CERT® Advisory CA-1995-03 Telnet Encryption Vulnerability

Original issue date: March 3, 1995
Last revised: September 23, 1997
Updated copyright statement

A complete revision history is at the end of this file.

This advisory supersedes CA-95.03.

The CERT Coordination Center has received reports of a serious security problem in the Berkeley Telnet clients that provide support for the experimental Telnet encryption option using the Kerberos V4 authentication. All known released versions of the BSD Telnet that support Kerberos V4 authentication and encryption are affected.

We recommend that all sites that use encrypted telnet in conjunction with Kerberos V4 obtain a patch or upgraded version of Telnet according to the instructions in Section III below.

We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.

I. Description

There is a vulnerability in Berkeley Telnet clients that support encryption and Kerberos V4 authentication. This vulnerability substantially reduces the effectiveness of the encryption.

II. Impact

Anyone who can access and read packets that make up the encrypted Telnet session can easily decrypt the session. This is possible, for example, when an intruder uses a packet sniffer on the network to intercept the Telnet sessions.

III. Solution

Obtain and install the appropriate patch according to the instructions included with the patch.

Appendix A contains a summary of the vendors who have reported to us and the status they provided, including how to obtain patches. We will update the appendix as we receive more information from vendors.

Appendix A: Vendor Information

Below is information we have received from vendors who have patches available or upcoming, along with names of vendors who have reported that their products do not have the problem.

If you have an encrypting Telnet from a vendor who is not listed, please contact that vendor for information regarding how to get a fixed version.

PATCH INFORMATION

Berkeley Software Distribution (BSD)

A source-code patch, along with the domestic version of the most recently released Telnet sources from Berkeley, is available by anonymous FTP from

    net-dist.mit.edu:/pub/telnet/telnet.patch

There is also a PGP ASCII signature file for the patch in

    net-dist.mit.edu:/pub/telnet/telnet.patch.sig

This patch can also be found in CERT Advisory CA-95.03a, Appendix B. (Note: Do not calculate a checksum for Appendix B alone. It will not match the checksum of the FTP version of the patch because the tabs in the FTP copy have been replaced with blank spaces in the CA-95.03a Appendix B copy.)

FTP Software, Inc.

Customers of FTP Software with an encrypting telnet (provided in the PC/TCP or OnNet packages) should call the FTP technical support line at 1-800-282-4387 and ask for the "tn encrypt patch".

National Center for Supercomputer Applications (NCSA)

Users of NCSA Telnet should upgrade to NCSA Telnet 2.6.1d7 AND install the appropriate Kerberos plug-in, both of which are available by anonymous FTP from ftp.ncsa.uiuc.edu

Upgrade

    /Mac/Telnet/Telnet2.6/prerelease/d7/Telnet2.6.1d7(68K).sit.hqx
    /Mac/Telnet/Telnet2.6/prerelease/d7/Telnet2.6.1d7(fat).sit.hqx

Kerberos plug-ins

    /Mac/Telnet/Telnet2.6/prerelease/AuthMan.plugin.1.0b1.hqx
    /Mac/Telnet/Telnet2.6/prerelease/Kerberos_Telnet_plugin.sit.hqx

Questions regarding NCSA Telnet should be directed to

Appendix B: Patch for Vulnerability in Telnet Encryption Option

Index: auth.c
RCS file: /mit/krb5/.cvsroot/src/appl/telnet/libtelnet/auth.c,v
retrieving revision 5.5
retrieving revision 5.7
diff -u -r5.5 -r5.7
--- auth.c 1994/08/18 21:06:45 5.5
+++ auth.c 1994/11/08 04:39:02 5.7
@@ -244,7 +244,7 @@
{
register int x;
- if (strcasecmp(type, AUTHTYPE_NAME(0))) {
+ if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
*maskp = -1;
return(1);
}
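
Review bot: The corrected test `if (!strcasecmp(type, AUTHTYPE_NAME(0)))` would read more safely as an explicit `strcasecmp(type, AUTHTYPE_NAME(0)) == 0`, since the bug fixed on this line is exactly a misreading of strcasecmp's zero-on-match return value. With the old line, every name that did not match AUTHTYPE_NAME(0) took the `*maskp = -1; return(1);` path. A short comment stating that this branch handles only the type-0 name and sets the full mask would help keep the sense from being flipped again.
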
@@ -260,14 +260,14 @@
int
auth_enable(type)
- - int type;
+ char * type;
{
return(auth_onoff(type, 1));
}
int
auth_disable(type)
- - int type;
+ char * type;
{
return(auth_onoff(type, 0));
}
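
Review bot: auth_enable and auth_disable are K&R-style definitions, so nothing lets the compiler check callers against the corrected `char * type` parameter, which both functions pass straight through as `auth_onoff(type, 1)` and `auth_onoff(type, 0)`. Adding prototypes for these functions to a header that their callers include would turn the old `int type` mismatch into a compile-time diagnostic. The removed lines here and in the later hunks are also printed as `- - int type;` with a doubled dash, which has to be a single `-` before the hunk can match the 5.5 source.
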
@@ -277,15 +277,20 @@
char *type;
int on;
{
- - int mask = -1;
+ int i, mask = -1;
Authenticator *ap;
if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
printf("auth %s 'type'\n", on ? "enable" : "disable");
printf("Where 'type' is one of:\n");
printf("\t%s\n", AUTHTYPE_NAME(0));
- - for (ap = authenticators; ap->type; ap++)
+ mask = 0;
+ for (ap = authenticators; ap->type; ap++) {
+ if ((mask & (i = typemask(ap->type))) != 0)
+ continue;
+ mask |= i;
printf("\t%s\n", AUTHTYPE_NAME(ap->type));
+ }
return(0);
}
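
Review bot: In the help branch, the assignment buried in the condition `if ((mask & (i = typemask(ap->type))) != 0)` is easy to misread; putting `i = typemask(ap->type);` on its own line before the test would make the skip-if-already-listed logic obvious. The loop also reuses `mask`, declared as `int i, mask = -1;`, as its accumulator of types already printed. That is harmless only because this branch ends in `return(0)`; a separate local (for example `seen`) would keep the listing logic from disturbing the mask used further down if the early return is ever removed.
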
@@ -293,7 +298,6 @@
printf("%s: invalid authentication type\n", type);
return(0);
}
- - mask = getauthmask(type, &mask);
if (on)
i_wont_support &= ~mask;
else
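
Review bot: With `mask = getauthmask(type, &mask);` removed, the visible context no longer shows where `mask` is filled in before `i_wont_support &= ~mask;` uses it. The removed line overwrote the variable it had just passed by address with the call's return value, so dropping it is right, but please confirm that the check guarding the `invalid authentication type` message is the call that stores the mask through `&mask`, and say so in a comment. Otherwise `mask` keeps the initial -1 from its declaration.
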
@@ -317,16 +321,22 @@
auth_status()
{
Authenticator *ap;
+ int i, mask;
if (i_wont_support == -1)
printf("Authentication disabled\n");
else
printf("Authentication enabled\n");
- - for (ap = authenticators; ap->type; ap++)
+ mask = 0;
+ for (ap = authenticators; ap->type; ap++) {
+ if ((mask & (i = typemask(ap->type))) != 0)
+ continue;
+ mask |= i;
printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
(i_wont_support & typemask(ap->type)) ?
"disabled" : "enabled");
+ }
return(1);
}
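
Review bot: Inside the new loop in auth_status, `typemask(ap->type)` is evaluated a second time in the printf argument `(i_wont_support & typemask(ap->type))` even though the value is already held in `i`; using `i` there avoids the duplicate call and keeps the two uses from drifting apart. This skip-duplicates loop is also a copy of the one added to the help branch two hunks earlier, so a small helper that walks `authenticators` and visits each distinct type mask once would leave a single place to maintain.
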
The CERT Coordination Center wishes to thank Theodore Ts'o of the Massachusetts Institute of Technology for identifying and developing a solution to this problem. We also thank Douglas Engert of Argonne National Laboratory for pointing out the omission in our original Appendix B.

This document is available from: http://www.cert.org/advisories/CA-1995-03.html

CERT/CC Contact Information

Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY Conditions for use, disclaimers, and sponsorship information
Copyright 1995, 1996 Carnegie Mellon University.

Revision History

Sep. 23, 1997  Updated copyright information
Aug. 30, 1996  Information previously in the README was inserted into the advisory.
Mar. 03, 1995  Appendix A summary list - Digital Equipment and Sequent added as "not affected by the vulnerability"
Mar. 03, 1995  This advisory superseded CA-95.03, which had a portion of the patch missing from Appendix B.