CA-96:03.README

Issue date: February 21, 1996

Revision history
    Mar. 08, 1996  Added vendor information for TGV Software, Inc. and Transarc
    Feb. 23, 1996  Noted change in readme.patch file; new MD5 checksums

This file is a supplement to CERT advisory CA-96.03, "Vulnerability in Kerberos 4 Key Server." We update this file as additional information becomes available.

Note: We recommend checking with your vendor for current MD5 checksum values. After we publish checksums in advisories and READMEs, the checksums may become obsolete because the files they refer to have been updated.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Added February 23, 1996

MIT has updated the patch described in advisory CA-96.03. The actual patch has not changed, but the README.PATCH file (part of random_patch.tar.*), which contains instructions on how to install the patch, has been edited to include the following new paragraph:

>IMPORTANT: After running fix_kdb_keys you must kill and restart the
>kerberos server process (it has the old keys cached in memory). Also,
>if you operate any Kerberos slave servers, you need to perform a slave
>propagation immediately to update the keys on the slaves.

Updated files are now available on "athena-dist.mit.edu", including an updated random_patch.md5 file which contains the MD5 checksums of random_patch.tar.* and is PGP signed by Jeffrey I. Schiller. The updated files are also available from

    ftp://info.cert.org/pub/vendors/mit/Patches/Kerberos-V4/

The new checksums are

    MD5 (random_patch.md5)    = ecf5412094572e183aa33ae4e5f197b8
    MD5 (random_patch.tar.Z)  = e925b687a05a8c6321b2805026253315
    MD5 (random_patch.tar.gz) = 003226914427094a642fd1f067f589d2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The text below the dotted line originally appeared as an appendix in the advisory.
..............................................................................

Below is information we have received from vendors concerning the vulnerability described in this advisory. If you do not see your vendor's name, please contact the vendor directly for information.

The Santa Cruz Operation, Inc.
------------------------------
The Kerberos 4 problem does not affect SCO. SCO OpenServer, SCO Open Desktop, SCO UnixWare, SCO Unix, and SCO Xenix do not support Kerberos. The SCO Security Server, an add-on product for SCO OpenServer 3 and SCO OpenServer 5, supports Kerberos V5 authentication. This product cannot be configured to be Kerberos V4 compatible; therefore, it is not vulnerable.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Added March 8, 1996

TGV Software, Inc.
------------------
TGV has made two Kerberos ECO kits available (one for MultiNet V3.4 and one for V3.5) for Anonymous FTP. If you are running Kerberos, we _strongly_ urge you to apply this kit.

To obtain the kit, FTP to ECO.TGV.COM, username ANONYMOUS, password either KERBEROS-034 or KERBEROS-035 (depending on the version of MultiNet that you are running) and download the ECO kit:

    ftp://anonymous:kerberos-035@eco.tgv.com

The kit is available in both VMS BACKUP save set format as well as in a compressed .ZIP file. Use VMSINSTAL to apply the ECO. Once you have completed the upgrade, the KITREMARK.VUR file from the ECO kit will be displayed, providing instructions during the installation process.

If you have any questions, please send an e-mail message to MultiNet-VMS@Support.TGV.COM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Added March 8, 1996

Transarc Corporation
--------------------
Kerberos Version 4.0 is used in our AFS product (all versions of AFS), while Kerberos Version 5.0 is used in our DCE product (Kerberos Version 5.0 is used in ALL DCE products).

In light of the COAST work, Transarc is doing a security review of Kerberos 4.0 and AFS. We expect to provide some procedural changes to improve security in new cells, and we will make code changes as necessary.

OSF also reviewed Kerberos 5.0, and they have released a source patch for Kerberos 5.0 that strengthens the random number generator in Kerberos 5.0. This patch is relevant to all versions of DCE (but not to AFS since it is based on Kerberos 4.0). Transarc has this OSF patch available for DCE 1.1 on Solaris 2.4, DCE 1.0.3a on Solaris 2.4, DCE 1.0.3a on Solaris 2.3, and DCE 1.0.3a on Sun OS 4.1.3. Please contact Transarc Customer Support for access to these patches.

Please feel free to contact me directly if you have further questions about this issue. For pointers and background on these issues please refer to

    http://www.transarc.com/afs/transarc.com/public/www/Public/Support/security-update.html

Liz Hines
Hines@transarc.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
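Checking a downloaded patch against checksum lines in the form published in the February 23 section above ("MD5 (file) = digest"), as an added example that is not part of this CERT README or of MIT's patch. The manifest text and file contents below are constructed; the real random_patch.tar.* archives are not included, and the PGP signature on random_patch.md5 must be verified separately before the manifest is trusted.

```python
import hashlib
import re

# One BSD-style checksum line as printed in random_patch.md5 and the README,
# e.g. "MD5 (random_patch.tar.Z) = e925b687a05a8c6321b2805026253315".
_MD5_LINE = re.compile(
    r"^\s*MD5\s*\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]{32})\s*$")


def parse_md5_manifest(text: str) -> dict:
    """Return {filename: digest} for every well-formed MD5 line; other lines
    (PGP clear-sign armour, blanks) are skipped, so a signed file passes whole."""
    manifest = {}
    for line in text.splitlines():
        m = _MD5_LINE.match(line)
        if m:
            manifest[m.group("name").strip()] = m.group("digest").lower()
    return manifest


def verify_files(manifest_text: str, files: dict) -> dict:
    """Return {filename: "ok" | "mismatch" | "missing"} for each manifest
    entry; anything but "ok" means the download must not be installed."""
    results = {}
    for name, expected in parse_md5_manifest(manifest_text).items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif hashlib.md5(data).hexdigest() == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def all_ok(results: dict) -> bool:
    """True only when every manifest entry was present and matched."""
    return bool(results) and all(s == "ok" for s in results.values())


# Constructed sample inputs (not the real archives): a manifest in the
# page's format and fake file contents, one matching and one tampered.
SAMPLE_MANIFEST = """\
MD5 (random_patch.tar.Z) = 900150983cd24fb0d6963f7d28e17f72
MD5 (random_patch.tar.gz) = d41d8cd98f00b204e9800998ecf8427e
"""
SAMPLE_FILES = {
    "random_patch.tar.Z": b"abc",        # md5("abc") matches the manifest
    "random_patch.tar.gz": b"tampered",  # manifest digest is md5(""), so mismatch
}
```

Because the README warns that published checksums go stale when vendors update files, a "mismatch" is a reason to re-fetch the current random_patch.md5, not to install anyway.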