A bug involving the Random Number Generator has been found in FreeBSD. Check out the article for more details.

The latest vulnerability-with-a-snazzy-name is YARNBUG, and it affects the most recent version of FreeBSD.

Actually, it’s not really called YARNBUG – we just made that up to stand for “Yet Another Random Number Bug.”

We’ve written about problems with randomness many times on Naked Security, because randomness is actually much more important than many people realise.

Loosely put, computer security as good as depends on randomness, and that leads to something of a paradox: it needs access to a reliable supply of completely unpredictable numbers.

For example, imagine that you encrypt the same document multiple times with the same secret key: you need to “seed” the encryption each time with a random number, or else you’ll keep getting the same encrypted output.

Even though that wouldn’t tell an attacker what’s inside the document, it would needlessly signal that the encrypted files were identical, which isn’t supposed to happen.
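The effect described above, as an added example that is not code from the original article or from FreeBSD: the same document is encrypted three times under one key, first with a fixed "seed" (nonce) and then with a fresh random one. The cipher is a toy HMAC-SHA256 counter-mode stream cipher built from the standard library, with no integrity protection; the key, document and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16

def _keystream(key, nonce, length):
    # Toy construction: keystream block i = HMAC-SHA256(key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key, plaintext, nonce=None):
    # A fresh random nonce per message is the "seed" the article refers to.
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def duplicate_groups(blobs):
    # What an observer without the key can still do: group stored
    # ciphertexts that are byte-for-byte identical.
    seen = {}
    for index, blob in enumerate(blobs):
        seen.setdefault(hashlib.sha256(blob).hexdigest(), []).append(index)
    return [group for group in seen.values() if len(group) > 1]

KEY = bytes(range(32))                      # constructed demo key
DOC = b"constructed sample document"        # constructed plaintext
FIXED_NONCE = bytes(NONCE_LEN)              # failure mode: same seed every time

unseeded = [encrypt(KEY, DOC, FIXED_NONCE) for _ in range(3)]
seeded = [encrypt(KEY, DOC) for _ in range(3)]

if __name__ == "__main__":
    print("fixed nonce, identical groups: ", duplicate_groups(unseeded))
    print("random nonce, identical groups:", duplicate_groups(seeded))
```

Both sets decrypt to the same document; only the fixed-nonce set reveals that fact to someone who holds nothing but the ciphertexts.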

Of course, whenever you need a random number, it really must be random.

If it can be guessed or predicted, even a bit, then, well, it simply isn’t random, and you’ll end up with patterns that can be anticipated in data that’s supposed to be entirely empty of meaning until it’s decrypted.

Full announcement: https://nakedsecurity.sophos.com/2015/02/19/freebsd-and-the-yarnbug-more-trouble-at-the-random-number-mill/