-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:20 Security Advisory FreeBSD, Inc. Topic: krb5 port contains remote and local root exploits. Category: ports Module: krb5 Announced: 2000-05-26 Credits: Jeffrey I. Schiller Affects: Ports collection prior to the correction date Corrected: 2000-05-17 Vendor status: Patch released FreeBSD only: NO I. Background MIT Kerberos 5 is an implementation of the Kerberos 5 protocol which is available in the FreeBSD ports collection as the security/krb5 port. FreeBSD also includes separately-developed Kerberos 4 and 5 implementations from KTH, which are optionally installed as part of the base system (KTH Heimdal, the Kerberos 5 implementation, is currently considered "experimental" software). II. Problem Description The MIT Kerberos 5 port, versions 1.1.1 and earlier, contains several remote and local buffer overflows which can lead to root compromise. Note that the implementations of Kerberos shipped in the FreeBSD base system are separately-developed software to MIT Kerberos and are believed not to be vulnerable to these problems. However, a very old release of FreeBSD dating from 1997 (FreeBSD 2.2.5) did ship with a closely MIT-derived Kerberos implementation ("eBones") and may be vulnerable to attacks of the kind described here. Any users still using FreeBSD 2.2.5 and who have installed the optional Kerberos distribution are urged to upgrade to 2.2.8-STABLE or later. Note however that FreeBSD 2.x is no longer an officially supported version, nor are security fixes always provided. The krb5 port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains nearly 3300 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact Local or remote users can obtain root access on the system running krb5. If you have not chosen to install the krb5 port, then your system is not vulnerable to this problem. IV. Workaround Due to the nature of the vulnerability there are several programs and network services which are affected. If recompiling the port is not practical, please see the MIT Kerberos advisory for suggested workarounds (including the disabling or adjustment of services and removal of setuid permissions on vulnerable binaries). The advisory can be found at the following location: http://web.mit.edu/kerberos/www/advisories/krb4buf.txt V. Solution 1) Upgrade your entire ports collection and rebuild the krb5 port. A package is not provided for this port for export control reasons. 2) download a new port skeleton for the krb5 port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 3) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOS626lUuHi5z0oilAQHUWAP+LqSso3fDe+k7/6EJMc5iH9JgbrD2JARh mQOV6m9qUgZbcaEc9oUrsEJIurFGGukCAbGA82dPHGWpNFzbzL3pXgqcswVvHIqV qoZuzLyLV5+1NaurwovmXD2hQH56Cgaa+N4byxuxs+cnIbfJNF8DEYjhnPqVHc9l sP0RelxSDuk= =yPXe -----END PGP SIGNATURE-----