Bug 94762

Summary: Insecure randomness usage for nonce
Product: dbus Reporter: Michael McConville <mmcco>
Component: GLibAssignee: D-Bus Maintainers <dbus>
Status: RESOLVED NOTOURBUG QA Contact: D-Bus Maintainers <dbus>
Severity: normal    
Priority: medium    
Version: git master   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Michael McConville 2016-03-31 00:21:13 UTC
There are a few randomness-supplying functions in gio/gdbusauthmechanismsha1.c such as random_blob(), random_ascii(), and random_ascii_string(). They are used for cryptographic nonces and similarly security-relevant values. They all back up to GLib's g_random_int() interface, which uses a simple Mersenne twister and therefore supplies distinctly insecure randomness. The API docs warn about this.

I discussed this with the devs on security@gnome.org, who believe that it's definitely a bug but not a critical problem.

I won't go into details about the danger of each usage because I'm confident that the easiest and most robust solution is to make DBus only use secure randomness.

There are at least a couple other problematic uses in GLib. Some may be in DBus - I'll look back at my notes soon and report as needed. However, this audit will hopefully lead to improvement or replacement of GLib's RNG. In that case, uses won't need to be audited on a per-case basis.
Comment 1 Simon McVittie 2016-03-31 10:30:05 UTC
(In reply to Michael McConville from comment #0)
> There are a few randomness-supplying functions in
> gio/gdbusauthmechanismsha1.c such as random_blob(), random_ascii(), and
> random_ascii_string().

dbus (a software package) is the reference implementation of D-Bus (a protocol), and also the home for the D-Bus specification.

GLib's GDBus component is a compatible reimplementation of D-Bus, whose bugs are not tracked here. Please report GDBus bugs to bugzilla.gnome.org instead.

The D-Bus protocol specification does not require any particular implementation of anything that is described as random.

> I won't go into details about the danger of each usage because I'm confident
> that the easiest and most robust solution is to make DBus only use secure
> randomness.

The equivalent issues in dbus (the reference implementation) are Bug #90414, and I believe they were all fixed before 1.10 (current stable branch).

Mitigation: GDBus is normally used as a client, to connect to a dbus-daemon provided by dbus. In versions of dbus since 1.10, the Unix dbus-daemon only allows EXTERNAL authentication by default; so if these random numbers are predictable, it would only be attackable on custom buses or on Windows.
Comment 2 Michael McConville 2016-04-16 21:33:46 UTC
> > I won't go into details about the danger of each usage because I'm confident
> > that the easiest and most robust solution is to make DBus only use secure
> > randomness.
> 
> The equivalent issues in dbus (the reference implementation) are Bug #90414,
> and I believe they were all fixed before 1.10 (current stable branch).
> 
> Mitigation: GDBus is normally used as a client, to connect to a dbus-daemon
> provided by dbus. In versions of dbus since 1.10, the Unix dbus-daemon only
> allows EXTERNAL authentication by default; so if these random numbers are
> predictable, it would only be attackable on custom buses or on Windows.

"This is only exploitable on weird configurations or the operating system with 80% desktop market share" doesn't seem like much of a mitigation for Windows users.
Comment 3 Simon McVittie 2016-04-18 11:24:26 UTC
I am not arguing that the instance of this in libdbus wasn't a bug: it was, and we fixed it (Bug #90414).

I am also not arguing that the instance of this in GDBus isn't a bug. However, GDBus is part of GLib; GLib bugs are not tracked on bugs.freedesktop.org, and most GLib and GDBus developers will not see your messages here. Please open a similar bug report on https://bugzilla.gnome.org/ if you have not already done so.

(In reply to Michael McConville from comment #2)
> "This is only exploitable on weird configurations or the operating system
> with 80% desktop market share" doesn't seem like much of a mitigation for
> Windows users.

I didn't say it was, but "not much of a mitigation" is still some mitigation. The majority of those 80% don't have or use D-Bus, whereas the majority of Linux installations do, so in fact it's a significant effect on the proportion of D-Bus users that are affected.

Windows does not have AF_UNIX sockets or credentials-passing, which unfortunately makes it something of a second-class citizen in D-Bus. D-Bus was primarily designed for Unix systems and ported to Windows later, and the model of how IPC is expected to work on Windows just doesn't match how things work on Unix very well.
Comment 4 Michael McConville 2016-04-19 01:17:28 UTC
Hi, Simon.

Sorry for being snarky in my last comment. It was impulsive and I wasn't trying to start an argument. I agree that Windows support is a headache and that open source projects should feel comfortable making a lesser priority.

The reason for my frustration is that I was hoping the GNOME security team would address the randomness weaknesses more proactively. I don't develop GNOME/GLib/GTK software and I don't use it much either, so it takes a good deal of time to triage, fix, test, and submit all of the risky g_rand*() uses I found. I understand that you guys are probably as busy as I am, though.

Thanks for your time,
Mike
Comment 5 Simon McVittie 2016-04-19 11:03:25 UTC
(In reply to Michael McConville from comment #4)
> I was hoping the GNOME security team
> would address the randomness weaknesses more proactively.

That's fine, but you are not expressing this hope in a particularly useful place by posting it here. An analogy: Microsoft publish a HTTP server, and Apache publish another HTTP server which is arguably more popular, but you wouldn't ask Microsoft to fix a problem with their HTTP server by reporting it to the Apache bug tracker :-)
Comment 6 Thiago Macieira 2016-04-19 15:26:11 UTC
(In reply to Michael McConville from comment #2)
> "This is only exploitable on weird configurations or the operating system
> with 80% desktop market share" doesn't seem like much of a mitigation for
> Windows users.

By the way, desktop market share is not a valid metric, considering D-Bus is used on servers and embedded/mobile devices too.If you take all of those devices together, I'd venture Windows's market share drops to below 25%.

Still, Simon is right: this is the wrong place to talk about GDBus issues. Their developers are not reading this bugzilla. Thank you for your report and your investigation. To complete it, please file it at bugzilla.gnome.org.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.