Critical Kerberos Flaw Revealed
doi writes "ZD Net is carrying a story about '...a critical flaw that could allow hackers to circumvent the secure networking system...The problem lies with software in MIT Kerberos 5 called kadmind4 (Kerberos v4 compatibility administration daemon), which allows compatibility with older administrative clients. A buffer stack overflow allows an attacker to use a specially formed request to gain access to the KDC with the privileges of a user running kadmind4.' It affects all MIT-derived versions of Kerberos 4 and 5."
For a minute, I almost wondered if the actual cryptosystem had been broken, but then I realized that this is only the implementation of it. There's a *big* difference...
:]
Fortunately, all we have to do is download a patch, which is much better than having to find something other than Diffie-Hellman key exchange...
..on stories like this is if you'd just put some short thing telling how to determine if you are affected by the security hole. Like, just say "if you type /sbin/sshd --version and it says your version is 2.23 or lower, you're affected". :)
A lot of the time it's kind of hard to remember which version exactly you have, and much UNIX software offers no quick, clear way to tell what version you have installed. Hell, I don't even know if I have Kerberos. I know I've never consciously used Kerberos. But for all I know my Linux distribution installed Kerberos as part of another package. Now I, and a bunch of other people, are going to be poking around manpages and weird directories for a while trying to figure out, uhh, do we have Kerberos, what version/brand, do we need to disable or patch anything.. this is not the hardest thing in the world, but it isn't exactly easy when you consider it's 11:12 PM and at my college, we start drinking on Thursday night. I'm not exactly in the mood to think logically at this exact moment.
So, a quick 'heads up, here's the quick way to tell if you're affected' on the part of the slashdotty people at the end of these story blurbs would be much appreciated
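The kind of "am I affected?" triage the comment above asks for, written as an added example for this thread (it is not from the Slashdot story, the MIT advisory, or any commenter). It answers the three questions the poster raises: is an MIT Kerberos install present, which release does it report, and is the kadmind4 compatibility daemon named in the story installed or running. It does not decide vulnerability for you; the story gives no affected version numbers, so compare the reported release with the vendor advisory. The install directories searched and the use of `krb5-config --version` (a helper MIT krb5 builds ship) are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the thread or from MIT Kerberos.
# Quick triage for the kadmind4 issue: report MIT krb5 release and
# whether a kadmind4 binary exists on disk or is currently running.

# Directories where kadmind4 is commonly installed (assumed; extend per site).
KADMIND4_DIRS="/usr/sbin /usr/local/sbin /usr/kerberos/sbin /usr/krb5/sbin /usr/athena/sbin"

# find_kadmind4 DIR... : print the first kadmind4 binary found, exit 1 if none.
find_kadmind4() {
    for d in "$@"; do
        if [ -f "$d/kadmind4" ]; then
            printf '%s\n' "$d/kadmind4"
            return 0
        fi
    done
    return 1
}

# current_proclist : command names from the process table, one per line
# (empty if ps is unavailable or does not support -o comm=).
current_proclist() {
    ps -e -o comm= 2>/dev/null || true
}

# kadmind4_running PROCLIST : exit 0 if "kadmind4" appears as a whole
# command name in PROCLIST (passed in, so the check is testable offline).
kadmind4_running() {
    printf '%s\n' "$1" | grep -qx 'kadmind4'
}

# krb5_release : release string from krb5-config, or "unknown" (assumed tool).
krb5_release() {
    if command -v krb5-config >/dev/null 2>&1; then
        krb5-config --version 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# triage PROCLIST DIR... : one-line verdict, highest concern first:
#   running:<path-or-?>   a kadmind4 process is live
#   present:<path>        binary installed but not running
#   no-kadmind4           nothing found on disk or in the process table
triage() {
    proclist=$1
    shift
    path=$(find_kadmind4 "$@") || path=""
    if kadmind4_running "$proclist"; then
        printf 'running:%s\n' "${path:-?}"
    elif [ -n "$path" ]; then
        printf 'present:%s\n' "$path"
    else
        echo no-kadmind4
    fi
}

# Stand-alone run: report findings for this host.
echo "MIT Kerberos release: $(krb5_release)"
echo "kadmind4 status:      $(triage "$(current_proclist)" $KADMIND4_DIRS)"
```

A "running" verdict is the one to act on first: the story describes the overflow as reachable through a request to the daemon, so a live kadmind4 is the exposure, while an installed-but-stopped binary only matters if something restarts it. The process list and directory list are parameters so the logic can be checked against constructed input before it is trusted on a production KDC.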
Hrm....I haven't noticed anything about this on Bugtraq or Full-Disclosure, and you'd think that something this big would be all over those lists about two or three days before it got posted here. I'll believe this when I see a proof-of-concept.
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
If we're going to have articles on what dangerous server rooms look like, we can have an article on how if you don't patch that KDC server fast, tens of thousands of user accounts might be compromised. Kerberos is at the HEART of many large multi-user distributed systems. (Universities, hospitals...) A critical flaw possibly compromising hundreds of thousands of accounts worldwide is a big story.