f-12.ciac-Kerberos-Telnet-Encryption
99b15970914ef37837e8b36c067bd2ea2f17b93a8531de5e8254ff3e33066f36
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________
INFORMATION BULLETIN
Kerberos Telnet Encryption Vulnerability
February 21, 1995 1000 PST Number F-12
_____________________________________________________________________________
PROBLEM: Encrypted Telnet sessions may be decrypted by an intruder.
PLATFORMS: MS-DOS, Macintosh, and Unix systems using Telnet clients
with Kerberos V4 encryption.
DAMAGE: Encrypted session contents may be compromised.
SOLUTION: Obtain patch or upgrade as described below.
_____________________________________________________________________________
VULNERABILITY This vulnerability may disclose sensitive information
ASSESSMENT: transmitted via encrypted Telnet sessions. Affected systems
should be patched as soon as possible.
_____________________________________________________________________________
Critical Information about the Kerberos Telnet Encryption Vulnerability
A serious vulnerability exists in Telnet clients supporting encrypted
sessions using Kerberos V4 authentication. Anyone with the ability to
examine network traffic may easily decode an encrypted session. All sites
using encrypted Telnet with Kerberos V4 should obtain the appropriate patch
or upgrade as described below.
Below is a summary of vendors known to either be vulnerable or not
vulnerable. If you have an encrypting Telnet from another vendor, please
contact that vendor or CIAC for more information.
Vendor Status
------------------------------------ -----------------
Berkeley Software Distribution (BSD) Patch available
Data General Corporation Not affected
FTP Software Patch available
Harris NightHawk System Not affected
Hewlett-Packard Not affected
IBM AIX Not affected
National Center for Supercomputer
Applications (NCSA) Upgrade available
Open Software Foundation Not affected
The Santa Cruz Operation (SCO) Not affected
Sun Microsystems Not affected
Patch Information
-----------------
Berkeley Software A patch, along with the latest version of the domestic
Distribution (BSD) Telnet sources, is available via anonymous FTP at
ftp://net-dist.mit.edu/pub/telnet/. The patch file,
telnet.patch, has an MD5 checksum of
65d56befe3d0f1699d38de5509552578.
FTP Software Sites using an encrypting Telnet from the FTP Software's
PC/TCP or OnNet packages may call FTP technical
support at 1-800-282-4387 and ask for the "tn encrypt
patch."
National Center for NCSA Telnet users should upgrade to version 2.6.1d7
Supercomputer and install the appropriate Kerberos plug-in. These
Applications (NCSA) fixes are available via anonymous FTP at
ftp.ncsa.uiuc.edu.
Two versions of the Telnet program are available in
the directory /Mac/Telnet/Telnet2.6/prerelease/d7/:
Telnet2.6.1d7(68K).sit.hqx
MD5 b34b9fda59421b3b83f8df08a83f83b5
Telnet2.6.1d7(fat).sit.hqx
MD5 877add7c3d298111889fc3f2f272ce6f
The Kerberos plug-ins are found in the directory
/Mac/Telnet/Telnet2.6/prerelease/:
AuthMan.plugin.1.0b1.hqx
MD5 df727eae184b22125f90ef1a31513fd4
Kerberos_Telnet_plugin.sit.hqx
MD5 dbda691efe9038648f234397895c734d
_____________________________________________________________________________
CIAC wishes to acknowledge the contributions of the CERT Coordination Center
in the construction of this bulletin.
_____________________________________________________________________________
For emergencies and off-hour assistance, DOE and DOE contractor sites can
contact CIAC 24-hours a day via an integrated voicemail and SKYPAGE number.
To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The
primary SKYPAGE PIN number, 8550070 is for the CIAC duty person. A second
PIN, 8550074 is for the CIAC Project Leader. CIAC's FAX number is
510-423-8002, and the STU-III number is 510-423-2604. Send E-mail to
ciac@llnl.gov.
Previous CIAC notices, anti-virus software, and other information are
available on the Internet via anonymous FTP from ciac.llnl.gov (IP address
128.115.19.53).
CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information, and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
SPI products.
Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:
subscribe list-name LastName, FirstName PhoneNumber
as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName" "FirstName" and "PhoneNumber." Send to: ciac-listproc@llnl.gov
not to: ciac@llnl.gov
e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36
You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
_____________________________________________________________________________
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.