TUCoPS :: Unix :: General :: ciacg013.txt

Kerberos V4 Vulnerability



             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                      Kerberos 4 Key Server Vulnerability

February 23, 1996 15:00 GMT                                        Number G-13
______________________________________________________________________________
PROBLEM:       A problem with Kerberos Version 4. 
PLATFORM:      Kerberos Version 4 Server and/or Kerberos Version 5 Server
               running in Version 4 compatibility mode. 
DAMAGE:        Intruders can masquerade as authorized Kerberos users and gain 
               access to services and resources not intended for their use. 
SOLUTION:      Install proper patch depending on source or binary 
               distributions. 
______________________________________________________________________________
VULNERABILITY  Knowledge of how to exploit this vulnerability is becoming  
ASSESSMENT:    widely known.                                                               
______________________________________________________________________________

CIAC has obtained information from COAST describing a vulnerability in
the Kerberos Version 4. If you are currently running Kerberos Version 4
server, you should install the proper patch.

[ Start of COAST Notification ]
 
Personnel at the COAST Laboratory (Computer Operations, Audit, and
Security Technology) at Purdue University have discovered some
unexepected weaknesses in the Kerberos security system.  Graduate
students Steve Lodin and Bryn Dole, working with Professor Eugene
Spafford, have discovered a method whereby someone without privileged
access to most implementations of a Kerberos 4 server can nonetheless
break secret session keys issued to users.  This means that it is
possible to gain unauthorized access to distributed services available
to a user without knowing that user's password. This method has been
demonstrated to work in under 5 minutes, on average, using a typical
workstation, and sometimes as quickly as 12 seconds.

{text deleted}

COAST personnel have been informed that MIT has already developed a
fix for the flaw in version 4 Kerberos and is preparing it for
release.  Additionally, COAST researchers are cooperating with MIT
personnel to identify what (if any) fixes are necessary for version 5
Kerberos. Users of either version of Kerberos should contact their
vendors for details of any fixes that may be made available; vendors
of products incorporating Kerberos should contact MIT directly for
details of the problems and fixes.

[ End COAST Notification]


[  Start CERT Bulletin ]

I.   Description

     The Kerberos Version 4 server is using a weak random number generator
     to produce session keys. On a computer of average speed, the session key
     for a ticket can be broken in a maximum of 2-4 minutes, and sometimes in
     much less time. This means that usable session keys can be manufactured
     without a user first being authorized by Kerberos.

II.  Impact

     Under certain circumstances, intruders can masquerade as authorized
     Kerberos users and gain access to services and resources not intended for
     their use. 

III. Solution
    
     If you are running Kerberos Version 4 and have built Kerberos from a
     source distribution, use solution A. If you have obtained Kerberos 4
     binaries from a vendor, use solution B. If you are now using Kerberos
     Version 5, be aware that MIT is working on patches for that version.
     Notice will be made when the patches are available.

     A. Solution for Source Distributions

        If you have built Kerberos Version 4 from source, follow these
        instructions to retrieve the fixes necessary to correct this problem:
      
          Use anonymous FTP to athena-dist.mit.edu. Change directory to
          /pub/kerberos, fetch and read "README.KRB4" found in that
          directory. It will provide the name of the distribution directory
          (which is otherwise hidden and cannot be found by listing its
          parent directory). Change directory to the hidden distribution
          directory. There you will find the original Kerberos distribution
          plus a new file named "random_patch.tar.Z" (and random_patch.tar.gz
          for those with "gzip"). This tar file contains two files, the patch
          itself and a README.PATCH file. Read this file carefully before
          proceeding.

          The distribution hidden directory also contains a file
          "random_patch.md5" which is a PGP clear-signed file containing the
          MD5 checksums of random_patch.tar.Z and random_patch.tar.gz.

          The PGP Signature is issued by Jeffrey I. Schiller <jis@mit.edu>
          using PGP keyid 0x0DBF906D. The fingerprint is

                DD DC 88 AA 92 DC DD D5  BA 0A 6B 59 C1 65 AD 01
        
          The MD5 checksums for these files are

                MD5 (random_patch.md5) = 9b9e3faac75f235cf967f595226192aa
                MD5 (random_patch.tar.Z) = 265e43ad0a055e610a0ba601141a47d4
                MD5 (random_patch.tar.gz) = 9b0d209f74c89b8395b156299fe7df79

   These files are also available from

   ftp://info.cert.org/pub/vendors/mit/Patches/Kerberos-V4/random_patch.md5
   ftp://info.cert.org/pub/vendors/mit/Patches/Kerberos-V4/random_patch.tar.Z
   ftp://info.cert.org/pub/vendors/mit/Patches/Kerberos-V4/random_patch.tar.gz
        
          The checksums are the same as above.

     B. Solution for Binary Distributions

        Contact your vendor. 
        Some vendors who provide Kerberos are sending the CERT Coordination
        Center information about their patches. Thus far, we have received
        information from one vendor and placed it in the appendix of this
        advisory. We will put all vendor information in the CA-96.03.README
        file, updating that file as we hear from vendors. 



_______________________________
     
Appendix A: Vendor Information
_______________________________

Current as of February 21, 1996
See CA-96.03.README for updated information.

Below is information we have received from vendors concerning the
vulnerability described in this bulletin. If you do not see your vendor's
name, please contact the vendor directly for information.


The Santa Cruz Operation, Inc.
------------------------------
The Kerberos 4 problem does not affect SCO.

SCO OpenServer, SCO Open Desktop, SCO UnixWare, SCO Unix, and SCO Xenix
do not support Kerberos.

The SCO Security Server, an add-on product for SCO OpenServer 3 and SCO
OpenServer 5, supports Kerberos V5 authentication. This product cannot be
configured to be Kerberos V4 compatible; therefore, it is not vulnerable.

[ End CERT Bulletin ]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of COAST, MIT, and CERT for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy (DOE) and the
National Institute of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding member of
FIRST, the Forum of Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer security 
teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH
may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the
CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074 is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for list-name and valid information for LastName FirstName and
PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security 
Teams (FIRST) is a world-wide organization. A list of FIRST member 
organizations and their constituencies can be obtained by sending email to 
docserver@first.org with an empty subject line and a message body containingt
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

(G-3)   AOLGOLD Trojan Program
(G-4)   X Authentication Vulnerability
(G-5)   HP-UX FTP Vulnerability Bulletin
(G-6)	Windows 95 Vulnerability
(G-7)	SGI Object Server Vulnerability
(G-8)	splitvt(1) Vulnerability
(G-9b)	Unix sendmail Vulnerability
(G-10a)	Winword Macro Viruses
(G-11)	HP Syslog Vulnerability
(G-12)	SGI ATT Packaging Utility Security Vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95   A comprehensive review of SATAN

Notes 08 - 4/4/95    A Courtney update

Notes 09 - 4/24/95   More on the "Good Times" virus urban legend

Notes 10 - 6/16/95   PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                     in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95   Virus Update, Hats Off to Administrators,
                     America On-Line Virus Scare, SPI 3.2.2 Released,
                     The Die_Hard Virus

Notes 12 - 9/12/95   Securely configuring Public Telnet Services, X Windows,
                     beta release of Merlin, Microsoft Word Macro Viruses,
                     Allegations of Inappropriate Data Collection in Win95



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH