OpenBSD Downplays PRNG Vulnerability in LibreSSL

LibreSSL, the open-source implementation of the SSL/TLS protocol forked from OpenSSL, is unsafe on Linux due to a flaw in the pseudorandom number generator (PRNG), a researcher said this week. However, the OpenBSD Project, which develops LibreSSL, believes the issue has been overblown.

According to Andrew Ayer, founder of secure backup service Opsmate, the PRNG in LibreSSL is less safe than the one in OpenSSL. The expert developed a test program which he linked to both OpenSSL and LibreSSL. In each case, he made two different calls to the RAND_bytes method, but in the case of LibreSSL, the same data was retuned both times, which according to Ayer, is “a catastrophic failure of the PRNG.”

Representatives of the OpenBSD Project have confirmed that it is a real issue, but they believe it’s far from being a “catastrophe,” arguing that the test code which demonstrates the problem is “very much unlike real server code.”

“Real software just isn’t written like the test code, so it’s very difficult to find a realistic situation where PID wrap would be an issue, more so to find a way that it would be realistically exploitable. So saying this is ‘unsafe’ on Linux, while technically correct, is a bit of a stretch. A ‘catastrophe’ – well, that’s pretty far out there, especially when compared to the recent OpenSSL issues,” OpenBSD developer Bob Beck told SecurityWeek.

Ayer admits that the program he created might be unrealistic, but he points out that “attackers often find extremely creative ways to manufacture scenarios favorable for attacks, even when those scenarios are unlikely to occur under normal circumstances.”

On Wednesday, the OpenBSD Project released LibreSSL 2.0.2 portable to patch the vulnerability. OpenBSD founder Theo De Raadt told SecurityWeek that the bug has been fixed by adding an additional mechanism to detect process rollover.

“We’re happy to have issues like this found – we expect to have small issues like this crop up, we want the code out there so they can be found and we can fix them, and in this case we already have,” Beck said.

“The LibreSSL-portable releases are still being handed out as trials, precisely to get reports like this and then fix them,” De Raadt explained.

LibreSSL has been in the works since April, shortly after the existence of the OpenSSL vulnerability known as Heartbleed came to light. Over 90,000 lines of code were removed from OpenSSL in the first week, including unused code and support for older operating systems. The first release of LibreSSL portable, version 2.0.0, was made available on July 11, when the OpenBSD Project urged the community to start using it and provide feedback.

In June, Google announced its intention to fork OpenSSL to create its own security library, dubbed BoringSSL. At the time, Google and OpenBSD agreed to collaborate.