[ SOURCE: http://www.secureroot.com/security/advisories/9641751616.html ] A vulnerability exists in my own S/Key software enhancements. Since these enhancements are in wide-spread use, a public announcement is appropriate. The vulnerability affects the following products: FreeBSD version 1.1.5.1 FreeBSD version 2.0 logdaemon versions before 4.9 I recommend that users of this software follow the instructions given below in section III. - ----------------------------------------------------------------------------- I. Description An obscure oversight was found in software that I derived from the S/Key software from Bellcore (Bell Communications Research). Analysis revealed that my oversight introduces a vulnerability. Note: the vulnerability is not present in the original S/Key software from Bellcore. II. Impact Unauthorized users can gain privileges of other users, possibly including root. The vulnerability can be exploited only by users with a valid account. It cannot be exploited by arbitrary remote users. The vulnerability can affect all FreeBSD 1.1.5.1 and FreeBSD 2.0 implementations and all Logdaemon versions before 4.9. The problem exists only when S/Key logins are supported (which is the default for FreeBSD). Sites with S/Key logins disabled are not vulnerable. III. Solution Logdaemon users: ================ Upgrade to version 4.9 URL ftp://ftp.win.tue.nl/pub/security/logdaemon-4.9.tar.gz. MD5 checksum 3d01ecc63f621f962a0965f13fe57ca6 To plug the hole, build and install the ftpd, rexecd and login programs. If you installed the keysu and skeysh commands, these need to be replaced too. FreeBSD 1.1.5.1 and FreeBSD 2.0 users: ====================================== Retrieve the corrected files that match the system you are running: URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-1.1.5.1.tgz MD5 checksum bf3a8e8e10d63da9de550b0332107302 URL ftp://ftp.cdrom.com/pub/FreeBSD/CERT/libskey-2.0.tgz MD5 checksum d58a17f4216c3ee9b9831dbfcff93d29 Unpack the tar archive and follow the instructions in the README file. FreeBSD current users: ====================== Update your /usr/src/lib/libskey sources and rebuild and install libskey (both shared and non-shared versions). The vulnerability has been fixed with FreeBSD 2.0.5.