Vulnerability

    Kerberos V

Affected

    Any system running the Kerberos V 1.0 telnet daemon

Description

    The following info is based on Secure Networks Inc. Security Advisory. Systems running the Kerberos V telnet daemon are vulnerable to a buffer overflow in the Kerberized telnet daemon. This buffer overflow can allow remote root access to unauthorized users.

    The problem lies in the Kerberized telnet daemon which, due to improper bounds checking of the TERM variable, is vulnerable to a remote buffer overflow. The following function start_login() in sys_term.c illustrates the problem:

        ...
        char speed[128];
        ....
        sprintf(speed, "%s/%d", (cp = getenv("TERM")) ? cp : "",
                (def_rspeed > 0) ? def_rspeed : 9600);
        ...

    By this, remote individuals can gain root access to hosts running the Kerberos V telnet daemon.

Solution

    The problems described in Kerberos V are fixed by updating your Kerberos installation to Kerberos V 1.0 patch level 1. Information about obtaining the update to Kerberos V can be found at:

        http://web.mit.edu/kerberos/www/krb5-1.0/announce.html

    The MIT Kerberos Team announced the availability of MIT Kerberos V5 Release 1.0.2. This release is a bug-fix release only and it fixes a potential security vulnerability in telnetd that may allow a remote user to gain root privileges on systems with a broken tgetent() library function. The simplest way to get the new patchlevel 1 release is via the Web. Use the following URL:

        http://web.mit.edu/network/kerberos-form.html

    OpenBSD users should update to OpenBSD-current via anoncvs, and recompile their kerberos libraries. Cygnus plans to release patches for the Cygnus Kerberos distributions shortly.
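
The bounds check that the start_login() snippet in the Description lacks, written as an added example; it is not code from the advisory or from the MIT patch. The helper name build_term_speed() and the SPEED_BUF constant are assumptions made for illustration, and the oversized TERM value is constructed.

```c
#include <stdio.h>
#include <string.h>

#define SPEED_BUF 128  /* same size as speed[] in the advisory's snippet */

/*
 * Hypothetical helper (not from the Kerberos source): build "TERM/speed"
 * into out[outlen]. Returns 0 on success, -1 if the result would not fit.
 * On failure out is set to the empty string so no partial value is used.
 */
int build_term_speed(char *out, size_t outlen, const char *term, int rspeed)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    if (term == NULL)               /* getenv("TERM") may return NULL */
        term = "";
    /* snprintf never writes more than outlen bytes and returns the length
     * the full string would have had, so truncation is detectable. */
    n = snprintf(out, outlen, "%s/%d", term, rspeed > 0 ? rspeed : 9600);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char speed[SPEED_BUF];
    char long_term[512];            /* constructed oversized TERM value */
    int rc;

    memset(long_term, 'A', sizeof(long_term) - 1);
    long_term[sizeof(long_term) - 1] = '\0';

    rc = build_term_speed(speed, sizeof(speed), "vt100", 38400);
    printf("vt100         -> rc=%d \"%s\"\n", rc, speed);
    rc = build_term_speed(speed, sizeof(speed), long_term, 0);
    printf("511-byte TERM -> rc=%d \"%s\"\n", rc, speed);
    return 0;
}
```

A caller in the position of start_login() would treat a -1 return as a reason to refuse the session or fall back to a fixed default rather than continue with a truncated value.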