[52] in Security FYI


Athena-specific stuff on the kerberos hole

daemon@ATHENA.MIT.EDU (Tom Yu)
Tue May 16 15:53:34 2000

To: security-fyi@MIT.EDU
From: Tom Yu <tlyu@MIT.EDU>
Date: 16 May 2000 15:42:31 -0400
Message-Id: <ldvu2fy2sew.fsf@saint-elmos-fire.mit.edu>

These messages were sent to release-announce and are worth reading if
you're running the Athena release and don't want to rebuild stuff from
sources.

---Tom

------- Start of forwarded message -------
Date: Tue May 16 15:40:23 2000
From: Greg Hudson <ghudson@MIT.EDU>
Subject: Digested Articles

Topics:
   IMPORTANT: Kerberos vulnerability in Athena workstations
   Athena 8.3.28 patch release on Monday 2000-05-22
   sshd probably not affected by Kerberos vulnerability


----------------------------------------------------------------------

Date: Tue, 16 May 2000 14:38:38 -0400 (EDT)
From: Greg Hudson <ghudson@MIT.EDU>
To: release-announce@MIT.EDU
Subject: IMPORTANT: Kerberos vulnerability in Athena workstations
Message-Id: <200005161838.OAA23004@small-gods.mit.edu>

It has recently been discovered that there are buffer overrun
vulnerabilities in the MIT Kerberos implementation used in the Athena
environment.  This vulnerability has not been widely known until right
about now.  The impact of the vulnerability is a remote root exploit
of any Athena workstation running any Kerberized daemon.  Kerberized
login programs are also vulnerable, although the exploit is much
more difficult.

We have prepared fixed binaries and placed them on the system packs.
If you administer a private Athena 8.3 workstation, you should update
the Kerberos Athena software on the machine as soon as possible by
running (as root):

	add release
	fixkrb

If you have a private Athena workstation running a release earlier
than 8.3, fixing the vulnerability isn't quite as simple.  Updating
the machine to 8.3 will work, of course (it is not necessary to run
fixkrb after updating).  If that is not an option, you can copy the
fixed binaries off the 8.3 system packs, at least on Solaris.  Contact
ops@mit.edu if you need help in this area.

If you are running other Kerberized daemons than the ones in the
Athena release, please contact ops@mit.edu for assistance.

------------------------------

Date: Tue, 16 May 2000 14:50:23 -0400 (EDT)
From: Greg Hudson <ghudson@MIT.EDU>
To: release-announce@MIT.EDU
Subject: Athena 8.3.28 patch release on Monday 2000-05-22
Message-Id: <200005161850.OAA23048@small-gods.mit.edu>

The Athena 8.3.28 patch release is scheduled for next Monday evening
for the Solaris and IRIX platforms.  This patch release fixes the
Kerberos security holes discussed in the previous piece of mail.  As
mentioned in that mail, you should run (as root):

	add release
	fixkrb

to take the fixes early on any private Athena 8.3 machines you
administer.

As always, to take this release manually on a non-autoupdate machine
after the release has gone out, run (as root):

	/srvd/update_ws

Please send any questions or comments to release-team@mit.edu.

------------------------------

Date: Tue, 16 May 2000 15:37:52 -0400
From: Greg Hudson <ghudson@MIT.EDU>
To: release-announce@MIT.EDU
Subject: sshd probably not affected by Kerberos vulnerability
Message-Id: <200005161937.PAA01579@egyptian-gods.mit.edu>

Hi.  I'd like to correct an error I made in my announcement regarding
the impact of the Kerberos vulnerability.  The remotely exploitable
vulnerabilities are in kshd and the krb4 krb_rd_req() library
function; there is no known remote exploit against any functions in
the krb5 library.  This means that sshd with krb5 support is not
vulnerable, because it never calls the krb4 krb_rd_req() function.

So, if you have a machine running sshd with krb5 support as well as various
Kerberized daemons, and for whatever reason you cannot get fixes, you
can disable the Kerberos daemons (klogind, kshd, telnetd) and leave
sshd enabled.

Sorry to generate so much traffic on this issue.

------------------------------

End of forward195776h2 Digest
*****************************
------- End of forwarded message -------
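
An added example, not part of the forwarded mail or the Athena release: a shell sketch of the fallback described in the last message (disable klogind, kshd and telnetd, leave sshd alone). It assumes the daemons are started from an inetd.conf-style file, which the mail does not state; the function names, the /path/to placeholders and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Daemons the mail says to disable. sshd is deliberately not listed.
KRB_DAEMONS="klogind kshd telnetd"

# $1 = mode (list|disable), $2 = inetd.conf-style file.
# An entry matches when it is not commented out and the basename of its
# server program (field 6) or first argument (field 7, which covers
# wrapper programs) is one of KRB_DAEMONS.
_krb_filter() {
    awk -v names="$KRB_DAEMONS" -v mode="$1" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        function base(p) { sub(/.*\//, "", p); return p }
        {
            p6 = base($6); p7 = base($7)
            hit = ($0 !~ /^[ \t]*#/ && NF >= 6 && ((p6 in want) || (p7 in want)))
            if (mode == "list") { if (hit) print; next }
            prefix = hit ? "#disabled# " : ""
            print prefix $0
        }
    ' "$2"
}

# Print the active entries that launch a Kerberized daemon.
list_krb_entries() { _krb_filter list "$1"; }

# Print a copy of the file with those entries commented out. Review the
# result before installing it and signalling inetd to reread its config.
disable_krb_entries() { _krb_filter disable "$1"; }

# Constructed sample input, not taken from an Athena machine.
make_sample() {
    cat > "$1" <<'EOF'
# service socket proto wait user server args
klogin  stream tcp nowait root /path/to/klogind klogind
kshell  stream tcp nowait root /path/to/kshd kshd
telnet  stream tcp nowait root /path/to/telnetd telnetd
#eklogin stream tcp nowait root /path/to/klogind klogind -e
ftp     stream tcp nowait root /path/to/ftpd ftpd
EOF
}
```

Running list_krb_entries again on the rewritten file should print nothing; any remaining line is an entry that still starts one of the three daemons.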
