-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Nico de Koo                               Index  : S-95-13
Distribution  : World                                     Page   : 1
Classification: External                                  Version: 1
Subject       : Logdaemon/FreeBSD vulnerability in S/Key  Date   : 15-Jun-95
===============================================================================

CERT-NL received the following bulletin, issued by CERT as:

CERT Vendor-Initiated Bulletin VB-95:04
June 14, 1995

Topic:  Logdaemon/FreeBSD vulnerability in S/Key
Source: Wietse Venema (wietse@wzv.win.tue.nl)

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Wietse
Venema, who urges you to act on this information as soon as possible. Please
contact Wietse Venema if you have any questions or need further information.

========================FORWARDED TEXT STARTS HERE============================

A vulnerability exists in my own S/Key software enhancements. Since these
enhancements are in wide-spread use, a public announcement is appropriate.
The vulnerability affects the following products:

    FreeBSD version 1.1.5.1
    FreeBSD version 2.0
    logdaemon versions before 4.9

I recommend that users of this software follow the instructions given below
in section III.

- -----------------------------------------------------------------------------

I.   Description

     An obscure oversight was found in software that I derived from the
     S/Key software from Bellcore (Bell Communications Research). Analysis
     revealed that my oversight introduces a vulnerability.

     Note: the vulnerability is not present in the original S/Key software
     from Bellcore.

II.  Impact

     Unauthorized users can gain privileges of other users, possibly
     including root.

     The vulnerability can be exploited only by users with a valid account.
     It cannot be exploited by arbitrary remote users.

     The vulnerability can affect all FreeBSD 1.1.5.1 and FreeBSD 2.0
     implementations and all Logdaemon versions before 4.9. The problem
     exists only when S/Key logins are supported (which is the default for
     FreeBSD). Sites with S/Key logins disabled are not vulnerable.

III. Solution

     Logdaemon users:
     ================

     Upgrade to version 4.9

         URL ftp://ftp.win.tue.nl/pub/security/logdaemon-4.9.tar.gz.
         MD5 checksum 3d01ecc63f621f962a0965f13fe57ca6

     To plug the hole, build and install the ftpd, rexecd and login
     programs. If you installed the keysu and skeysh commands, these need
     to be replaced too.

     FreeBSD 1.1.5.1 and FreeBSD 2.0 users:
     ======================================

     Retrieve the corrected files that match the system you are running:

         URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-1.1.5.1.tgz
         MD5 checksum bf3a8e8e10d63da9de550b0332107302

         URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-2.0.tgz
         MD5 checksum d58a17f4216c3ee9b9831dbfcff93d29

     Unpack the tar archive and follow the instructions in the README file.

     FreeBSD current users:
     ======================

     Update your /usr/src/lib/libskey sources and rebuild and install
     libskey (both shared and non-shared versions).

     The vulnerability has been fixed with FreeBSD 2.0.5.

- -----------------------------------------------------------------------------

S/KEY is a trademark of Bellcore (Bell Communications Research).

Wietse Venema appreciates helpful assistance with the resolution of this
vulnerability from CERT/CC; Rodney W. Grimes, FreeBSD Core Team Member;
Guido van Rooij, Philips Communication and Processing Services; Walter
Belgers.

=========================FORWARDED TEXT ENDS HERE=============================

We thank Wietse Venema and CERT/CC for providing us the information
regarding this Security Bulletin

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes. CERT-NL is a member of the Forum of Incident Response and
Security Teams (FIRST).

All CERT-NL material is available under:
    http://www.surfnet.nl/surfnet/security/cert-nl.html
    ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100
in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members
on request.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMML+BB68tkuRYDgtAQFa+wP9GThR25KAeowEf91MTiEI8xtZoiGlRlEv
G7SNUwoZ0NoSFwJJ1u94Yi9JJWP0fonCf05DMPSxG80TmzKsW/2qe5fUOLDrpRh4
Rqwt9qL3xKaZN8g+b9V6t4gkawzA555q7CDSikSbQDvaMd6rX7Qypn06tVGznr6z
FkhCr9g5FYk=
=B3li
-----END PGP SIGNATURE-----
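
Added example (not part of the original advisory or of Wietse Venema's
software): a shell check that compares downloaded fix archives with the MD5
checksums listed in section III before they are unpacked. The function names
and return codes are assumptions of this example; the archive names and
checksums are copied from the advisory.

```shell
#!/bin/sh
# Added example: verify fix archives against the advisory's MD5 values.
# MD5 is what the advisory publishes; it catches a corrupted or wrong
# download, and is only as trustworthy as the signed advisory itself.

# Archive names and checksums copied from section III of the advisory.
MANIFEST='logdaemon-4.9.tar.gz 3d01ecc63f621f962a0965f13fe57ca6
libskey-1.1.5.1.tgz bf3a8e8e10d63da9de550b0332107302
libskey-2.0.tgz d58a17f4216c3ee9b9831dbfcff93d29'

# md5_of FILE: print the hex MD5 using whichever tool is installed.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 -r "$1" | awk '{print $1}'
    fi
}

# expected_md5 NAME: look NAME up in the manifest; prints nothing if unknown.
expected_md5() {
    printf '%s\n' "$MANIFEST" | awk -v n="$1" '$1 == n {print $2}'
}

# verify_archive PATH [EXPECTED_MD5]
# Returns 0 = match, 1 = mismatch, 2 = file missing, 3 = not in manifest.
verify_archive() {
    want=${2:-}
    [ -n "$want" ] || want=$(expected_md5 "$(basename "$1")")
    [ -n "$want" ] || return 3
    [ -f "$1" ] || return 2
    got=$(md5_of "$1" | tr 'A-F' 'a-f')
    [ "$got" = "$want" ]
}

# When run with archive paths as arguments, check each one.
for f in "$@"; do
    verify_archive "$f" && echo "OK       $f" || echo "REJECTED $f (status $?)"
done
```

Run it with the downloaded archive paths as arguments and unpack only files
reported as OK.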