Date: Thu, 28 Mar 2024 08:42:10 -0400 (EDT) Message-ID: <728513203.475.1711629730037@windcrest.sei.cmu.edu> Subject: Exported From Confluence MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_Part_474_1090093425.1711629730035" ------=_Part_474_1090093425.1711629730035 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Location: file:///C:/exported.html
A complete revision history is at the end of this file.
The CERT Coordination Center has received reports of a vulnerability in th=
e Kerberos Version 4 server. On unpatched Kerberos 4 systems, under certain=
circumstances, intruders can masquerade as authorized Kerberos users and g=
ain access to services and resources not intended for their use. The CERT t=
eam recommends that you apply one of the solutions given in Section III.
The Kerberos Version 5 server running in Version 4 compatibility mode is= also vulnerable under certain circumstances. The Massachusetts Institute o= f Technology (MIT) is working on the patches for that version.
We will update this advisory as we receive additional information. Pleas= e check advisory files regularly for updates that relate to your site.
IMPORTANT: After running fix_kdb_keys you must kill and restart the kerb= eros server process (it has the old keys cached in memory). Also, if you op= erate any Kerberos slave servers, you need to perform a slave propagation i= mmediately to update the keys on the slaves.
Updated files are now available on "athena-dist.mit.edu" including an up= dated random_patch.md5 file which contains the MD5 checksums of random_patc= h.tar.* The PGP Signature is issued by Jeffrey I. Schiller <jis@mit.edu> using PGP keyid 0x0DBF906D. The fing= erprint is
DD DC 88 AA 92 DC DD D5 BA 0A 6B 59 C1 65 AD 01
The updated files are also available from
ftp:= //ftp.cert.org/pub/vendors/mit/Patches/Kerberos-V4/
The new checksums are
MD5 (random_patch.md5) =3D ecf5412094572e183aa33ae4e5f197b8
MD5 (random_patch.tar.Z) =3D e925b687a05a8c6321b2805026253315
MD5 (random_patch.tar.gz) =3D 003226914427094a642fd1f067f589d2
These files are also available from
ftp://ftp.cert.org/pub/vendors/mit/Patches/Kerberos-V4/random_p= atch.md5
ftp://ftp.cert.org/pub/vendors/mit/Patches/Kerberos-V4/random= _patch.tar.Z
ftp://ftp.cert.org/pub/vendors/mit/Patches/Kerberos-V4/rando= m_patch.tar.gz
The checksums are the same as above.
SCO OpenServer, SCO Open Desktop, SCO UnixWare, SCO Unix, and SCO Xenix = do not support Kerberos.
The SCO Security Server, an add-on product for SCO OpenServer 3 and SCO = OpenServer 5, supports Kerberos V5 authentication. This product cannot be c= onfigured to be Kerberos V4 compatible; therefore, it is not vulnerable.
To obtain the kit, FTP to ECO.TGV.COM, username ANONYMOUS, password eith= er KERBEROS-034 or KERBEROS-035 (depending on the version of MultiNet that = you are running) and download the ECO kit:
ftp://anonymous:ker= beros-035@eco.tgv.com
The kit is available in both VMS BACKUP save set format as well as in a = compressed .ZIP file. Use VMSINSTAL to apply the ECO.
Once you have completed the upgrade, the KITREMARK.VUR file from the ECO= kit will be displayed providing instructions during the installation proce= ss.
If you have any questions, please send an e-mail message to
MultiNet-VMS@Support.TGV= .COM
In light of the COAST work, Transarc is doing a security review of Kerbe= ros 4.0 and AFS. We expect to provide some procedural changes to improve se= curity in new cells, and we will make code changes as necessary. OSF also r= eviewed Kerberos 5.0, and they have released a source patch for Kerberos 5.= 0 that strengthens the random number generator in Kerberos 5.0. This patch = is relevant to all versions of DCE (but not to AFS since it is based on Ker= beros 4.0).
Transarc has this OSF patch available for DCE 1.1 on Solaris 2.4, DCE 1.= 0.3a on Solaris 2.4, DCE 1.0.3a on Solaris 2.3, and DCE 1.0.3a on Sun OS 4.= 1.3. Please contact Transarc Customer Support for access to these patches.<= /p>
Please feel free to contact me directly if you have further questions ab= out this issue.
For pointers and background on these issues please refer to
http://www.transarc.com/afs/transarc.com/public/www/Public/Support/=
security-\ update.html
Liz Hines
Hines@transarc.com=
a>
Copyright 1996 Carnegie Mellon University.
Sep. 24, 1997 Updated copyright statement Aug. 30, 1996 Information previously in the README was inserted into the advisory. Mar. 08, 1996 Appendix, TGV Software & Transarc - added entries Feb. 23, 1996 Sec. III.A - noted a change in the readme.patch file and put new MD5 checksums at the end of the section.