-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Teun Nijssen & Don Stikvoort                Index  :    S-95-06
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          2
Subject       : Kerberos/Telnet Encryption Vulnerability    Date   :  09-Mar-95
===============================================================================

By courtesy of CERT/CC we received the following information about
vulnerabilities in Kerberized Telnet encryption, SUPERSEDING THE PREVIOUS 
AND INCOMPLETE version of this advisory:

=============================================================================
CA-95:03a                         CERT Advisory
                                  March 3, 1995
                   REVISED  Telnet Encryption Vulnerability
- -----------------------------------------------------------------------------

                   *** THIS IS A REVISED CERT ADVISORY ***
    *** A portion of the patch was accidentally omitted from Appendix B 
    in the original release of CA-95:03. This revision contains a new,
    complete Appendix B.***

The CERT Coordination Center has received reports of a serious security
problem in the Berkeley Telnet clients that provide support for the
experimental Telnet encryption option using the Kerberos V4 authentication.
All known released versions of the BSD Telnet that support Kerberos V4
authentication and encryption are affected.

We recommend that all sites that use encrypted telnet in conjunction with
Kerberos V4 obtain a patch or upgraded version of Telnet according to the
instructions in Section III below.

As we receive additional information relating to this advisory, CERT-NL will
place it, along with any clarifications, in a S-95-06.APPENDIX file. CERT-NL
advisories and their associated APPENDIX files are available at:
  ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/docs/bulletin
  http://www.nic.surfnet.nl/surfnet/security/cert-nl.html

- ---------------------------------------------------------------------------

I.   Description

     There is a vulnerability in Berkeley Telnet clients that support
     encryption and Kerberos V4 authentications. This vulnerability
     substantially reduces the effectiveness of the encryption.

II.  Impact

     Anyone who can access and read packets that make up the encrypted
     Telnet session can easily decrypt the session. This is possible, for
     example, when an intruder uses a packet sniffer on the network to
     intercept the Telnet sessions.

III. Solution

     Obtain and install the appropriate patch according to the instructions
     included with the patch.

     In Appendix A is a summary of the vendors who have reported to us and 
     the status they provided, including how to obtain patches.  This 
     information is reproduced in the APPENDIX file associated with this 
     advisory.  We will update the APPENDIX file as we receive more 
     information from vendors.
     
- ---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Theodore Ts'o of the
Massachusetts Institute of Technology for identifying and developing a
solution to this problem. We also thank Douglas Engert of Argonne National
Laboratory for pointing out the omission in our original Appendix B.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact your local 
CERT/security-team or CERT-NL.

.............................................................................

Appendix A: Vendor Information

See file S-95-06.APPENDIX for updated information.  
Issue date: March 13, 1995

Appendix B: Patch for Vulnerability in Telnet Encryption Option
Omission error corrected March 3, 1995
See file S-95-06.APPENDIX for updated information.  
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. 
SURFnet is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams 
(FIRST). 

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security 
  
In case of computer or network security problems please contact your 
local CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet 
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
   Email:     cert-nl@surfnet.nl
   Phone:     +31 302 305 305
   Fax:       +31 302 305 329
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands
   A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST
   members on request.
==============================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMML9gh68tkuRYDgtAQEp5wP7BHJ4m5cfebEecovjE2U4/MtPn6rvnCcR
17jgY8ciGwMtNqQkZ4l87RW9B+SFus0IWnCyQwBeMViX3qJ3fltaxPY+L+nxxC//
yUZN0vy/kVmOpwMa1ZQnNBHyPHv2d1DKMsAFiEI/He7nX9VPUleUoNFppDVVjpNU
9Fa4lTTzfzE=
=SRDl
-----END PGP SIGNATURE-----