Vulnerability

    Kerberos V

Affected

    Any system running the Kerberos V 1.0 telnet daemon

Description

    The  following  info  is  based  on  Secure Networks Inc. Security
    Advisory.

    Systems running the Kerberos V  telnet daemon are vulnerable to  a
    buffer  overflow  in  the  Kerberized  telnet daemon.  This buffer
    overflow can allow remote root access to unauthorized users.

    The problem  lies in  the kerberized  telnet daemon  which due  to
    improper bounds checking of the  TERM variable is vulnerable to  a
    remote buffer overflow.

    The following function start_login() in sys_term.c illustrates the
    problem :

     ...
                    char speed[128];
     ....
                    sprintf(speed, "%s/%d", (cp = getenv("TERM")) ? cp : "",
                            (def_rspeed > 0) ? def_rspeed : 9600);
     ...

    By this, remote individuals can gain root access to hosts  running
    the Kerberos V telnet daemon.

Solution

    The problems described  in Kerberos V  are fixed by  updating your
    Kerberos installation to Kerberos V 1.0 patch level 1. Information
    about obtaining the update to Kerberos V can be found at:

        http://web.mit.edu/kerberos/www/krb5-1.0/announce.html

   The MIT Kerberos Team announced the availability of MIT Kerberos V5
   Release 1.0.2.  This release is a bug-fix release only and it fixes
   a  potential  security  vulnerability  in  telnetd that may allow a
   remote  user  to  gain  root  privileges  on  systems with a broken
   tgetent()  library  function.   The  simplest  way  to  get the new
   patchlevel 1 release is via the Web.  Use the following URL:

        http://web.mit.edu/network/kerberos-form.html

    OpenBSD users  should update  to OpenBSD-current  via anoncvs, and
    recompile their kerberos libraries.

    Cygnus  plans  to   release  patches  for   the  Cygnus   Kerberos
    distributions shortly.