Slashdot Mirror


Critical Kerberos Flaw Revealed

doi writes "ZD Net is carrying a story about '...a critical flaw that could allow hackers to circumvent the secure networking system...The problem lies with software in MIT Kerberos 5 called kadmind4 (Kerberos v4 compatibility administration daemon), which allows compatibility with older administrative clients. A buffer stack overflow allows an attacker to use a specially formed request to gain access to the KDC with the privileges of a user running kadmind4.' It affects all MIT-derived versions of Kerberos 4 and 5."

17 of 197 comments

  1. Re:M$FT too? by Anonymous Coward · Score: 2, Funny

    Well, how does it affect the BSD implementation? There's your answer.

  2. Guess I was wrong... by domninus.DDR · Score: 1, Funny

    And I had faith in MIT since they taught Time Cube..

  3. Kerberos Authentication by chickenmonger · Score: 4, Funny

    As a user on a network that uses Kerberos authentication, it's good to know about these security flaws. That way, we can email the admin to find out if we should unplug our CAT5. :-)

    1. Re:Kerberos Authentication by Bobulusman · Score: 2, Funny

      Amen to this. I just finished e-mailing my admin. Seriously. :)

      --
      Cogito ergo sum in Slashdot.

  4. Re:Question by c13v3rm0nk3y · Score: 5, Funny

    What the flaming fuck does kerberos do anyway?

    Kerberos makes it really difficult to do any work at MIT. It's a software product designed by faculty to slow up research projects by students.

    The reasons for this are twofold: ensure longer paths to tenure, and keep smart students from publishing too quickly and making their profs look bad.

    --
    -- clvrmnky

  5. Re:it is only MIT Specific by Anonymous Coward · Score: 1, Funny

    And you know, I was going to mod you up for it too...

  6. Re:Question by Anonymous Coward · Score: 2, Funny

    It guards hades... oh, wait, you mean the *other* Kerberos...

  7. Important considerations! by the_other_one · Score: 3, Funny

    Is this just a warning of a potential hole?

    Or has somebody actually made an exploit?

    Does anybody know of a warez site from which I can get the security patch for free?

    --
    134340: I am not a number. I am a free planet!

  8. Re:A distinction... by delta407 · Score: 4, Funny

    For a minute, I almost wondered if the actual cryptosystem had been broken

    My pulse actually shot up when I read the headline!

    Breathe... breathe... it's just a buffer overflow... ...I'll be okay, just give me a few minutes.

  9. a first in the security world by carpe_noctem · Score: 5, Funny

    Well, Microsoft is currently working on their own implementation of Kerberos, Microsoft Kerberos. I've seen about a half-dozen root exploits for MIT Kerberos, but none yet for MS kerb. I guess this is really a first for the boys in blue. ;]

    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K

  10. Re:Question by Waffle Iron · Score: 5, Funny

    What the flaming fuck does kerberos do anyway?

    Kerberos is a three-headed dog that guards the gates of hell. A flaw in Kerberos is a serious situation because if it fails, all hell could break loose.

  11. Re:Is this really pertinent? by carpe_noctem · Score: 5, Funny

    I completely agree. I say that people wait until the respective worm comes out for the said vulnerability, then post an article about that, where hundreds of /. comments will mock stupid people for not patching their systems. =)

    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K

  12. Nawww.... by WetCat · Score: 4, Funny

    Stack overflow, stack overflow... Better create an architecture and/or compiler where there is NO stack at all! It'd be much more secure then.

    ---
    How has everybody spent today's Slashdot meetup?

  13. If only... by Chester K · Score: 4, Funny

    If only we were all using Windows this could have been avoided. :(

    --

    NO CARRIER

  14. Re:nah by Anonymous DWord · Score: 4, Funny

    If you did your thesis on buffer overflows, you'd be halfway done already.

    --
    "If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden

  15. Security is Pointless by Gregg Alan · Score: 4, Funny

    It doesn't matter what you do...some part of your security solution is going to be broken by some hackers at some point. Get used to it, deal with it.

    Me, I spend the money my boss gives me for security on beer and better video cards for my office mates who like Unreal Tournament.

    Oh, I should also mention that in addition to not providing any type of network security you must also not supply any type of network monitoring. Can you imagine...you're two frags from godlike and some system monitor (that you don't understand anyway) starts paging your beeper like a crazy ex-girlfriend.

    You might just lose concentration.

    --
    Here before all but 8486 of you.

  16. Re:A distinction... by psamuels · Score: 3, Funny

    "Critical Kerberos Flaw Revealed" is not exactly an appropriate headline for a fscking buffer overflow. Getting a bit sensational now, aren't we?

    Hey, it worked - at least, it sure got me to read the blurb in a hurry. (While hyperventilating, but whatever.) Maybe they did it on purpose. At least the panic attack only lasted a couple sentences. If they'd made me actually read the article to find this out....

    --
    "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README