From owner-freebsd-security Wed Jun 14 20:07:45 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id UAA17173 for security-outgoing; Wed, 14 Jun 1995 20:07:45 -0700
Received: from aries.ibms.sinica.edu.tw ([140.109.40.248]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id UAA17161 for ; Wed, 14 Jun 1995 20:07:39 -0700
Received: (from taob@localhost) by aries.ibms.sinica.edu.tw (8.6.11/8.6.9) id LAA02848; Thu, 15 Jun 1995 11:07:11 +0800
Date: Wed, 14 Jun 1995 18:57:17 -0400
Message-Id: <199506142257.SAA03643@why.cert.org>
From: CERT Bulletin
To: cert-advisory@cert.org
Subject: CERT Vendor-Initiated Bulletin VB-95:04 (Wietse Venema)
Reply-To: cert-advisory-request@cert.org
Organization: CERT Coordination Center - 412-268-7090
content-length: 4638
ReSent-Date: Thu, 15 Jun 1995 11:07:04 +0800 (CST)
ReSent-From: Brian Tao
ReSent-To: FREEBSD-SECURITY-L
ReSent-Message-ID:
Sender: security-owner@freebsd.org
Precedence: bulk

CERT Vendor-Initiated Bulletin VB-95:04
June 14, 1995

Topic:  Logdaemon/FreeBSD vulnerability in S/Key
Source: Wietse Venema (wietse@wzv.win.tue.nl)

To aid in the wide distribution of essential security information, the
CERT Coordination Center is forwarding the following information from
Wietse Venema, who urges you to act on this information as soon as
possible. Please contact Wietse Venema if you have any questions or need
further information.

========================FORWARDED TEXT STARTS HERE============================

A vulnerability exists in my own S/Key software enhancements. Since
these enhancements are in wide-spread use, a public announcement is
appropriate. The vulnerability affects the following products:

    FreeBSD version 1.1.5.1
    FreeBSD version 2.0
    logdaemon versions before 4.9

I recommend that users of this software follow the instructions given
below in section III.

-----------------------------------------------------------------------------

I. Description

An obscure oversight was found in software that I derived from the
S/Key software from Bellcore (Bell Communications Research). Analysis
revealed that my oversight introduces a vulnerability.

Note: the vulnerability is not present in the original S/Key software
from Bellcore.

II. Impact

Unauthorized users can gain privileges of other users, possibly
including root.

The vulnerability can be exploited only by users with a valid account.
It cannot be exploited by arbitrary remote users.

The vulnerability can affect all FreeBSD 1.1.5.1 and FreeBSD 2.0
implementations and all Logdaemon versions before 4.9. The problem
exists only when S/Key logins are supported (which is the default for
FreeBSD). Sites with S/Key logins disabled are not vulnerable.

III. Solution

Logdaemon users:
================

Upgrade to version 4.9

    URL          ftp://ftp.win.tue.nl/pub/security/logdaemon-4.9.tar.gz.
    MD5 checksum 3d01ecc63f621f962a0965f13fe57ca6

To plug the hole, build and install the ftpd, rexecd and login
programs. If you installed the keysu and skeysh commands, these need
to be replaced too.

FreeBSD 1.1.5.1 and FreeBSD 2.0 users:
======================================

Retrieve the corrected files that match the system you are running:

    URL          ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-1.1.5.1.tgz
    MD5 checksum bf3a8e8e10d63da9de550b0332107302

    URL          ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-2.0.tgz
    MD5 checksum d58a17f4216c3ee9b9831dbfcff93d29

Unpack the tar archive and follow the instructions in the README file.

FreeBSD current users:
======================

Update your /usr/src/lib/libskey sources and rebuild and install
libskey (both shared and non-shared versions).

The vulnerability has been fixed with FreeBSD 2.0.5.

-----------------------------------------------------------------------------

S/KEY is a trademark of Bellcore (Bell Communications Research).

Wietse Venema appreciates helpful assistance with the resolution of
this vulnerability from CERT/CC; Rodney W. Grimes, FreeBSD Core Team
Member; Guido van Rooij, Philips Communication and Processing Services;
Walter Belgers.

=========================FORWARDED TEXT ENDS HERE=============================

CERT bulletins, CERT advisories, information about FIRST representatives,
and other information related to computer security are available for
anonymous FTP from info.cert.org.

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce.

If you would like to have future advisories and bulletins mailed to you
or to a mail exploder at your site, please send mail to
cert-advisory-request@cert.org.

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted. The CERT Coordination Center can support a shared DES key,
PGP (public key available via anonymous FTP on info.cert.org), or PEM
(contact CERT staff for details).

Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA

CERT is a service mark of Carnegie Mellon University.
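
Section III publishes an MD5 checksum for each fix archive. As an added example (not part of the bulletin or of Wietse Venema's software), this shell script checks a downloaded archive against those published values before it is unpacked; the function names are hypothetical, and it assumes either `md5sum` or BSD `md5` is installed.

```shell
#!/bin/sh
# Added example: check downloaded fix archives against the MD5 values in VB-95:04.

# Checksums as published in section III of the bulletin (file name, MD5).
BULLETIN_SUMS='logdaemon-4.9.tar.gz 3d01ecc63f621f962a0965f13fe57ca6
libskey-1.1.5.1.tgz bf3a8e8e10d63da9de550b0332107302
libskey-2.0.tgz d58a17f4216c3ee9b9831dbfcff93d29'

# Print the lowercase hex MD5 of a file, using whichever tool is installed.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "no md5 tool found" >&2
        return 2
    fi
}

# Look up the published checksum for a file name; empty output if not listed.
expected_md5() {
    printf '%s\n' "$BULLETIN_SUMS" | awk -v f="$1" '$1 == f {print $2}'
}

# verify_archive PATH [EXPECTED]: 0 = match, 1 = mismatch, 2 = cannot check.
# EXPECTED defaults to the bulletin's value for the file's base name.
verify_archive() {
    path=$1
    want=${2:-$(expected_md5 "$(basename "$path")")}
    [ -r "$path" ] || { echo "unreadable: $path" >&2; return 2; }
    [ -n "$want" ] || { echo "no published checksum for $path" >&2; return 2; }
    got=$(md5_of "$path") || return 2
    if [ "$got" = "$want" ]; then
        echo "OK       $path"
    else
        echo "MISMATCH $path (got $got, want $want)" >&2
        return 1
    fi
}

# Usage: sh verify.sh libskey-2.0.tgz   (unpack only when it prints OK)
for f in "$@"; do verify_archive "$f" || exit $?; done
```

MD5 is the digest the 1995 bulletin publishes; it catches a corrupted or mismatched download relative to these values but is no longer collision-resistant.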