A complete revision history is at the end of this file. This advisory supersedes CA-95.03.
The CERT Coordination Center has received reports of a serious security problem in the Berkeley Telnet clients that provide support for the experimental Telnet encryption option using the Kerberos V4 authentication. All known released versions of the BSD Telnet that support Kerberos V4 authentication and encryption are affected.
We recommend that all sites that use encrypted telnet in conjunction with Kerberos V4 obtain a patch or upgraded version of Telnet according to the instructions in Section III below.
We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.
In Appendix A is a summary of the vendors who have reported to us and the status they provided, including how to obtain patches. We will update the appendix as we receive more information from vendors.
If you have an encrypting Telnet from a vendor who is not listed, please contact that vendor for information regarding how to get a fixed version.
Vendor or Source | Status |
---|---|
Berkeley SW Distribution (BSD) | source-code patch available from Berkeley; also in Appendix B of this advisory |
Data General Corporation | not affected by the vulnerability |
Digital Equipment Corporation | not affected by the vulnerability |
FTP Software, Inc. | patch available |
Harris NightHawk System | not affected by the vulnerability |
Hewlett-Packard Company | not affected by the vulnerability |
Nat'l. Center for Supercomputer Applications (NCSA) | upgrade available |
Open Software Foundation | not affected by the vulnerability |
The Santa Cruz Operation, Inc. (SCO) | not affected by the vulnerability |
Sequent Computer Systems | not affected by the vulnerability |
Sun Microsystems, Inc. | not affected by the vulnerability |
A source-code patch, along with the domestic version of the most recently released Telnet sources from Berkeley, is available by anonymous FTP from
net-dist.mit.edu:/pub/telnet/telnet.patch
MD5 65d56befe3d0f1699d38de5509552578
There is also a PGP ASCII signature file for the patch in
net-dist.mit.edu:/pub/telnet/telnet.patch.sig
This patch can also be found in CERT Advisory CA-95.03a, Appendix B. (Note: Do not calculate a checksum for Appendix B alone. It will not match the checksum of the FTP version of the patch because the tabs in the FTP copy have been replaced with blank spaces in the CA-95.03a Appendix B copy.)
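The checksum note above, worked through as an added example (not part of the original advisory or of the Berkeley sources): it hashes the exact bytes of a patch copy and separates a genuine mismatch from a copy whose tabs were expanded. The function names, the constructed sample and the "no tab bytes" heuristic are assumptions of this example.

```python
import hashlib
import hmac

# MD5 the advisory publishes for net-dist.mit.edu:/pub/telnet/telnet.patch
PUBLISHED_MD5 = "65d56befe3d0f1699d38de5509552578"


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the exact bytes given (no newline or tab normalisation)."""
    return hashlib.md5(data).hexdigest()


def classify_copy(data: bytes, expected_hex: str = PUBLISHED_MD5) -> str:
    """Compare a patch copy with the expected digest.

    Returns "match", "tabs-expanded" or "mismatch". "tabs-expanded" is a
    heuristic (an assumption of this example): a diff of tab-indented C
    source that contains no tab byte at all has most likely been through
    the tab-to-space conversion the advisory describes for Appendix B.
    """
    if hmac.compare_digest(md5_hex(data), expected_hex.strip().lower()):
        return "match"
    if b"\t" not in data:
        return "tabs-expanded"
    return "mismatch"


# Constructed sample standing in for the FTP copy (tabs intact). It is not
# the real telnet.patch, so its digest is computed here, not taken from
# the advisory.
FTP_STYLE = (
    b"@@ -260,14 +260,14 @@\n"
    b" int\n"
    b" auth_enable(type)\n"
    b"-\tint type;\n"
    b"+\tchar * type;\n"
    b" {\n"
    b" \treturn(auth_onoff(type, 1));\n"
    b" }\n"
)
APPENDIX_STYLE = FTP_STYLE.expandtabs(8)  # stands in for the Appendix B copy
SAMPLE_MD5 = md5_hex(FTP_STYLE)

if __name__ == "__main__":
    for name, blob in (("ftp copy", FTP_STYLE), ("appendix copy", APPENDIX_STYLE)):
        print(f"{name}: {md5_hex(blob)} -> {classify_copy(blob, SAMPLE_MD5)}")
```

To check a downloaded file, read it in binary mode and pass the bytes to classify_copy with the default expected value.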
Upgrade
/Mac/Telnet/Telnet2.6/prerelease/d7/Telnet2.6.1d7(68K).sit.hqx
MD5 b34b9fda59421b3b83f8df08a83f83b5
/Mac/Telnet/Telnet2.6/prerelease/d7/Telnet2.6.1d7(fat).sit.hqx
MD5 877add7c3d298111889fc3f2f272ce6f
Kerberos plug-ins
/Mac/Telnet/Telnet2.6/prerelease/AuthMan.plugin.1.0b1.hqx
MD5 df727eae184b22125f90ef1a31513fd4
/Mac/Telnet/Telnet2.6/prerelease/Kerberos_Telnet_plugin.sit.hqx
MD5 dbda691efe9038648f234397895c734d
Questions regarding NCSA Telnet should be directed to
mactel@ncsa.uiuc.edu
RCS file: /mit/krb5/.cvsroot/src/appl/telnet/libtelnet/auth.c,v retrieving revision 5.5 retrieving revision 5.7 diff -u -r5.5 -r5.7 --- auth.c 1994/08/18 21:06:45 5.5 +++ auth.c 1994/11/08 04:39:02 5.7 @@ -244,7 +244,7 @@ { register int x; - if (strcasecmp(type, AUTHTYPE_NAME(0))) { + if (!strcasecmp(type, AUTHTYPE_NAME(0))) { *maskp =3D -1; return(1); } @@ -260,14 +260,14 @@ int auth_enable(type) - - int type; + char * type; { return(auth_onoff(type, 1)); } int auth_disable(type) - - int type; + char * type; { return(auth_onoff(type, 0)); } @@ -277,15 +277,20 @@ char *type; int on; { - - int mask =3D -1; + int i, mask =3D -1; Authenticator *ap; if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) { printf("auth %s 'type'\n", on ? "enable" : "disable"); printf("Where 'type' is one of:\n"); printf("\t%s\n", AUTHTYPE_NAME(0)); - - for (ap =3D authenticators; ap->type; ap++) + mask =3D 0; + for (ap =3D authenticators; ap->type; ap++) { + if ((mask & (i =3D typemask(ap->type))) !=3D= 0) + continue; + mask |=3D i; printf("\t%s\n", AUTHTYPE_NAME(ap->type)); + } return(0); } @@ -293,7 +298,6 @@ printf("%s: invalid authentication type\n", type); return(0); } - - mask =3D getauthmask(type, &mask); if (on) i_wont_support &=3D ~mask; else @@ -317,16 +321,22 @@ auth_status() { Authenticator *ap; + int i, mask; if (i_wont_support =3D=3D -1) printf("Authentication disabled\n"); else printf("Authentication enabled\n"); - - for (ap =3D authenticators; ap->type; ap++) + mask =3D 0; + for (ap =3D authenticators; ap->type; ap++) { + if ((mask & (i =3D typemask(ap->type))) !=3D 0) + continue; + mask |=3D i; printf("%s: %s\n", AUTHTYPE_NAME(ap->type), (i_wont_support & typemask(ap->type)) ? "disabled" : "enabled"); + } return(1); }Index: kerberos.c
RCS file: /mit/krb5/.cvsroot/src/appl/telnet/libtelnet/kerberos.c,v retrieving revision 5.5 retrieving revision 5.8 diff -u -r5.5 -r5.8 - --- kerberos.c 1994/08/18 21:07:02 5.5 +++ kerberos.c 1994/11/14 21:33:58 5.8 @@ -225,9 +225,10 @@ register int i; des_key_sched(cred.session, sched); - - des_set_random_generator_seed(cred.session); - - des_new_random_key(challenge); - - des_ecb_encrypt(challenge, session_key, sched, 1); + des_init_random_number_generator(cred.session); + des_new_random_key(session_key); + des_ecb_encrypt(session_key, session_key, sched, 0); + des_ecb_encrypt(session_key, challenge, sched, 0); /* * Increment the challenge by 1, and encrypt it for * later comparison. @@ -320,6 +321,11 @@ break; } + /* + * Initialize the random number generator since it's + * used later on by the encryption routine. + */ + des_init_random_number_generator(session_key); des_key_sched(session_key, sched); memcpy((void *)datablock, (void *)data, sizeof(Block)); /* @@ -337,7 +343,7 @@ * increment by one, re-encrypt it and send it back. */ des_ecb_encrypt(datablock, challenge, sched, 0); - - for (r =3D 7; r >=3D 0; r++) { + for (r =3D 7; r >=3D 0; r--) { register int t; t =3D (unsigned int)challenge[r] + 1; challenge[r] =3D t; /* ignore overflow */Index: commands.c
RCS file: /mit/krb5/.cvsroot/src/appl/telnet/telnet/commands.c,v retrieving revision 5.14 retrieving revision 5.16 diff -u -r5.14 -r5.16 - --- commands.c 1994/08/18 21:07:37 5.14 +++ commands.c 1994/11/08 06:42:49 5.16 @@ -1919,8 +1919,8 @@ }; extern int - - auth_enable P((int)), - - auth_disable P((int)), + auth_enable P((char *)), + auth_disable P((char *)), auth_status P((void)); static int auth_help P((void)); @@ -1959,6 +1959,12 @@ { struct authlist *c; + if (argc < 2) { + fprintf(stderr, + "Need an argument to 'auth' command. 'auth ?' for help.\n"); + return 0; + } + c =3D (struct authlist *) genget(argv[1], (char **) AuthList, sizeof(struct authlist)= ); if (c =3D=3D 0) { @@ -2015,7 +2021,7 @@ EncryptEnable, 1, 1, 2 }, { "disable", "Disable encryption. ('encrypt enable ?' for more)", EncryptDisable, 0, 1, 2 }, - - { "type", "Set encryptiong type. ('encrypt type ?' for more)", + { "type", "Set encryption type. ('encrypt type ?' for more)", EncryptType, 0, 1, 1 }, { "start", "Start encryption. ('encrypt start ?' for more)", EncryptStart, 1, 0, 1 }, @@ -2058,6 +2064,12 @@ char *argv[]; { struct encryptlist *c; + + if (argc < 2) { + fprintf(stderr, + "Need an argument to 'encrypt' command. 'encrypt ?' for help.\= n"); + return 0; + } c =3D (struct encryptlist *) genget(argv[1], (char **) EncryptList, sizeof(struct encryp= tlist));
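Review bot: in the auth_status hunk of auth.c (@@ -317,16 +321,22) the loop stores typemask(ap->type) in i for the duplicate check and then calls typemask(ap->type) again inside the printf; use i in the `i_wont_support & ...` test so the mask that is de-duplicated is the one that is reported. The same skip-duplicates loop is also added to the help branch of auth_onoff (@@ -277,15 +277,20), so a small shared helper would keep the two listings from drifting apart.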
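Review bot: the two new des_ecb_encrypt calls in kerberos.c (@@ -225,9 +225,10) pass 0 as the last argument, and the first one uses session_key as both input and output, but nothing in the hunk says why. Add a comment like the one the @@ -320,6 +321,11 hunk carries, stating which value is kept as the key and which becomes the challenge, so a reader can check it against the code in the @@ -337,7 +343,7 hunk that decrypts the received block into challenge.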
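Review bot: the corrected loop in kerberos.c (@@ -337,7 +343,7), `for (r = 7; r >= 0; r--)`, only terminates on its condition if r is a signed type, and the declaration of r is outside the hunk; confirm it is a plain int, since an unsigned r would never fail `r >= 0`. The literal 7 also ties the loop to an 8-byte block; deriving the start index from sizeof(Block), which the @@ -320,6 +321,11 hunk already uses in its memcpy, would document that.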
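Review bot: the auth_enable and auth_disable prototypes in commands.c (@@ -1919,8 +1919,8) are local extern declarations that have to be kept in step by hand with the K&R definitions changed in auth.c (@@ -260,14 +260,14). Declare auth_enable, auth_disable and auth_status once in a header included by both files, so that a later change to the parameter type can be checked by the compiler instead of by inspection.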
Copyright 1995, 1996 Carnegie Mellon University.
Sep. 23, 1997 Updated copyright information
Aug. 30, 1996 Information previously in the README was inserted into the advisory.
Mar. 03, 1995 Appendix A summary list - Digital Equipment and Sequent added as "not affected by the vulnerability"
Mar. 03, 1995 This advisory superseded CA-95.03, which had a portion of the patch missing from Appendix B.