From owner-doc-jp@jp.freebsd.org  Fri Jul 14 15:28:22 2000
Message-Id: <200007140628.e6E6SJR23572@koga.do.mms.mt.nec.co.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <200007122236.PAA18508@freefall.freebsd.org>
References: <200007122236.PAA18508@freefall.freebsd.org>
X-Mailer: Mew version 1.94.2 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Fri, 14 Jul 2000 15:28:18 +0900 (JST)
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
Lines: 221
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7557
Subject: [doc-jp 7557] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:33.kerberosIV
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: y-koga@jp.freebsd.org

The last one.

BEGIN------------------- from here ------------------------
 This mail is a Japanese translation of the following message, which
 was posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:33.kerberosIV
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Wed, 12 Jul 2000 15:36:59 -0700 (PDT)
  Message-Id: <200007122236.PAA18508@freefall.freebsd.org>
  X-Sequence: announce-jp 478

 The original is PGP-signed, but this Japanese translation is not
 PGP-signed. To run a PGP check confirming that the contents, such as
 patches, have not been tampered with, refer to the original.

 The Japanese translation is provided for reference by the FreeBSD
 Japanese Documentation Project (doc-jp), and doc-jp makes no warranty
 whatsoever about its content. Please send inquiries about the
 Japanese translation to doc-jp@jp.FreeBSD.org.

--(from here)
=============================================================================
FreeBSD-SA-00:33                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	kerberosIV distribution contains multiple vulnerabilities
		under FreeBSD 3.x

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	kerberosIV
$B9pCNF|(B:		2000-07-12
$B%/%l%8%C%H(B:	Assar Westerlund <assar@FreeBSD.org>
$B1F6AHO0O(B:	$B=$@5F|$h$jA0$N(B FreeBSD 3.x $B%7%9%F%`(B
$B=$@5F|(B:		2000-07-06
FreeBSD $B$K8GM-$+(B:	NO

I.   $BGX7J(B - Background

KTH Kerberos is an implementation of the Kerberos 4 protocol which
is distributed as an optional component of the base system.

KTH Kerberos $B$O(B, FreeBSD $B$N(B base $B%7%9%F%`$NDI2C%3%s%]!<%M%s%H$H$7$FG[(B
$BIU$5$l$F$$$k(B Kerberos 4 $B%W%m%H%3%k$N<BAu$G$9(B. 

II.  $BLdBj$N>\:Y(B - Problem Description

Vulnerabilities in the MIT Kerberos 5 port were the subject of an
earlier FreeBSD Security Advisory (SA-00:20). At the time it was
believed that the implementation of Kerberos distributed with FreeBSD
was not vulnerable to these problems, but it was later discovered that
FreeBSD 3.x contained an older version of KTH Kerberos 4 which is in
fact vulnerable to at least some of these vulnerabilities. FreeBSD
4.0-RELEASE and later are unaffected by this problem, although FreeBSD
3.5-RELEASE is vulnerable.

$B0JA0(B, FreeBSD Security Advisory (SA-00:20) $B$G(B, MIT Kerberos 5 $B$N(B port 
$B$K$D$$$F$N%;%-%e%j%F%#>e$NLdBj$r<h$j>e$2$^$7$?(B. $B$=$N;~E@$G$O(B, FreeBSD 
$B$K$*$1$k(B Kerberos $B$N<BAu$K$O$=$NLdBj$,$J$$$H9M$($i$l$F$$$^$7$?(B. $B$7$+$7(B, 
$B:G6a$K$J$C$F(B FreeBSD 3.x $B$K4^$^$l$k8E$$%P!<%8%g%s$N(B KTH Kerberos 4 $B$K(B
$B$O(B, $B<B:]$K$O$=$l$i$NLdBj$N$$$/$D$+$,$"$k$3$H$,H=L@$7$^$7$?(B. FreeBSD
4.0-RELEASE $B0J9_$G$O$3$NLdBj$K$h$k1F6A$O$"$j$^$;$s$,(B, FreeBSD
3.5-RELEASE $B$O$3$NLdBj$r4^$s$G$$$^$9(B. 

The exact extent of the vulnerabilities is not known, but is likely
to include local root vulnerabilities on both Kerberos clients and
servers, and remote root vulnerabilities on Kerberos servers. For the
client vulnerabilities, it is not necessary that Kerberos client
functionality be actually configured, merely that the binaries be
present on the system.

The exact breakdown of the vulnerabilities is not known. However,
they are thought to include problems that let a local user obtain
root privileges on both Kerberos client and server systems, and
problems that let a remote user obtain root privileges on Kerberos
server systems. For clients, the Kerberos client functionality does
not need to be actually configured; the mere presence of the binaries
on the system is a weakness.

III. $B1F6AHO0O(B - Impact

Local or remote users can obtain root access on the system running
Kerberos, whether as client or server.

Local or remote users can obtain root privileges on a system that is
running Kerberos as a client or as a server.

If you have not chosen to install the KerberosIV distribution on your
FreeBSD 3.x system, then your system is not vulnerable to this
problem.

FreeBSD 3.x $B%7%9%F%`$K(B KerberosIV $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P(B, $B$=$N%7(B
$B%9%F%`$K$3$NLdBj$K$D$$$F$N%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s(B.

IV.  $BBP1~:v(B - Workaround

Due to the nature of the vulnerability there are several programs and
network services which are affected. The following libraries and
utilities are installed by the KerberosIV distribution and must be
removed or replaced with non-Kerberos versions to disable all
Kerberos-related code.

Because of the nature of the vulnerability, several programs and
network services are affected. The following libraries and utilities
are the ones installed by KerberosIV. These files must be removed or
replaced with non-Kerberos versions so that all Kerberos-related code
is disabled.

bin/rcp (*)
sbin/dump (*)
sbin/restore (*)
usr/bin/kadmin
usr/bin/kauth
usr/bin/kdestroy
usr/bin/kinit
usr/bin/klist
usr/bin/ksrvtgt
usr/bin/telnet (*)
usr/bin/cvs (*)
usr/bin/passwd (*)
usr/bin/rlogin (*)
usr/bin/rsh (*)
usr/bin/su (*)
usr/lib/libacl.a
usr/lib/libacl_p.a
usr/lib/libacl.so.3
usr/lib/libacl.so
usr/lib/libkadm.a
usr/lib/libkadm_p.a
usr/lib/libkadm.so.3
usr/lib/libkadm.so
usr/lib/libkafs.a
usr/lib/libkafs_p.a
usr/lib/libkafs.so.3
usr/lib/libkafs.so
usr/lib/libkdb.a
usr/lib/libkdb_p.a
usr/lib/libkdb.so.3
usr/lib/libkdb.so
usr/lib/libkrb.a
usr/lib/libkrb_p.a
usr/lib/libkrb.so.3
usr/lib/libkrb.so
usr/lib/libtelnet.a
usr/lib/libtelnet_p.a
usr/libexec/kauthd
usr/libexec/kipd
usr/libexec/kpropd
usr/libexec/telnetd (*)
usr/libexec/rlogind (*)
usr/libexec/rshd (*)
usr/sbin/ext_srvtab
usr/sbin/kadmind
usr/sbin/kdb_destroy
usr/sbin/kdb_edit
usr/sbin/kdb_init
usr/sbin/kdb_util
usr/sbin/kerberos
usr/sbin/kip
usr/sbin/kprop
usr/sbin/ksrvutil
usr/sbin/kstash

The files marked with a "(*)" are part of the base FreeBSD system when
the Kerberos distribution is not installed, and are replaced when
Kerberos is installed. Therefore you will need to replace them with
non-Kerberos versions from another system, or perform a recompilation
or reinstallation of FreeBSD after removal, if you wish to continue to
use them.

Files marked with "(*)" are included in the FreeBSD base system when
Kerberos is not installed, but are replaced when Kerberos is
installed. Therefore, to keep using them, you need to replace them
with non-Kerberos versions, or remove them once and then recompile or
reinstall FreeBSD.

If you have chosen to install any ports with Kerberos support, such as
the security/ssh port, then you should also remove, or recompile these
with support disabled.

security/ssh $B$N(B port $B$N$h$&$J(B, Kerberos $BBP1~$N(B ports $B$r%$%s%9%H!<%k$7(B
$B$F$$$k>l9g(B, $B$=$l$i$K$D$$$F$b:o=|$9$k$+(B, Kerberos $B$NBP1~$rL58z$K$7$F:F(B
$B%3%s%Q%$%k$9$Y$-$G$9(B. 

As an interim measure, access control measures (either a perimeter
firewall, or a local firewall on the affected machine - see the
ipfw(8) manpage for more information) can be used to prevent remote
systems from connecting to Kerberos services on a vulnerable Kerberos
server.

As an interim measure, access control can be used to refuse
connections from remote systems to the Kerberos services on a
vulnerable Kerberos server (done with either a perimeter firewall or
a local firewall on the affected machine; see the ipfw(8) manual for
details).

V.   $B=$@5=hCV(B - Solution

Upgrade your vulnerable FreeBSD 3.x system to a version of FreeBSD
dated after the correction date (FreeBSD 3.5-STABLE dated after the
correction date, 4.0-RELEASE or 4.0-STABLE). See
http://www.freebsd.org/handbook/makeworld.html for more information
about upgrading FreeBSD from source.

$B<eE@$N$"$k(B FreeBSD 3.x $B%7%9%F%`$r(B, $B=$@5F|0J9_$N$b$N$K%"%C%W%0%l!<%I$9(B
$B$k(B ($B=$@5F|0J9_$N(B FreeBSD 3.5-STABLE $B$+(B, 4.0-RELEASE, 4.0-STABLE). 
FreeBSD $B%7%9%F%`$r%=!<%9$+$i%"%C%W%0%l!<%I$9$kJ}K!$K$D$$$F$O(B, 
http://www.freebsd.org/handbook/makeworld.html $B$K(B, $B>\$7$/:\$C$F$$$^$9(B. 

Be sure to install the Kerberos code when performing an upgrade
(whether by source or by a binary upgrade) to ensure that the old
binaries are no longer present on the system.

When upgrading, be sure to install the Kerberos code so that no old
binaries are left on the system.

See the note in section IV. above about recompiling ports which were
compiled with Kerberos support.

Kerberos $B$KBP1~$7$F$$$k(B ports $B$N:F%3%s%Q%$%k$K$D$$$F$O(B IV $B>O$r;2>H$7$F(B
$B$/$@$5$$(B. 
END--------------------- $B$3$3$^$G(B ------------------------
----
$B$3$,$h$&$$$A$m$&(B
