FYI _vin _____________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ _____________________________________________________ INFORMATION BULLETIN Kerberos Telnet Encryption Vulnerability February 21, 1995 1000 PST Number F-12 _____________________________________________________________________________ PROBLEM: Encrypted Telnet sessions may be decrypted by an intruder. PLATFORMS: MS-DOS, Macintosh, and Unix systems using Telnet clients with Kerberos V4 encryption. DAMAGE: Encrypted session contents may be compromised. SOLUTION: Obtain patch or upgrade as described below. _____________________________________________________________________________ VULNERABILITY This vulnerability may disclose sensitive information ASSESSMENT: transmitted via encrypted Telnet sessions. Affected systems should be patched as soon as possible. _____________________________________________________________________________ Critical Information about the Kerberos Telnet Encryption Vulnerability A serious vulnerability exists in Telnet clients supporting encrypted sessions using Kerberos V4 authentication. Anyone with the ability to examine network traffic may easily decode an encrypted session. All sites using encrypted Telnet with Kerberos V4 should obtain the appropriate patch or upgrade as described below. Below is a summary of vendors known to either be vulnerable or not vulnerable. If you have an encrypting Telnet from another vendor, please contact that vendor or CIAC for more information. Vendor Status ------------------------------------ ----------------- Berkeley Software Distribution (BSD) Patch available Data General Corporation Not affected FTP Software Patch available Harris NightHawk System Not affected Hewlett-Packard Not affected National Center for Supercomputer Applications (NCSA) Upgrade available Open Software Foundation Not affected The Santa Cruz Operation (SCO) Not affected Sun Microsystems Not affected Patch Information ----------------- Berkeley Software A patch, along with the latest version of the domestic Distribution (BSD) Telnet sources, is available via anonymous FTP at ftp://net-dist.mit.edu/pub/telnet/. The patch file, telnet.patch, has an MD5 checksum of 65d56befe3d0f1699d38de5509552578. FTP Software Sites using an encrypting Telnet from the FTP Software's PC/TCP or OnNet packages may call FTP technical support at 1-800-282-4387 and ask for the "tn encrypt patch." National Center for NCSA Telnet users should upgrade to version 2.6.1d7 Supercomputer and install the appropriate Kerberos plug-in. These Applications (NCSA) fixes are available via anonymous FTP at ftp.ncsa.uiuc.edu. Two versions of the Telnet program are available in the directory /Mac/Telnet/Telnet2.6/prerelease/d7/: Telnet2.6.1d7(68K).sit.hqx MD5 b34b9fda59421b3b83f8df08a83f83b5 Telnet2.6.1d7(fat).sit.hqx MD5 877add7c3d298111889fc3f2f272ce6f The Kerberos plug-ins are found in the directory /Mac/Telnet/Telnet2.6/prerelease/: AuthMan.plugin.1.0b1.hqx MD5 df727eae184b22125f90ef1a31513fd4 Kerberos_Telnet_plugin.sit.hqx MD5 dbda691efe9038648f234397895c734d _____________________________________________________________________________ CIAC wishes to acknowledge the contributions of the CERT Coordination Center in the construction of this bulletin. _____________________________________________________________________________ For emergencies and off-hour assistance, DOE and DOE contractor sites can contact CIAC 24-hours a day via an integrated voicemail and SKYPAGE number. To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The primary SKYPAGE PIN number, 8550070 is for the CIAC duty person. A second PIN, 8550074 is for the CIAC Project Leader. CIAC's FAX number is 510-423-8002, and the STU-III number is 510-423-2604. Send E-mail to ciac@llnl.gov. Previous CIAC notices, anti-virus software, and other information are available on the Internet via anonymous FTP from ciac.llnl.gov (IP address 128.115.19.53). CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information, and Bulletins, important computer security information; 2. CIAC-NOTES for Notes, a collection of computer security articles; 3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send requests of the following form: subscribe list-name LastName, FirstName PhoneNumber as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and "PhoneNumber." Send to: ciac-listproc@llnl.gov not to: ciac@llnl.gov e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36 subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36 You will receive an acknowledgment containing address and initial PIN, and information on how to change either of them, cancel your subscription, or get help. _____________________________________________________________________________ PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending E-mail to first-request@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.