From owner-freebsd-security Sat Feb 17 14:08:21 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id OAA01970 for security-outgoing; Sat, 17 Feb 1996 14:08:21 -0800 (PST) Received: from umbc7.umbc.edu (pauld@f-umbc7.umbc.edu [130.85.3.7]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id OAA01961 for ; Sat, 17 Feb 1996 14:08:09 -0800 (PST) Received: (from pauld@localhost) by umbc7.umbc.edu (8.6.12/Umbc) id RAA19739; Sat, 17 Feb 1996 17:08:08 -0500 Date: Sat, 17 Feb 1996 17:08:08 -0500 (EST) From: Paul Danckaert To: freebsd-security@FreeBSD.org Subject: Kerberos Insecurities (COAST Announcement) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org Precedence: bulk Does anybody know if this effects the ebones-based kerberos package? If so, is there any info on a bug-fix? Thanks, paul --- From: COAST To: COAST Watch Date: Fri, 16 Feb 1996 20:09:36 -0500 (EST) We were going to announce this later, but events have changed that. Please don't contact us asking for the gory details -- we'll be releasing a paper on this after MIT and the vendors publish their fix(es). --spaf -----BEGIN PGP SIGNED MESSAGE----- Personnel at the COAST Laboratory (Computer Operations, Audit, and Security Technology) at Purdue University have discovered some unexepected weaknesses in the Kerberos security system. Graduate students Steve Lodin and Bryn Dole, working with Professor Eugene Spafford, have discovered a method whereby someone without privileged access to most implementations of a Kerberos 4 server can nonetheless break secret session keys issued to users. This means that it is possible to gain unauthorized access to distributed services available to a user without knowing that user's password. This method has been demonstrated to work in under 5 minutes, on average, using a typical workstation, and sometimes as quickly as 12 seconds. The Kerberos system was developed at MIT in the mid-1980s, and has been widely adopted for security in distributed systems worldwide. Kerberos is most often used on UNIX platforms by various vendors, and is often enhanced, sold and supported by 3rd-party vendors for use in academic, government, and commercial environments. The same researchers at COAST have also found a small, theoretical weakness in Kerberos version 5 that would allow similar access, given some additional information and considerable preliminary computation. Kerberos version 5 does not exhibit the same weakness as described above for Kerberos version 4. The researchers at COAST had intended to release the specific details of the problem to affected vendors and incident response teams during the week of February 19, prior to making a public announcement of their findings. However, as rumors have begun to circulate and several representatives of the news media have apparently received indication of the problem, we are releasing this preliminary announcement at this time. Government and industry sponsors of the COAST Laboratory were made aware of the preliminary details of these findings in January (full sponsors receive early notification of significant discoveries as a result of COAST research). Other affiliates of COAST as well as the world-wide network of FIRST computer incident response teams were made aware of the general nature of the findings during the week of February 5. The original plan at COAST was to release specific details only to FIRST (Forum of Incident Response and Security Teams) teams and to MIT prior to announcement by affected vendors of a fix for these weaknesses. The flaw in Kerberos version 4 is significant enough that disclosure of its details prior to a fix would allow someone with moderate programming skills to exploit it; there is currently no reason to believe that others know the details of the flaw and are exploiting it, so there is no immediate danger to the public that would warrant release of the details at this time. COAST personnel have been informed that MIT has already developed a fix for the flaw in version 4 Kerberos and is preparing it for release. Additionally, COAST researchers are cooperating with MIT personnel to identify what (if any) fixes are necessary for version 5 Kerberos. Users of either version of Kerberos should contact their vendors for details of any fixes that may be made available; vendors of products incorporating Kerberos should contact MIT directly for details of the problems and fixes. COAST is a research group of faculty and students dedicated to research into information security and computer crime investigation, and education in computer and network security. It is the largest such university-based group in the United States. Information on COAST may be found on the WWW at http://www.cs.purdue.edu/coast Information on FIRST teams may be found on the WWW at http://www.first.org Information on MIT's Kerberos may be found on the WWW at ftp://athena-dist.mit.edu/pub/kerberos/doc/KERBEROS.FAQ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Key @ ftp://ftp.cs.purdue.edu/pub/spaf/pers/pgpkey.asc iQCVAwUBMSUnIspvK4P8DALVAQFhEwP6Aojp7tclxnOcodaY6st4Ej2UUglWqEyb aFMl+WeNWSnC/HR0S/Jjxya/jLsEnXBn38EwplAl102HvbY68MLv08WnBdnejUYZ kCCtQ2mTsuC8L3YNYOqI/8P5y8vNx9s7pytHP0GczBA/vxuXvUOf6m976lIjleqn 6ZLnOM2CHjc= =K1IP -----END PGP SIGNATURE----- ------- End of Forwarded Message