-----BEGIN PGP SIGNED MESSAGE-----
FreeBSD-SA-00:33 Security Advisory
Topic: kerberosIV distribution contains multiple vulnerabilities
under FreeBSD 3.x
Credits: Assar Westerlund <assar@FreeBSD.org>
Affects: FreeBSD 3.x systems prior to the correction date
FreeBSD only: NO
I. Background
KTH Kerberos is an implementation of the Kerberos 4 protocol which
is distributed as an optional component of the base system.
II. Problem Description
Vulnerabilities in the MIT Kerberos 5 port were the subject of an
earlier FreeBSD Security Advisory (SA-00:20). At the time it was
believed that the implementation of Kerberos distributed with FreeBSD
was not vulnerable to these problems, but it was later discovered that
FreeBSD 3.x contained an older version of KTH Kerberos 4 which is in
fact vulnerable to at least some of these vulnerabilities. FreeBSD
4.0-RELEASE and later are unaffected by this problem, but FreeBSD
3.5-RELEASE (like all earlier 3.x releases) is vulnerable.
The exact extent of the vulnerabilities is not known, but it is likely
to include local root vulnerabilities on both Kerberos clients and
servers, and remote root vulnerabilities on Kerberos servers. For the
client vulnerabilities it is not necessary that Kerberos client
functionality actually be configured; it is enough that the binaries
are present on the system.
III. Impact
Local or remote users can obtain root access on the system running
Kerberos, whether as client or server.
IV. Workaround
If you have not chosen to install the KerberosIV distribution on your
FreeBSD 3.x system, then your system is not vulnerable to this
Due to the nature of the vulnerability there are several programs and
network services which are affected. The following libraries and
utilities are installed by the KerberosIV distribution and must be
removed or replaced with non-Kerberos versions to disable all
The files marked with a "(*)" are part of the base FreeBSD system when
the Kerberos distribution is not installed, and are replaced when
Kerberos is installed. Therefore you will need to replace them with
non-Kerberos versions from another system, or perform a recompilation
or reinstallation of FreeBSD after removal, if you wish to continue to
If you have chosen to install any ports with Kerberos support, such as
the security/ssh port, then you should also remove them, or recompile
them with Kerberos support disabled.
As an interim measure, access control measures (either a perimeter
firewall, or a local firewall on the affected machine - see the
ipfw(8) manpage for more information) can be used to prevent remote
systems from connecting to Kerberos services on a vulnerable Kerberos
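The following is an added example of the interim firewall measure, not part of the original advisory: a small sh helper that emits (or applies) ipfw(8) rules blocking inbound connections to the Kerberos IV service ports from everywhere except one trusted network. The port numbers are an assumption taken from the usual FreeBSD /etc/services entries (kerberos-iv 750, kerberos-adm 751, krb_prop 754, klogin 543, kshell 544, ekshell 545) and should be checked against the vulnerable host; the function names are hypothetical. Note that this only blocks the remote vectors; the local root vulnerabilities remain exploitable by any local user as long as the Kerberos binaries are present.

```shell
#!/bin/sh
# Added example, not from the advisory.  Port list is an assumption taken
# from FreeBSD /etc/services; verify it on the affected host.
KRB4_UDP_PORTS="750 751"
KRB4_TCP_PORTS="750 751 754 543 544 545"

# krb4_ipfw_rules TRUSTED_NET [BASE_RULE] [IFACE]
# Prints one "ipfw add" command per line.  For every port the allow rule
# for TRUSTED_NET gets a lower rule number than the matching deny rule, so
# ipfw evaluates it first; BASE_RULE must also sort before any existing
# rule that would otherwise pass the traffic (e.g. a default allow).
krb4_ipfw_rules() {
    net="$1"
    n="${2:-1000}"
    via=""
    if [ -n "${3:-}" ]; then
        via=" via $3"          # restrict the rules to one interface
    fi
    for proto in udp tcp; do
        if [ "$proto" = udp ]; then
            ports="$KRB4_UDP_PORTS"
        else
            ports="$KRB4_TCP_PORTS"
        fi
        for p in $ports; do
            printf 'ipfw add %d allow %s from %s to any %d in%s\n' \
                "$n" "$proto" "$net" "$p" "$via"
            n=$((n + 1))
            printf 'ipfw add %d deny %s from any to any %d in%s\n' \
                "$n" "$proto" "$p" "$via"
            n=$((n + 1))
        done
    done
}

# krb4_ipfw_apply TRUSTED_NET [BASE_RULE] [IFACE]
# Executes the generated rules with the local ipfw binary.  Must run as
# root on the affected FreeBSD 3.x host; stops at the first failing rule.
krb4_ipfw_apply() {
    krb4_ipfw_rules "$@" | while IFS= read -r cmd; do
        echo "$cmd"
        sh -c "$cmd" || exit 1
    done
}

# Usage (review first, then apply):
#   krb4_ipfw_rules 10.0.0.0/24 1000 fxp0
#   krb4_ipfw_apply 10.0.0.0/24 1000 fxp0
```

Run `krb4_ipfw_rules` first and read the output; the deny rules are per port rather than a blanket deny so that a KDC serving a trusted internal network can keep working while the upgrade in the next section is scheduled.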
V. Solution
Upgrade your vulnerable FreeBSD 3.x system to a version of FreeBSD
dated after the correction date (FreeBSD 3.5-STABLE dated after the
correction date, 4.0-RELEASE or 4.0-STABLE). See
for more information
about upgrading FreeBSD from source.
Be sure to install the Kerberos code when performing an upgrade
(whether by source or by a binary upgrade) to ensure that the old
binaries are no longer present on the system.
See the note in section IV. above about recompiling ports which were
compiled with Kerberos support.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----