NetBSD Intel Hardware RNG Failure Encryption Weakness

2006-04-12T05:32:54
ID OSVDB:24577
Type osvdb
Reporter Henrique de Moraes Holschuh(hmh@debian.org)
Modified 2006-04-12T05:32:54

Description

Vulnerability Description

NetBSD contains a flaw that may reduce the quality of random numbers used when encrypting data. The issue is triggered by incorrectly detecting the presence of Intel's 'pchb' random number generator when it is not in fact present. It is possible that the flaw may allow a reduction of quality of random data used by encryption mechanisms resulting in a loss of confidentiality.

Technical Description

The pchb interface is only one source of entropy in the system. Other sources of entropy will greatly mitigate the flaw.

Solution Description

Upgrade to version 2.0.4, 2.1.1, or 3.0.1 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

NetBSD contains a flaw that may reduce the quality of random numbers used when encrypting data. The issue is triggered by incorrectly detecting the presence of Intel's 'pchb' random number generator when it is not in fact present. It is possible that the flaw may allow a reduction of quality of random data used by encryption mechanisms resulting in a loss of confidentiality.

References:

Vendor Specific Advisory URL Secunia Advisory ID:19585 Keyword: NetBSD Security Advisory 2006-009 CVE-2006-1833 Bugtraq ID: 17496