
Re: Remote vulnerability in kadmind



--On Friday, October 25, 2002 12:07:38 +0100 Dave Love <d.love@dl.ac.uk>
wrote:

> Måns Nilsson <mansaxel@sunet.se> writes:
> 
>> From the advisory:
> 
> Where should I have seen that?  I've seen a recent MIT advisory on
> bugtraq, which may or may not be about the same thing, but not one for
> Heimdal.  I now realize it's on the web site, but that's not explicit
> about how `you should disable [Kerberos 4 support]'.
> 
> I think it would be useful if announcements were copied to
> heimdal-discuss, which is what I'd expect.

I agree. That is a listmaster question, though. OTOH, apparently Johan felt
this issue was so important that the discuss list *was* addressed, in this
very thread, actually. I fail to see why it could not be the norm, though.

>> So, if your 0.4 installs are built in v4 compatibility mode, yes, then
>> they are vulnerable.
> 
> The web site implies I can fix the configuration without rebuilding --
> is that false?

Take kadmind out of inetd.conf. That's what I did the night between Monday
and Tuesday CET as I was recompiling to 0.5.1 on our KDC. Don't forget the
SIGHUP to inetd, and don't forget to reenable the services afterwards.

>> I'd upgrade anyway. Sensitive box, that KDC.. 
> 
> That's why I'm asking, but it's not that easy to upgrade.

I just (to be safe) made a tar ball of /usr/athena and /usr/heimdal, and a
separate backup of the database, and built things the normal way, with
Kerberos4 first (both build and install) and Heimdal afterwards, pointing
heimdal to /usr/athena in the configure process. I installed, stopped the
services, and started them again. Worked flawlessly. 

Other organisations might have more extensive Q&A or software management
procedures on top of that, though. YMMV. 

-- 
Måns Nilsson            Systems Specialist
+46 70 681 7204         KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.
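
The temporary mitigation described in the message above (take kadmind out of inetd.conf, then re-enable it after the upgrade), as an added example that is not part of the original post. The function names, the `#disabled# ` marker and the sample inetd.conf lines are assumptions constructed for illustration; entries are matched on the server-program field rather than the service name.

```sh
#!/bin/sh
# Added example (not from the original post).
# Assumption: a kadmind entry is any active inetd.conf line whose
# server-program field (field 6) has the basename "kadmind".
# mode=list prints matches; mode=disable prints the file with matches commented out.
AWK_PROG='
{ hit = 0 }
!/^[ \t]*#/ && NF >= 6 { n = split($6, p, "/"); hit = (p[n] == "kadmind") }
mode == "list" { if (hit) print; next }
{ if (hit) print "#disabled# " $0; else print }'

# Print the active kadmind entries in an inetd.conf-style file.
kadmind_entries() { awk -v mode=list "$AWK_PROG" "$1"; }

# Comment out active kadmind entries, keeping the original as <file>.bak.
# Prints how many entries were disabled (0 means nothing was changed).
disable_kadmind() {
    conf=$1
    count=$(kadmind_entries "$conf" | wc -l | tr -d ' ')
    [ "$count" -gt 0 ] || { echo 0; return 0; }
    cp -p "$conf" "$conf.bak" || return 1
    awk -v mode=disable "$AWK_PROG" "$conf.bak" > "$conf" || return 1
    echo "$count"
}

# Restore the entries that disable_kadmind commented out.
enable_kadmind() {
    conf=$1
    sed 's/^#disabled# //' "$conf" > "$conf.tmp" || return 1
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Write a constructed sample file (not a real configuration).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind
#kerberos-adm stream tcp nowait root /old/libexec/kadmind kadmind
EOF
}

# Demo on the constructed file. On a real host, inetd only rereads its
# configuration after a SIGHUP, both after disabling and after re-enabling.
tmp=$(mktemp -d) && make_sample "$tmp/inetd.conf"
echo "disabled: $(disable_kadmind "$tmp/inetd.conf")"
enable_kadmind "$tmp/inetd.conf"
rm -rf "$tmp"
```
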