snake-oil-security writes "Amit Klein from Trusteer has found a serious weakness in the OpenBSD PRNG (pseudorandom number generator), which allows an attacker to predict the next DNS transaction ID. The same flavor of this PRNG is used in other places like the OpenBSD kernel network stack. Interestingly enough, several other BSD operating systems copied the OpenBSD code for their own PRNG, so they're vulnerable too. This is particularly so with Apple's Mac OS X, Mac OS X Server and Darwin, but also with NetBSD, FreeBSD and DragonFlyBSD. The interesting part here is that all the above-mentioned vendors were contacted in November 2007. FreeBSD, NetBSD and DragonFlyBSD committed a fix to their respective source code trees, Apple refused to provide any schedule for such a fix, but OpenBSD decided not to fix it. OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem and that the problem is completely irrelevant in the real world. This is in direct contrast to statements and opinions made by the OpenBSD team recently."