Re: SSRT3555 Potential Security Vulnerability in kermit
From: Frank da Cruz (fdc_at_columbia.edu)
Date: 19 May 2003 11:20:51 -0400
In article <firstname.lastname@example.org>,
Security Alert <email@example.com> wrote:

: PROBLEM: Potential security vulnerability in kermit

What version of Kermit?

: IMPACT: Potential increase in privilege.
: PLATFORM: HP9000 Series 700/800 running HP-UX releases 10.20
: and 11.00.
: SOLUTION: Until a fix is available remove suid permissions
: from /usr/bin/kermit.

If I'm not mistaken, this report refers to buffer overflow
vulnerabilities in C-Kermit 6.0 from 1996, or C-Kermit 7.0 from 2000.
A thorough audit of buffer-overflow vulnerabilities was performed for
C-Kermit 8.0, which was released in 2001 and furnished to HP at that
time. If you have HP-UX 11.22, then you also have C-Kermit 8.0.
But if you have HP-UX 11.11, you have C-Kermit 7.0.
And if you have HP-UX 11.00 or earlier, you still have C-Kermit 6.0.
Thus the problem is that HP does not make new C-Kermit releases available
for previous HP-UX releases. There is no excuse for this. I furnish all
new C-Kermit releases to HP and include them in the development cycle. I
ensure that each new version of C-Kermit builds and runs correctly on every
version of HP-UX from 5.21 to the very latest, and I make prebuilt binaries
available for more than SIXTY (60) different combinations of HP hardware and
Therefore the "patch" for the above mentioned "problem" is to install an
up-to-date version of Kermit, which is available for all to download right
Prebuilt HP-UX binaries can be found here: