-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:33 Security Advisory FreeBSD, Inc. Topic: kerberosIV distribution contains multiple vulnerabilities under FreeBSD 3.x Category: core Module: kerberosIV Announced: 2000-07-12 Credits: Assar Westerlund Affects: FreeBSD 3.x systems prior to the correction date Corrected: 2000-07-06 FreeBSD only: NO I. Background KTH Kerberos is an implementation of the Kerberos 4 protocol which is distributed as an optional component of the base system. II. Problem Description Vulnerabilities in the MIT Kerberos 5 port were the subject of an earlier FreeBSD Security Advisory (SA-00:20). At the time it was believed that the implementation of Kerberos distributed with FreeBSD was not vulnerable to these problems, but it was later discovered that FreeBSD 3.x contained an older version of KTH Kerberos 4 which is in fact vulnerable to at least some of these vulnerabilities. FreeBSD 4.0-RELEASE and later are unaffected by this problem, although FreeBSD 3.5-RELEASE is vulnerable. The exact extent of the vulnerabilities are not known, but are likely to include local root vulnerabilities on both Kerberos clients and servers, and remote root vulnerabilities on Kerberos servers. For the client vulnerabilities, it is not necessary that Kerberos client functionality be actually configured, merely that the binaries be present on the system. III. Impact Local or remote users can obtain root access on the system running Kerberos, whether as client or server. If you have not chosen to install the KerberosIV distribution on your FreeBSD 3.x system, then your system is not vulnerable to this problem. IV. Workaround Due to the nature of the vulnerability there are several programs and network services which are affected. The following libraries and utilities are installed by the KerberosIV distribution and must be removed or replaced with non-Kerberos versions to disable all Kerberos-related code. bin/rcp (*) sbin/dump (*) sbin/restore (*) usr/bin/kadmin usr/bin/kauth usr/bin/kdestroy usr/bin/kinit usr/bin/klist usr/bin/ksrvtgt usr/bin/telnet (*) usr/bin/cvs (*) usr/bin/passwd (*) usr/bin/rlogin (*) usr/bin/rsh (*) usr/bin/su (*) usr/lib/libacl.a usr/lib/libacl_p.a usr/lib/libacl.so.3 usr/lib/libacl.so usr/lib/libkadm.a usr/lib/libkadm_p.a usr/lib/libkadm.so.3 usr/lib/libkadm.so usr/lib/libkafs.a usr/lib/libkafs_p.a usr/lib/libkafs.so.3 usr/lib/libkafs.so usr/lib/libkdb.a usr/lib/libkdb_p.a usr/lib/libkdb.so.3 usr/lib/libkdb.so usr/lib/libkrb.a usr/lib/libkrb_p.a usr/lib/libkrb.so.3 usr/lib/libkrb.so usr/lib/libtelnet.a usr/lib/libtelnet_p.a usr/libexec/kauthd usr/libexec/kipd usr/libexec/kpropd usr/libexec/telnetd (*) usr/libexec/rlogind (*) usr/libexec/rshd (*) usr/sbin/ext_srvtab usr/sbin/kadmind usr/sbin/kdb_destroy usr/sbin/kdb_edit usr/sbin/kdb_init usr/sbin/kdb_util usr/sbin/kerberos usr/sbin/kip usr/sbin/kprop usr/sbin/ksrvutil usr/sbin/kstash The files marked with a "(*)" are part of the base FreeBSD system when the Kerberos distribution is not installed, and are replaced when Kerberos is installed. Therefore you will need to replace them with non-Kerberos versions from another system, or perform a recompilation or reinstallation of FreeBSD after removal, if you wish to continue to use them. If you have chosen to install any ports with Kerberos support, such as the security/ssh port, then you should also remove, or recompile these with support disabled. As an interim measure, access control measures (either a perimeter firewall, or a local firewall on the affected machine - see the ipfw(8) manpage for more information) can be used to prevent remote systems from connecting to Kerberos services on a vulnerable Kerberos server. V. Solution Upgrade your vulnerable FreeBSD 3.x system to a version of FreeBSD dated after the correction date (FreeBSD 3.5-STABLE dated after the correction date, 4.0-RELEASE or 4.0-STABLE). See http://www.freebsd.org/handbook/makeworld.html for more information about upgrading FreeBSD from source. Be sure to install the Kerberos code when performing an upgrade (whether by source or by a binary upgrade) to ensure that the old binaries are no longer present on the system. See the note in section IV. above about recompiling ports which were compiled with Kerberos support. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOWzyeVUuHi5z0oilAQFJEwP/ZaecQhuSYfdR4ckwsDtGF86AvmRuqkTo 8A55zz2DeBUPKAVrvJAEuzM15zEL4+w+dofCep9gMAPWlgpNoNHRs4H3BLUjMiXc UpFgKDYtY/gwYXZKOLVbe4as++G2Polk+oQXrRItV1LGKbjrtjuozPRGmkwCYwOk /rUWX1tCNLI= =ysen -----END PGP SIGNATURE-----