Re: NetBSD Security Advisory 2003-006: Cryptographic weaknesses in Kerberos v4 protocol
- Subject: Re: NetBSD Security Advisory 2003-006: Cryptographic weaknesses in Kerberos v4 protocol
- From: Yuji Yamano <yyamano@kt.rim.or.jp>
- To: announce-ja@jp.netbsd.org, netbsd@re.soum.co.jp
- Date: Mon, 14 Apr 2003 03:14:00 +0900 (JST)
- Message-Id: <20030414.031400.98965825.yyamano@kt.rim.or.jp>
- In-Reply-To: <20030404164411.GG22049@vex>
- References: <20030404164411.GG22049@vex>
NetBSD Security Advisory, Japanese translation
=============================================================================
NetBSD Security Advisory 2003-006 (2003/04/04)
* Cryptographic weaknesses in Kerberos v4 protocol
=============================================================================
This mail is a Japanese translation, prepared by the www.NetBSD.ORG
translation project, of the following message posted to netbsd-announce:
Subject: NetBSD Security Advisory 2003-006: Cryptographic weaknesses in Kerberos v4 protocol
From: NetBSD Security Officer <security-officer@netbsd.org>
Date: Fri, 4 Apr 2003 11:43:44 -0500
Message-Id: <20030404164344.GE22049@vex>
(The translation is based on NetBSD-SA2003-006.txt,v 1.7.)
The original is PGP-signed; this Japanese translation is not.
To check the PGP signature and confirm that the fixes, patches and so on
have not been tampered with, refer to the original.
------------------------------- begin ------------------------------------
NetBSD Security Advisory 2003-006
=================================
Topic:          Cryptographic weaknesses in Kerberos v4 protocol
Version:        NetBSD-current: sources dated before March 20, 2003
                NetBSD 1.6:     affected
                NetBSD-1.5.3:   affected
                NetBSD-1.5.2:   affected
                NetBSD-1.5.1:   affected
                NetBSD-1.5:     affected
                pkgsrc:         kth-krb4-1.2.1 and earlier, and
                                heimdal-0.5.1 and earlier, are affected
Exposure:       The credentials of every user on a Kerberos 4 network
                can be compromised.
Fixed:          NetBSD-current:    March 20, 2003
                NetBSD-1.6 branch: March 22, 2003 (1.6.1 includes the fix)
                NetBSD-1.5 branch: April 1, 2003
                pkgsrc:            fixed in kth-krb4-1.2.2 and
                                   heimdal-0.5.2
Abstract
========
The cryptography in version 4 of the Kerberos protocol has a weakness that
lets an attacker mount a chosen-plaintext attack and impersonate any
principal in a realm. Exploiting this attack can completely defeat the
Kerberos authentication system of the affected site.
Kerberos version 5 does not contain this cryptographic weakness.
Sites that have completely disabled Kerberos version 4 functionality are
not affected. Kerberos version 4 functionality includes the krb4
compatibility features of krb5.
Technical Details
=================
Using the shared krb4 cross-realm key, an attacker can impersonate any
principal to any service in the remote realm. This can lead not only to
root compromise of the KDC but to compromise of every host that relies on
the authentication that KDC provides.
The attack can also be mounted against cross-realm principals. That is, an
attacker can hop across several realms, so every realm that shares a
cross-realm key with the attacker's local realm is exposed.
An attack that does not use a shared cross-realm key is also conceivable,
although considerably harder to carry out; at a minimum, an attacker can
target any principal name in the victim realm.
An unpublished paper describes this weakness in enough detail that an
attacker familiar with the krb4 protocol could readily implement an
exploit. At the time this advisory was published, however, no concrete
exploit was widely known.
These are weaknesses in the protocol itself. The fix restricts some of the
functionality the original protocol provides.
The fix must be applied on the machines acting as KDCs. If version 4
functionality is disabled on the servers, there is no need to apply the
fix on the clients.
Solutions and Workarounds
=========================
If you cannot upgrade to a fixed version, disable all cross-realm
functionality and delete or randomize the cross-realm keys.
Running ``kinit --version'' shows whether a system is affected. If it
prints the following, the system does not have this problem:
current:
kinit (Heimdal 0.5nb2, KTH-KRB 1.2)
Copyright (c) 1999-2002 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@pdc.kth.se
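As an added example that is not part of the advisory, the following POSIX shell helpers put the two practical steps above into checkable form: the ``kinit --version'' banner is classified against the versions the advisory lists as fixed, and the cross-realm krbtgt principals named in the workaround are picked out of a kadmin listing so that their keys can be randomized. The ``kadmin -l list'' and ``kadmin -l cpw -r'' command lines are assumptions about Heimdal's kadmin interface, the pkgsrc banner layout is assumed, and every sample banner and principal below is constructed.

```shell
#!/bin/sh
# Added example for NetBSD-SA2003-006; not code from the advisory or from
# Heimdal. (1) classify a `kinit --version` banner against the version
# strings the advisory calls fixed; (2) pick out the cross-realm krbtgt
# principals whose shared keys the workaround says to delete or randomize.
# The kadmin command lines are assumptions about Heimdal's `kadmin -l`
# interface; all sample banners and principals are constructed.

# version_ge A B: succeed when dotted version A is >= B. Only the numeric
# prefix of each component counts, so "0.5nb2" compares as 0.5.0; the
# NetBSD base-system banner therefore has to be matched explicitly.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# kinit_banner_fixed BANNER: 0 = fixed, 1 = vulnerable, 2 = unrecognised.
# Fixed versions are the advisory's: the NetBSD-current base-system banner
# "Heimdal 0.5nb2, KTH-KRB 1.2", pkgsrc heimdal >= 0.5.2, kth-krb4 >= 1.2.2.
# The pkgsrc banner layout "kinit (Heimdal X.Y.Z)" / "kinit (KTH-KRB X.Y.Z)"
# is an assumption.
kinit_banner_fixed() {
    case "$1" in
        *"Heimdal 0.5nb2, KTH-KRB 1.2"*) return 0 ;;   # fixed NetBSD-current base
    esac
    hv=$(printf '%s\n' "$1" | sed -n 's/.*Heimdal \([0-9][0-9.]*\).*/\1/p')
    kv=$(printf '%s\n' "$1" | sed -n 's/.*KTH-KRB \([0-9][0-9.]*\).*/\1/p')
    if [ -n "$hv" ]; then
        version_ge "$hv" 0.5.2 && return 0
        return 1
    elif [ -n "$kv" ]; then
        version_ge "$kv" 1.2.2 && return 0
        return 1
    fi
    return 2
}

# cross_realm_tgts: read principals on stdin (one per line, as
# `kadmin -l list 'krbtgt/*'` prints them) and print those of the form
# krbtgt/OTHER@REALM with OTHER != REALM. Both directions of a cross-realm
# trust look like this; the realm's own krbtgt/REALM@REALM is left alone.
cross_realm_tgts() {
    awk -F'[/@]' '$1 == "krbtgt" && NF == 3 && $2 != $3 { print }'
}

# randomize_cross_realm_keys [--really]: dry run by default; with --really,
# give every cross-realm krbtgt in the local database a fresh random key
# (assumed Heimdal interface: `kadmin -l cpw -r`), which disables that
# cross-realm trust until a new key is agreed. Deleting the principals
# (`kadmin -l del`) is the other option the advisory names.
randomize_cross_realm_keys() {
    kadmin -l list 'krbtgt/*' | cross_realm_tgts | while read -r p; do
        if [ "$1" = "--really" ]; then
            kadmin -l cpw -r "$p"
        else
            echo "would randomize key of $p"
        fi
    done
}

# Demonstration on constructed data (no kadmin needed).
for banner in "kinit (Heimdal 0.5nb2, KTH-KRB 1.2)" \
              "kinit (Heimdal 0.5.1)" "kinit (Heimdal 0.5.2)"; do
    if kinit_banner_fixed "$banner"; then echo "fixed:     $banner"
    else echo "not fixed: $banner"; fi
done
printf '%s\n' 'krbtgt/EXAMPLE.ORG@EXAMPLE.ORG' 'krbtgt/PARTNER.NET@EXAMPLE.ORG' \
    'krbtgt/EXAMPLE.ORG@PARTNER.NET' 'host/kdc.example.org@EXAMPLE.ORG' \
    | cross_realm_tgts
```

The version comparison makes the caveat explicit: the NetBSD base system reports 0.5nb2, which does not order numerically against pkgsrc's 0.5.2, so the advisory's exact banner is matched as a special case; a generic version sort would wrongly flag the fixed base system as vulnerable. Randomizing a krbtgt/OTHER@REALM key breaks the trust in that direction, which is exactly the effect the workaround wants until the KDC has been rebuilt.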
The following procedures describe how to upgrade the affected binaries by
updating the source tree, rebuilding, and installing the new version of
Heimdal.
* NetBSD-current:
NetBSD-current sources dated before March 20, 2003 must be upgraded to
NetBSD-current sources dated March 21, 2003 or later.
In the CVS branch netbsd-current (alias HEAD), the directories that need
to be updated are:
crypto/dist/heimdal/kdc
include/heimdal
To update the files with CVS and rebuild and reinstall the KDC binary,
run the following commands:
# cd src
# cvs update -d -P crypto/dist/heimdal/kdc include/heimdal
# cd usr.sbin/kdc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.6:
The NetBSD 1.6 binary distribution contains this security weakness.
NetBSD 1.6 sources dated before March 22, 2003 must be upgraded to
NetBSD 1.6 sources dated March 23, 2003 or later.
NetBSD 1.6.1 will include the fix for this weakness.
In the CVS branch netbsd-1-6, the files that need to be updated are:
crypto/dist/heimdal/kdc
include/heimdal
To update the files with CVS and rebuild and reinstall the KDC binary,
run the following commands:
# cd src
# cvs update -d -P -r netbsd-1-6 crypto/dist/heimdal/kdc \
include/heimdal
# cd usr.sbin/kdc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
The NetBSD 1.5.3 binary distribution contains this security weakness.
Systems running NetBSD-1.5, NetBSD-1.5.1, NetBSD-1.5.2 or NetBSD-1.5.3
sources dated before March 31, 2003 must be upgraded to NetBSD-1.5.*
sources dated April 1, 2003 or later.
In the CVS branch netbsd-1-5, the files that need to be updated are:
crypto/dist/heimdal/kdc
include/heimdal
To update the files with CVS and rebuild and reinstall the KDC binary,
run the following commands:
# cd src
# cvs update -d -P -r netbsd-1-5 crypto/dist/heimdal/kdc \
include/heimdal
# cd crypto/dist/heimdal/kdc
# make cleandir dependall
# make install
Thanks To
=========
Sam Hartman and Tom Yu, for first pointing out the problem and providing
the draft of this advisory.
Steve Bellovin, for providing the information that led the people at MIT
to discover the weakness.
Love Hornquist-Astrand, for arranging the exchange of information.
Josef T. Burger, for pointing out the fix to the build procedure.
Revision History
================
2003-04-04 Initial release
2003-04-04 Fixed the `cd' step in the build procedure
More Information
================
Security advisories may be updated as new information becomes available.
The latest, PGP-signed version of this advisory is available at:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-006.txt.asc
Information about NetBSD and NetBSD security is available at:
http://www.NetBSD.ORG/
http://www.NetBSD.ORG/Security/
Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2003-006.txt,v 1.7 2003/04/04 17:56:28 david Exp $