Bug 205777 - dev-python/paramiko < 1.7.2 insecure use of RandomPool (CVE-2008-0299)
|
Bug#:
205777
(CVE-2008-0299)
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: All
|
Status: RESOLVED
|
Severity: minor
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: david+gentoo@guerizec.net
|
|
Component: Vulnerabilities
|
|
|
URL:
http://www.lag.net/pipermail/paramiko/2008-January/000599.html
|
|
Summary: dev-python/paramiko < 1.7.2 insecure use of RandomPool (CVE-2008-0299)
|
|
Keywords:
|
|
Status Whiteboard: B3? [glsa]
|
|
Opened: 2008-01-14 11:09 0000
|
Programs using paramiko that meet _either_ (or both) of the following
criteria may be vulnerable to attacks on paramiko's random number
generator:
1. The program maintains multiple simultaneous paramiko connections
(Transport instances) via forking or threading; or
2. The program uses certain Win32 builds of PyCrypto, where the
Crypt.Util.winrandom module is missing, thus preventing the
RandomPool instance from being initialized with sufficient entropy.
This message deals with primarily with the first criterion.
paramiko generates random numbers using a single instance of PyCrypto's
RandomPool class. Unfortunately, neither paramiko nor PyCrypto ensure
that:
1. after fork(), that the output of randpool.get_bytes() in the parent
cannot be used to predict the output of randpool.get_bytes() in the
child, or vice versa; or
2. that the state of the RandomPool instance is not corrupted by
multiple threads accessing it at the same time.
Consider the following Python program, which generates three separate RSA
keys in three different child processes, and outputs the keys'
fingerprints:
# -------[ snip here ]------------------------
from paramiko import RSAKey
import os
import time
# time.time() and time.clock() are predictable from a cryptographic standpoint,
# but make them REALLY predictable for the purposes of this demonstration.
class PredictableTime(object):
def __init__(self):
self.n = 0
def __call__(self):
self.n += 1
return self.n
time.time = PredictableTime()
time.clock = PredictableTime()
def fork_and_generate_key():
pid = os.fork()
if pid != 0:
# parent process
os.waitpid(pid, 0)
return
else:
# Child process
k = RSAKey.generate(512)
print "[PID %d] %s" % (os.getpid(), k.get_fingerprint().encode('hex'))
os._exit(0)
fork_and_generate_key()
fork_and_generate_key()
fork_and_generate_key()
# -------[ snip here ]------------------------
Theoretically, each key generated using this program should be independent,
regardless of whether the outputs of time.clock() and time.time() are
predictable. In reality, the program's output looks something like this:
[PID 18872] bff46933095489d81af86493e4e9ba2f
[PID 18873] bff46933095489d81af86493e4e9ba2f
[PID 18874] bff46933095489d81af86493e4e9ba2f
This means that if you're using (for example) Python's
SocketServer.ForkingTCPServer class to build an SSH server using paramiko,
then supposedly "random" data from one session can be used to predict
"random" data in another session.
We could try to make a thread-safe wrapper around RandomPool, and we could
provide some API to let users randomize the pool after a fork(), but that's
error-prone. Also, because of a bug in PyCrypto 2.0.1 (where winrandom is
not built), this would not be sufficient to fix the problem on Win32.
A better thing to do would be to let the operating system generate our
random numbers for us, since it is in a far better position than we are to
guarantee that RNG state is not leaked or reused.
The attached patch creates a new OSRandomPool class that provides a
RandomPool-like interface, but gets its random numbers directly from the
operating system. It also works around the recently-published Windows
CryptGenRandom vulnerabilities (see http://eprint.iacr.org/2007/419).
Reproducible: Always
please see related thread on paramiko's mailing list archives:
http://www.lag.net/pipermail/paramiko/2008-January/000599.html
Seems like lag.net is currently down.
*** Bug 207312 has been marked as a duplicate of this bug. ***
paramiko-1.7.2 is in CVS.
> paramiko-1.7.2 is in CVS.
Arches, please test and mark stable. Target "amd64 ~hppa ia64 ~ppc sparc x86
~x86-fbsd"
please don't close security bugs...
time for GLSA decision. I vote YES.
Fixed in release snapshot.
