-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-026 ================================= Topic: Buffer overflow in kadmind daemon Version: NetBSD-current: source prior to October 21 2002 NetBSD-1.6: affected NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4.*: not affected Severity: remote buffer overflow, resulting in root exploit Fixed: NetBSD-current: October 22, 2002 NetBSD-1.6 branch: October 22, 2002 NetBSD-1.5 branch: October 22, 2002 Abstract ======== Kadmind is the server for administrative access to kerberos database, and comes from the Heimdal Kerberos implementation used by NetBSD. In Heimdal releases earlier than 0.5.1 kadmind has a buffer overflow in the kerberos version 4 compatibility code. The kadmind daemon has never been enabled by default in NetBSD; enabling it would require a change in /etc/inetd.conf. Technical Details ================= All versions prior to Heimdal 0.5.1 and 0.4enb1 are vulnerable. NetBSD 1.5, 1.6, and -current (prior to October 21, 2002) ship with a vulnerable version. The problem is a buffer overflow in the kerberos version 4 compatibility layer of kadmind. See also: http://www.pdc.kth.se/heimdal/ Solutions and Workarounds ========================= For most users this is not a vital service and is likely not enabled. The only user of kadmin should be the kdc in a kerberos realm. Since the security of the kerberos server very important, kadmind must be disabled until upgraded. * NetBSD all releases: Check that you don't have kadmind in your /etc/inetd.conf. # grep kadmind /etc/inetd.conf If kadmind is enabled, disable it by commenting out its entry and reloading inetd: # /etc/rc.d/inetd reload Check that kadmind is not running as a service # ps axlwww | grep kadmind If kadmind is running, kill it: # kill * NetBSD-current: Systems running NetBSD-current dated from before 2002-Oct-22 should be upgraded to NetBSD-current dated 2002-Oct-22 or later. The fix is included in crypto/dist/heimdal/kadmin/version4.c, revision 1.2. The following directory needs to be updated from the netbsd-current CVS branch (aka HEAD): crypto/dist/heimdal/kadmin To update from CVS, re-build, and re-install kadmind(8): # cd src # cvs update -d -P crypto/dist/heimdal # cd libexec/kadmind # make cleandir dependall # make install * NetBSD 1.6: The following directory needs to be updated from the netbsd-1-6 CVS branch: crypto/dist/heimdal/kadmin To update from CVS, re-build, and re-install kadmind(8): # cd src # cvs update -d -P -r netbsd-1-6 crypto/dist/heimdal/kadmin # cd libexec/kadmind # make cleandir dependall # make install * NetBSD 1.5: The following directory needs to be updated from the netbsd-1-5 CVS branch: crypto/dist/heimdal/kadmin To update from CVS, re-build, and re-install kadmind(8): # cd src # cvs update -d -P -r netbsd-1-5 crypto/dist/heimdal/kadmin # cd libexec/kadmind # make cleandir dependall # make install Thanks To ========= Love Hoernquist-Astrand for the patch and notification and Johan Danielsson for testing. Revision History ================ 2002-Oct-21 Initial release More Information ================ Advisories may be updated as new information comes to hand. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-026.txt,v 1.9 2002/10/21 20:34:06 groo Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPbRlij5Ru2/4N2IFAQGcgwQAn2bBxCdA6L0KhD5Pq0DzylaH8V5wHsq+ iguSkTTaj8cfIR/7Nz8LHUx16Sn9BzYM/YbGkHhp0NjasjIXxlL1ulriTly6Ynf1 SOLNqfHP4IlOITGvIYbFBV0EsIgQiRA4uW5jaQT15YJ/gWi8874wioHNWNRCuTm+ rmkN3qBFP04= =2on8 -----END PGP SIGNATURE-----