US/CIAC Bulletin F-12: Kerberos Telnet Encryption Vulnerability

Steve Weeber (weeber@eek.llnl.gov)
Tue, 21 Feb 1995 13:11:44 -0500 

FYI _vin
            _____________________________________________________
                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
            _____________________________________________________

                            INFORMATION BULLETIN

                   Kerberos Telnet Encryption Vulnerability

February 21, 1995 1000 PST                                        Number F-12
_____________________________________________________________________________

PROBLEM:       Encrypted Telnet sessions may be decrypted by an intruder.
PLATFORMS:     MS-DOS, Macintosh, and Unix systems using Telnet clients
               with Kerberos V4 encryption.
DAMAGE:        Encrypted session contents may be compromised.
SOLUTION:      Obtain patch or upgrade as described below.
_____________________________________________________________________________

VULNERABILITY  This vulnerability may disclose sensitive information
ASSESSMENT:    transmitted via encrypted Telnet sessions.  Affected systems
               should be patched as soon as possible.
_____________________________________________________________________________

   Critical Information about the Kerberos Telnet Encryption Vulnerability

A serious vulnerability exists in Telnet clients supporting encrypted
sessions using Kerberos V4 authentication.  Anyone with the ability to
examine network traffic may easily decode an encrypted session.  All sites
using encrypted Telnet with Kerberos V4 should obtain the appropriate patch
or upgrade as described below.

Below is a summary of vendors known to either be vulnerable or not
vulnerable.  If you have an encrypting Telnet from another vendor, please
contact that vendor or CIAC for more information.

   Vendor                                 Status
   ------------------------------------   -----------------
   Berkeley Software Distribution (BSD)   Patch available
   Data General Corporation               Not affected
   FTP Software                           Patch available
   Harris NightHawk System                Not affected
   Hewlett-Packard                        Not affected
   National Center for Supercomputer
     Applications (NCSA)                  Upgrade available
   Open Software Foundation               Not affected
   The Santa Cruz Operation (SCO)         Not affected
   Sun Microsystems                       Not affected


Patch Information
-----------------

Berkeley Software     A patch, along with the latest version of the domestic
Distribution (BSD)    Telnet sources, is available via anonymous FTP at
                      ftp://net-dist.mit.edu/pub/telnet/.  The patch file,
                      telnet.patch, has an MD5 checksum of
                      65d56befe3d0f1699d38de5509552578.


FTP Software          Sites using an encrypting Telnet from the FTP Software's
                      PC/TCP or OnNet packages may call FTP technical
                      support at 1-800-282-4387 and ask for the "tn encrypt
                      patch."


National Center for   NCSA Telnet users should upgrade to version 2.6.1d7
Supercomputer         and install the appropriate Kerberos plug-in.  These
Applications (NCSA)   fixes are available via anonymous FTP at
                      ftp.ncsa.uiuc.edu.

                      Two versions of the Telnet program are available in
                      the directory /Mac/Telnet/Telnet2.6/prerelease/d7/:

                         Telnet2.6.1d7(68K).sit.hqx
                         MD5 b34b9fda59421b3b83f8df08a83f83b5

                         Telnet2.6.1d7(fat).sit.hqx
                         MD5 877add7c3d298111889fc3f2f272ce6f

                      The Kerberos plug-ins are found in the directory
                      /Mac/Telnet/Telnet2.6/prerelease/:

                         AuthMan.plugin.1.0b1.hqx
                         MD5 df727eae184b22125f90ef1a31513fd4

                         Kerberos_Telnet_plugin.sit.hqx
                         MD5 dbda691efe9038648f234397895c734d

_____________________________________________________________________________

CIAC wishes to acknowledge the contributions of the CERT Coordination Center
in the construction of this bulletin.
_____________________________________________________________________________

For emergencies and off-hour assistance, DOE and DOE contractor sites can
contact CIAC 24-hours a day via an integrated voicemail and SKYPAGE number.
To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The
primary SKYPAGE PIN number, 8550070 is for the CIAC duty person. A second
PIN, 8550074 is for the CIAC Project Leader.  CIAC's FAX number is
510-423-8002, and the STU-III number is 510-423-2604.  Send E-mail to
ciac@llnl.gov.

Previous CIAC notices, anti-virus software, and other information are
available on the Internet via anonymous FTP from ciac.llnl.gov (IP address
128.115.19.53).

CIAC has several self-subscribing mailing lists for electronic publications:
1.  CIAC-BULLETIN for Advisories, highest priority - time critical
    information, and Bulletins, important computer security information;
2.  CIAC-NOTES for Notes, a collection of computer security articles;
3.  SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
    software updates, new features, distribution and availability;
4.  SPI-NOTES, for discussion of problems and solutions regarding the use of
    SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:

subscribe list-name LastName, FirstName PhoneNumber

as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName" "FirstName" and "PhoneNumber."  Send to: ciac-listproc@llnl.gov
not to: ciac@llnl.gov

e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
_____________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.