[54] in Security FYI


Kerberos vulnerability fix still needed on many MIT hosts

daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Thu May 25 16:57:55 2000

From: mhpower@MIT.EDU
Message-Id: <20000525205755.72806.qmail@customer-care.infrastructure.org>
Date: Thu, 25 May 2000 16:57:55 -0400
To: security-fyi@MIT.EDU
Reply-To: net-security@MIT.EDU

-----BEGIN PGP SIGNED MESSAGE-----

There were some announcements sent last Tuesday about security
problems affecting various daemons that support Kerberos-authenticated
access, such as kshd and klogind, e.g., see

  http://www.mit.edu:8008/menelaus/security-fyi/51
  http://www.mit.edu:8008/menelaus/security-fyi/52
  http://www.cert.org/advisories/CA-2000-06.html

There are many affected MIT machines that have not yet been updated to
fix these security problems, and these machines remain vulnerable to
remote root compromise.

Three major categories of machines are:

 (1) Machines that are running any version of Athena that was ever
     supplied by MIT Information Systems. If the machine is able
     to run Athena release 8.3, then it can be updated to the
     latest version, 8.3.29, which fixes the Kerberos security
     problem that was announced last week. For some machines (the
     "AUTOUPDATE=true" machines), 8.3.29 will automatically be
     installed if all users log out and the machine remains idle
     for several minutes. For other machines ("AUTOUPDATE=false"),
     see http://web.mit.edu/olh/Private/Private.html#REF41379 for
     instructions on updating to 8.3.29. (This description is
     not applicable to machines that are in an Athena beta test.)
 (2) Machines that are running the RedHat-Athena Linux that was
     packaged by SIPB (this is the software that was installed
     from a server named sipb-nfs.mit.edu or small-gods.mit.edu).
     http://www.mit.edu:8008/charon/linux-athena/137 has update
     instructions for these machines.
 (3) Machines on which Kerberos was installed by building from MIT's
     Kerberos source-code distribution. For these machines, obtain
     Kerberos 1.1.1 from http://web.mit.edu/kerberos/www/, and ALSO
     obtain the http://web.mit.edu/kerberos/www/advisories/index.html
     security patches, then apply the patches and rebuild.

Since this message will not reach all relevant persons at MIT, the
Network Security team will be running vulnerability checks on all
mit.edu hosts to try to locate the ones that still have the Kerberos
security problem (some of these checks have been done already as
part of assessing the scope of the problem). The web page
http://web.mit.edu/net-security/www/faq.html#legitimate-probes has
a few additional details about this type of vulnerability scanning.

There have been a few reports over the past week of potential
intruders scanning networks outside of MIT for hosts with Kerberos
vulnerabilities. It seems likely that intruders will soon be looking
to break into any MIT hosts that have Kerberos vulnerabilities.

Matt Power
Network Security team, MIT Information Systems

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOS2TaKXcG113/1BtAQHDqwQAiNgZ9GLQj5K2780uZajf1beweE+iU/xp
GTnZXSVwDINbUTXoID9fHiXdYHnxcEDzJRTJvQJOJG1rybOelJp2PLFU3jj7MfHd
d4EP4U3n8wkWXYjNdu5sezzImo43A003By9Bvda62+YzqBg/z8GkvPjIZFcQ0Byz
5v2ydzs8BiY=
=dvxK
-----END PGP SIGNATURE-----
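For machines in category (3) above (Kerberos built from MIT's source distribution), the message says to fetch 1.1.1, fetch the advisory patches, apply them and rebuild. The following is an added example of that step, written for this archive page; it is not code from the message, from Matt Power, or from the MIT Kerberos distribution. It assumes things the message does not state: that the 1.1.1 tarball has already been unpacked into the directory given as the first argument, that the advisory patches are unified diffs taken relative to the top of that tree (so they apply with -p1), that configure and make live in the tree's src/ subdirectory, and that GNU or BusyBox patch is installed. The patch file names in the usage comment are placeholders. The point it adds is the check a practitioner wants here: every patch is dry-run first, and nothing is changed or rebuilt if any hunk fails, so a host is never left running a binary built from a half-patched tree, and the set of applied patches is recorded so a later check can distinguish a patched 1.1.1 from an unpatched one (the version string alone cannot).

```shell
#!/bin/sh
# Added example (not from the original message or the MIT Kerberos sources):
# a guarded "apply the security patches, then rebuild" step for hosts that
# built Kerberos from MIT's source distribution.
# Assumptions, not stated on the page: $1 is an unpacked 1.1.1 tree; each
# patch is a unified diff relative to the top of that tree (applied with
# -p1); configure/make live in $1/src; GNU or BusyBox patch is installed.

# Dry-run every patch before touching the tree. A hunk that does not apply
# means the wrong source version or a patch that is already in; in either
# case nothing is modified and the caller must not rebuild.
apply_patches() {
    tree=$1
    shift
    for p in "$@"; do
        if ! ( cd "$tree" && patch -p1 -N --dry-run < "$p" ); then
            echo "refusing to continue: $p does not apply cleanly to $tree" >&2
            return 1
        fi
    done
    # Only now modify the tree; each patch was verified above.
    for p in "$@"; do
        ( cd "$tree" && patch -p1 -N < "$p" ) || return 1
    done
    return 0
}

# Keep a list of the patch files that went in, next to the tree. A later
# host check can read this instead of guessing from the 1.1.1 version string,
# which is the same before and after the advisory patches. (File name is an
# assumption chosen for this example.)
record_patches() {
    tree=$1
    shift
    for p in "$@"; do
        basename "$p"
    done >> "$tree/APPLIED-SECURITY-PATCHES"
}

# Rebuild and reinstall, to be run only after apply_patches succeeded.
rebuild() {
    tree=$1
    ( cd "$tree/src" && ./configure && make && make install )
}

# Typical use (paths and patch names are placeholders):
#   t=/usr/local/src/krb5-1.1.1
#   apply_patches "$t" ./advisory-1.patch ./advisory-2.patch \
#     && record_patches "$t" ./advisory-1.patch ./advisory-2.patch \
#     && rebuild "$t"
```

The two passes are deliberate: a single `patch` run stops partway on the first rejected hunk and leaves earlier patches applied, which is exactly the state you do not want to `make install` from. Re-running the script on a tree that already has the patches is refused rather than silently reversed, because `-N` makes patch treat an already-applied hunk as a failure instead of prompting to apply it backwards.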
