02-11 10:57:17 0000 please don't close security bugs... time for GLSA decision. I vote YES. jaervosz@gentoo.org 2008-02-11 18:32:14 0000 Voting YES and filing. pva@gentoo.org 2008-02-23 18:17:55 0000 Fixed in release snapshot. py@gentoo.org 2008-03-03 21:43:57 0000 GLSa 200803-07