North American Network Operators Group


CERT Vendor-Initiated Bulletin VB-95:04 (Wietse Venema)

  • From: CERT Bulletin
  • Date: Wed Jun 14 19:07:56 1995

CERT Vendor-Initiated Bulletin VB-95:04
June 14, 1995

Topic:  Logdaemon/FreeBSD vulnerability in S/Key
Source: Wietse Venema (wietse@wzv.win.tue.nl)

To aid in the wide distribution of essential security information, the 
CERT Coordination Center is forwarding the following information from
Wietse Venema, who urges you to act on this information as soon as possible. 
Please contact Wietse Venema if you have any questions or need further 
information.


========================FORWARDED TEXT STARTS HERE============================

A vulnerability exists in my own S/Key software enhancements.  Since
these enhancements are in wide-spread use, a public announcement is 
appropriate.  The vulnerability affects the following products:

        FreeBSD version 1.1.5.1
        FreeBSD version 2.0
        logdaemon versions before 4.9

I recommend that users of this software follow the instructions given
below in section III. 

-----------------------------------------------------------------------------

I.   Description

     An obscure oversight was found in software that I derived from
     the S/Key software from Bellcore (Bell Communications Research).
     Analysis revealed that my oversight introduces a vulnerability.

     Note: the vulnerability is not present in the original S/Key
     software from Bellcore.

II.  Impact

     Unauthorized users can gain privileges of other users, possibly
     including root.

     The vulnerability can be exploited only by users with a valid
     account. It cannot be exploited by arbitrary remote users.

     The vulnerability can affect all FreeBSD 1.1.5.1 and FreeBSD 2.0
     implementations and all Logdaemon versions before 4.9. The problem
     exists only when S/Key logins are supported (which is the default
     for FreeBSD). Sites with S/Key logins disabled are not vulnerable.

III. Solution

     Logdaemon users: 
     ================
        Upgrade to version 4.9

            URL ftp://ftp.win.tue.nl/pub/security/logdaemon-4.9.tar.gz.
            MD5 checksum 3d01ecc63f621f962a0965f13fe57ca6

        To plug the hole, build and install the ftpd, rexecd and login
        programs. If you installed the keysu and skeysh commands, these
        need to be replaced too.

     FreeBSD 1.1.5.1 and FreeBSD 2.0 users: 
     ======================================
        Retrieve the corrected files that match the system you are
        running:

            URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-1.1.5.1.tgz
            MD5 checksum bf3a8e8e10d63da9de550b0332107302

            URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-2.0.tgz
            MD5 checksum d58a17f4216c3ee9b9831dbfcff93d29

        Unpack the tar archive and follow the instructions in the
        README file.

     FreeBSD current users:  
     ======================
        Update your /usr/src/lib/libskey sources and rebuild and
        install libskey (both shared and non-shared versions).

        The vulnerability has been fixed with FreeBSD 2.0.5.

-----------------------------------------------------------------------------

S/KEY is a trademark of Bellcore (Bell Communications Research).

Wietse Venema appreciates helpful assistance with the resolution of
this vulnerability from CERT/CC; Rodney W. Grimes, FreeBSD Core Team
Member; Guido van Rooij, Philips Communication and Processing Services;
Walter Belgers.



=========================FORWARDED TEXT ENDS HERE=============================


CERT bulletins, CERT advisories, information about FIRST representatives, and
other information related to computer security are available for anonymous FTP
from info.cert.org. 

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request@cert.org.

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted.  The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).

Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA


CERT is a service mark of Carnegie Mellon University.