OpenBSD PRNG DNS Cache Poisoning and Predictable IP ID Weakness

A PRNG originating in OpenBSD is prone to a weakness that exposes DNS cache-poisoning and predictable IP ID sequence issues. This issue stems from a flaw in the linear congruential generator (LCG) pseudo-random number generator (PRNG) algorithm.

An attacker may leverage this issue to manipulate DNS cache data, potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks. The attacker may also predict IP ID sequences, allowing them to perform OS fingerprinting, network idle-scanning, and potentially TCP blind data-injection attacks.

The BIND 9 server included in OpenBSD 3.3 through to 4.2 is vulnerable to this issue. The vulnerable PRNG algorithm and variants are also used in the IP ID sequence generation in OpenBSD 2.6 through to 4.2.

The vulnerable PRNG has also been ported to other operating systems, including:

Mac OS X and Mac OS X Server 10.0 through to 10.5.1
Darwin 1.0 through to 9.1
FreeBSD 4.4 through to 7.0
NetBSD 1.6.2 through to 4.0
DragonFlyBSD 1.0 through to 1.10.1.

FreeBSD, NetBSD, and DragonFlyBSD are affected only if they enable the PRNG's use through the 'net.inet.ip.random_id' sysctl to 1. This is a nondefault configuration change.

Other operating systems and versions may also be affected.


Privacy Statement
Copyright 2010, SecurityFocus