Subject: NetBSD Security Advisory 2002-018: Multiple security isses with kfd daemon
To: None <firstname.lastname@example.org>
From: NetBSD Security Officer <email@example.com>
Date: 09/17/2002 12:56:23
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-018
Topic: Multiple security isses with kfd daemon
Version: NetBSD-current: source prior to September 10, 2002
NetBSD 1.6: affected
NetBSD-1.4.*: not affected
Severity: remote buffer overrun, possibly resulting in root exploit
Fixed: NetBSD-current: September 11, 2002
NetBSD-1.6 branch: not yet
NetBSD-1.5 branch: September 11, 2002
Kf and kfd are used to forward Kerberos credentials in a stand-alone
fashion, and come from the Heimdal Kerberos implementation used by
NetBSD. In Heimdal releases earlier than 0.5, these programs have
multiple security issues, including possible buffer overruns.
The kfd daemon has never been enabled by default in NetBSD; enabling
it would have required a port name to be added to /etc/services.
The client sent information about user and files without integrity
protection, making it possible to overwrite any file the user had
access to. The server also passed some of this data to other functions
without checking that strings were zero terminated, possibly resulting
in root exploit.
All versions prior to Heimdal 0.5 are vulnerable. You can tell which
version of kfd you have by running /usr/libexec/kfd --version.
See also: http://www.pdc.kth.se/heimdal/
Solutions and Workarounds
As this is not a vital service, and is very likely unused by most
installations, the straightforward solution is to remove these
programs. This has been done in NetBSD-current sources on September
11, 2002. Note that even after this time, systems may still have
binaries left behind from earlier builds.
Note that sources for the 1.6 release (and branch) still inlcude these
programs. Therefore, a "make build" will re-install vulnerable
binaries into /usr/bin/kf and /usr/libexec/kfd. As noted in the 1.6
LAST_MINUTE release notes, please remove them after each "make build".
* NetBSD all releases:
Check that you don't have kfd in your /etc/inetd.conf.
% grep kfd /etc/inetd.conf
Remove these programs:
# rm /usr/bin/kf
# rm /usr/libexec/kfd
# rm /usr/share/man/cat1/kf.0
# rm /usr/share/man/cat8/kfd.0
# rm /usr/share/man/man1/kf.1
# rm /usr/share/man/man8/kfd.8
firstname.lastname@example.org (Johan Danielsson)
2002-09-16 Initial release
Advisories may be updated as new information comes to hand. The most
recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-018.txt,v 1.9 2002/09/16 22:59:39 dan Exp $
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----