-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Nico de Koo                                 Index  :    S-95-13
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : Logdaemon/FreeBSD vulnerability in S/Key    Date   :  15-Jun-95
===============================================================================

CERT-NL received the following bulletin, issued by CERT as: 

CERT Vendor-Initiated Bulletin VB-95:04
June 14, 1995

Topic:  Logdaemon/FreeBSD vulnerability in S/Key
Source: Wietse Venema (wietse@wzv.win.tue.nl)

To aid in the wide distribution of essential security information, the 
CERT Coordination Center is forwarding the following information from
Wietse Venema, who urges you to act on this information as soon as possible. 
Please contact Wietse Venema if you have any questions or need further 
information.


========================FORWARDED TEXT STARTS HERE============================

A vulnerability exists in my own S/Key software enhancements.  Since
these enhancements are in wide-spread use, a public announcement is 
appropriate.  The vulnerability affects the following products:

        FreeBSD version 1.1.5.1
        FreeBSD version 2.0
        logdaemon versions before 4.9

I recommend that users of this software follow the instructions given
below in section III. 

- -----------------------------------------------------------------------------

I.   Description

     An obscure oversight was found in software that I derived from
     the S/Key software from Bellcore (Bell Communications Research).
     Analysis revealed that my oversight introduces a vulnerability.

     Note: the vulnerability is not present in the original S/Key
     software from Bellcore.

II.  Impact

     Unauthorized users can gain privileges of other users, possibly
     including root.

     The vulnerability can be exploited only by users with a valid
     account. It cannot be exploited by arbitrary remote users.

     The vulnerability can affect all FreeBSD 1.1.5.1 and FreeBSD 2.0
     implementations and all Logdaemon versions before 4.9. The problem
     exists only when S/Key logins are supported (which is the default
     for FreeBSD). Sites with S/Key logins disabled are not vulnerable.

III. Solution

     Logdaemon users: 
     ================
        Upgrade to version 4.9

            URL ftp://ftp.win.tue.nl/pub/security/logdaemon-4.9.tar.gz.
            MD5 checksum 3d01ecc63f621f962a0965f13fe57ca6

        To plug the hole, build and install the ftpd, rexecd and login
        programs. If you installed the keysu and skeysh commands, these
        need to be replaced too.

     FreeBSD 1.1.5.1 and FreeBSD 2.0 users: 
     ======================================
        Retrieve the corrected files that match the system you are
        running:

            URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-1.1.5.1.tgz
            MD5 checksum bf3a8e8e10d63da9de550b0332107302

            URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-2.0.tgz
            MD5 checksum d58a17f4216c3ee9b9831dbfcff93d29

        Unpack the tar archive and follow the instructions in the
        README file.

     FreeBSD current users:  
     ======================
        Update your /usr/src/lib/libskey sources and rebuild and
        install libskey (both shared and non-shared versions).

        The vulnerability has been fixed with FreeBSD 2.0.5.

- -----------------------------------------------------------------------------

S/KEY is a trademark of Bellcore (Bell Communications Research).

Wietse Venema appreciates helpful assistance with the resolution of
this vulnerability from CERT/CC; Rodney W.  Grimes, FreeBSD Core Team
Member; Guido van Rooij, Philips Communication and Processing Services;
Walter Belgers.



=========================FORWARDED TEXT ENDS HERE=============================

We thank Wietse Venema and CERT/CC for providing us the information regarding 
this Security Bulletin
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IFTSYjBqwfc9jEQJcdgCgusqZONz+u8jPn04oZlV3DkbLUrkAoLI4
6ljckLhN2n9QylZpyeNOLJMA
=1L49
-----END PGP SIGNATURE-----