Re: SSRT3555 Potential Security Vulnerability in kermit

From: Frank da Cruz (fdc_at_columbia.edu)
Date: 05/19/03


Date: 19 May 2003 11:20:51 -0400

In article <3ec8ed8d$1_2@hpb10302.boi.hp.com>,
Security Alert <secure@cup.hp.com> wrote:
: PROBLEM: Potential security vulnerability in kermit
:
What version of Kermit?

: IMPACT: Potential increase in privilege.
:
: PLATFORM: HP9000 Series 700/800 running HP-UX releases 10.20
: and 11.00.
:
: SOLUTION: Until a fix is available remove suid permissions
: from /usr/bin/kermit.
:
If I'm not mistaken, this report refers to buffer overflow
vulnerabilities in C-Kermit 6.0 from 1996, or C-Kermit 7.0 from 2000.

A thorough audit of buffer-overflow vulnerabilities was performed for
C-Kermit 8.0, which was released in 2001 and furnished to HP at that
time. If you have HP-UX 11.22, then you also have C-Kermit 8.0 --
problem solved.

But if you have HP-UX 11.11, you have C-Kermit 7.0.

And if you have HP-UX 11.00 or earlier, you still have C-Kermit 6.0.

Thus the problem is that HP does not make new C-Kermit releases available
for previous HP-UX releases. There is no excuse for this. I furnish all
new C-Kermit releases to HP and include them in the development cycle. I
ensure that each new version of C-Kermit builds and runs correctly on every
version of HP-UX from 5.21 to the very latest, and I make prebuilt binaries
available for more than SIXTY (60) different combinations of HP hardware and
HP-UX version.

Therefore the "patch" for the above-mentioned "problem" is to install an
up-to-date version of Kermit, which is available for all to download right
here:

  http://www.columbia.edu/kermit/ckermit.html

Prebuilt HP-UX binaries can be found here:

  http://www.columbia.edu/kermit/ck80binaries.html#hp

- Frank
