From owner-freebsd-security Wed Jun 14 18:29:16 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id SAA14148 for security-outgoing; Wed, 14 Jun 1995 18:29:16 -0700
Received: from beta.wsl.sinica.edu.tw (beta.wsl.sinica.edu.tw [140.109.7.2]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id SAA14137 for ; Wed, 14 Jun 1995 18:28:55 -0700
From: ywliu@beta.wsl.sinica.edu.tw
Message-Id: <199506150128.SAA14137@freefall.cdrom.com>
Received: by beta.wsl.sinica.edu.tw (1.37.109.8/16.2) id AA14258; Thu, 15 Jun 1995 09:23:24 +0800
Date: Thu, 15 Jun 1995 09:23:24 +0800
To: security@freebsd.org
Subject: FreeBSD vulnerability in S/Key
Newsgroups: comp.security.announce
Sender: security-owner@freebsd.org
Precedence: bulk

Hi,

I read the following on comp.security.announce

>CERT Vendor-Initiated Bulletin VB-95:04
>June 14, 1995
>
>Topic: Logdaemon/FreeBSD vulnerability in S/Key
>Source: Wietse Venema (wietse@wzv.win.tue.nl)
>
>A vulnerability exists in my own S/Key software enhancements. Since
>these enhancements are in wide-spread use, a public announcement is
>appropriate. The vulnerability affects the following products:
>
>    FreeBSD version 1.1.5.1
>    FreeBSD version 2.0
>    logdaemon versions before 4.9

I am not familiar with S/Key, so my question is : I am using MD5 rather than
DES, is this relevant ? Am I supposed to patch my system ?

Also, is this fixed in 2.0.5 ?
--
Yen-Wei Liu
Internet e-mail address:ywliu@beta.wsl.sinica.edu.tw
                        ywliu@gate.sinica.edu.tw
FAX: +886-2-783-6444

From owner-freebsd-security Wed Jun 14 20:07:45 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id UAA17173 for security-outgoing; Wed, 14 Jun 1995 20:07:45 -0700
Received: from aries.ibms.sinica.edu.tw ([140.109.40.248]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id UAA17161 for ; Wed, 14 Jun 1995 20:07:39 -0700
Received: (from taob@localhost) by aries.ibms.sinica.edu.tw (8.6.11/8.6.9) id LAA02848; Thu, 15 Jun 1995 11:07:11 +0800
Date: Wed, 14 Jun 1995 18:57:17 -0400
Message-Id: <199506142257.SAA03643@why.cert.org>
From: CERT Bulletin
To: cert-advisory@cert.org
Subject: CERT Vendor-Initiated Bulletin VB-95:04 (Wietse Venema)
Reply-To: cert-advisory-request@cert.org
Organization: CERT Coordination Center - 412-268-7090
content-length: 4638
ReSent-Date: Thu, 15 Jun 1995 11:07:04 +0800 (CST)
ReSent-From: Brian Tao
ReSent-To: FREEBSD-SECURITY-L
ReSent-Message-ID:
Sender: security-owner@freebsd.org
Precedence: bulk

CERT Vendor-Initiated Bulletin VB-95:04
June 14, 1995

Topic: Logdaemon/FreeBSD vulnerability in S/Key
Source: Wietse Venema (wietse@wzv.win.tue.nl)

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Wietse
Venema, who urges you to act on this information as soon as possible. Please
contact Wietse Venema if you have any questions or need further information.

========================FORWARDED TEXT STARTS HERE============================

A vulnerability exists in my own S/Key software enhancements. Since
these enhancements are in wide-spread use, a public announcement is
appropriate. The vulnerability affects the following products:

    FreeBSD version 1.1.5.1
    FreeBSD version 2.0
    logdaemon versions before 4.9

I recommend that users of this software follow the instructions given
below in section III.
-----------------------------------------------------------------------------

I. Description

    An obscure oversight was found in software that I derived from
    the S/Key software from Bellcore (Bell Communications Research).
    Analysis revealed that my oversight introduces a vulnerability.

    Note: the vulnerability is not present in the original S/Key
    software from Bellcore.

II. Impact

    Unauthorized users can gain privileges of other users, possibly
    including root.

    The vulnerability can be exploited only by users with a valid
    account. It cannot be exploited by arbitrary remote users.

    The vulnerability can affect all FreeBSD 1.1.5.1 and FreeBSD 2.0
    implementations and all Logdaemon versions before 4.9. The problem
    exists only when S/Key logins are supported (which is the default
    for FreeBSD). Sites with S/Key logins disabled are not vulnerable.

III. Solution

    Logdaemon users:
    ================

    Upgrade to version 4.9

    URL ftp://ftp.win.tue.nl/pub/security/logdaemon-4.9.tar.gz.
    MD5 checksum 3d01ecc63f621f962a0965f13fe57ca6

    To plug the hole, build and install the ftpd, rexecd and login
    programs. If you installed the keysu and skeysh commands, these
    need to be replaced too.

    FreeBSD 1.1.5.1 and FreeBSD 2.0 users:
    ======================================

    Retrieve the corrected files that match the system you are
    running:

    URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-1.1.5.1.tgz
    MD5 checksum bf3a8e8e10d63da9de550b0332107302

    URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-2.0.tgz
    MD5 checksum d58a17f4216c3ee9b9831dbfcff93d29

    Unpack the tar archive and follow the instructions in the
    README file.

    FreeBSD current users:
    ======================

    Update your /usr/src/lib/libskey sources and rebuild and
    install libskey (both shared and non-shared versions).

    The vulnerability has been fixed with FreeBSD 2.0.5.

-----------------------------------------------------------------------------

S/KEY is a trademark of Bellcore (Bell Communications Research).
Wietse Venema appreciates helpful assistance with the resolution of this
vulnerability from CERT/CC; Rodney W. Grimes, FreeBSD Core Team Member;
Guido van Rooij, Philips Communication and Processing Services;
Walter Belgers.

=========================FORWARDED TEXT ENDS HERE=============================

CERT bulletins, CERT advisories, information about FIRST representatives, and
other information related to computer security are available for anonymous FTP
from info.cert.org.

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request@cert.org.

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise that the e-mail be encrypted.
The CERT Coordination Center can support a shared DES key, PGP (public key
available via anonymous FTP on info.cert.org), or PEM (contact CERT staff
for details).

Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA

CERT is a service mark of Carnegie Mellon University.

From owner-freebsd-security Wed Jun 14 20:32:07 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id UAA18080 for security-outgoing; Wed, 14 Jun 1995 20:32:07 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id UAA18074 for ; Wed, 14 Jun 1995 20:32:04 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id UAA02199; Wed, 14 Jun 1995 20:26:16 -0700
From: "Rodney W. Grimes"
Message-Id: <199506150326.UAA02199@gndrsh.aac.dev.com>
Subject: Re: FreeBSD vulnerability in S/Key
To: ywliu@beta.wsl.sinica.edu.tw
Date: Wed, 14 Jun 1995 20:26:16 -0700 (PDT)
Cc: security@freebsd.org
In-Reply-To: <199506150128.SAA14137@freefall.cdrom.com> from "ywliu@beta.wsl.sinica.edu.tw" at Jun 15, 95 09:23:24 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1144
Sender: security-owner@freebsd.org
Precedence: bulk

>
> Hi,
>
> I read the following on comp.security.announce
>
> >CERT Vendor-Initiated Bulletin VB-95:04
> >June 14, 1995
> >
> >Topic: Logdaemon/FreeBSD vulnerability in S/Key
> >Source: Wietse Venema (wietse@wzv.win.tue.nl)
> >
> >A vulnerability exists in my own S/Key software enhancements. Since
> >these enhancements are in wide-spread use, a public announcement is
> >appropriate. The vulnerability affects the following products:
> >
> >    FreeBSD version 1.1.5.1
> >    FreeBSD version 2.0
> >    logdaemon versions before 4.9
>
> I am not familiar with S/Key, so my question is : I am using MD5 rather than
> DES, is this relevant ?

No, that is not relevant; what is relevant is whether you are using S/Key
(i.e. you have an /etc/skeykeys file). If so, you should do what the CERT
advisory tells you to do.

> Am I supposed to patch my system ?

Probably not, since you don't know what skey is you are probably not using it.

>
> Also, is this fixed in 2.0.5 ?

Yes.
--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                   Custom computers for FreeBSD

From owner-freebsd-security Wed Jun 14 22:35:33 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id WAA25371 for security-outgoing; Wed, 14 Jun 1995 22:35:33 -0700
Received: from aries.ibms.sinica.edu.tw ([140.109.40.248]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id WAA25365 for ; Wed, 14 Jun 1995 22:35:31 -0700
Received: (from taob@localhost) by aries.ibms.sinica.edu.tw (8.6.11/8.6.9) id NAA03498; Thu, 15 Jun 1995 13:34:21 +0800
Date: Thu, 15 Jun 1995 13:34:21 +0800 (CST)
From: Brian Tao
To: ywliu@beta.wsl.sinica.edu.tw
cc: security@freebsd.org
Subject: Re: FreeBSD vulnerability in S/Key
In-Reply-To: <199506150128.SAA14137@freefall.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

On Thu, 15 Jun 1995 ywliu@beta.wsl.sinica.edu.tw wrote:
>
> I am not familiar with S/Key, so my question is : I am using MD5 rather than
> DES, is this relevant ? Am I supposed to patch my system ?

Only if you use the S/Key one-time password system (which isn't
enabled by default). If you don't know what S/Key is, then chances
are your system isn't using them either.

> Also, is this fixed in 2.0.5 ?

Yes, it is:

>     FreeBSD current users:
>     ======================
>     Update your /usr/src/lib/libskey sources and rebuild and
>     install libskey (both shared and non-shared versions).
>
>     The vulnerability has been fixed with FreeBSD 2.0.5.

--
Brian ("Though this be madness, yet there is method in't") Tao
taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org
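
Added example, not part of any message in this thread and not code from the bulletin's author or the FreeBSD project: a POSIX shell triage for the two checks the thread describes. It tests whether an S/Key key file has entries (the /etc/skeykeys test from Rod Grimes' reply) and compares a downloaded archive against the MD5 checksum the bulletin publishes for that file name. The function names, the script name, and the treatment of blank and '#' lines as non-entries are assumptions.

```shell
#!/bin/sh
# Added example: triage for CERT VB-95:04. Function names are assumptions.

# MD5 checksums as published in the bulletin, keyed by archive file name.
expected_md5() {
    case "$1" in
        logdaemon-4.9.tar.gz) echo 3d01ecc63f621f962a0965f13fe57ca6 ;;
        libskey-1.1.5.1.tgz)  echo bf3a8e8e10d63da9de550b0332107302 ;;
        libskey-2.0.tgz)      echo d58a17f4216c3ee9b9831dbfcff93d29 ;;
        *) return 1 ;;
    esac
}

# Print the hex MD5 of a file with whichever tool the host provides.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl md5 "$1" | awk '{print $NF}'
    fi
}

# 0 = matches the bulletin, 1 = mismatch, 2 = name not in bulletin, 3 = unreadable.
verify_archive() {
    want=$(expected_md5 "$(basename "$1")") || return 2
    [ -r "$1" ] || return 3
    [ "$(file_md5 "$1")" = "$want" ]
}

# 0 if the key file exists and holds at least one entry.
# Assumption: blank lines and lines starting with '#' are not live entries.
skey_in_use() {
    keyfile=${1:-/etc/skeykeys}
    [ -s "$keyfile" ] && grep -Eqv '^[[:space:]]*(#.*)?$' "$keyfile"
}

# Usage: sh skey-triage.sh [downloaded-archive ...]
if skey_in_use; then
    echo "S/Key entries found in /etc/skeykeys: apply the bulletin's fix"
else
    echo "no S/Key entries found in /etc/skeykeys"
fi
for f in "$@"; do
    if verify_archive "$f"; then echo "OK       $f"
    else echo "REJECTED $f (status $?)"; fi
done
```

Any nonzero status from `verify_archive` means the archive should not be unpacked; status 2 means the file name is not one the bulletin lists.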