Slashdot Mirror


MIT Warns of Critical Vulnerabilities in Kerberos 5

kinrowan writes "MIT, inventor of Kerberos, has announced a pair of vulnerabilities in the software that will allow an attacker to either execute a DoS attack or execute code on the machine. Some details of the story are at SearchSecurity as well as ComputerWeekly. Details of the advisories themselves are also available. The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators."


  1. This is old news. by Anonymous Coward · · Score: 3, Informative
    Mandrake already has security updates for the vulnerabilities. That article is from Aug 31st... It's now September 4th.

    Oh well, guess we had a lot of news going on the past few days...

  2. vulnerability in the implementation by BigHungryJoe · · Score: 5, Informative

    These are vulnerabilities in a particular implementation of K5, not in Kerberos itself. I think it's an important distinction.

    1. Re:vulnerability in the implementation by k98sven · · Score: 3, Informative

      Yes. Although MIT kerberos is the most used one. (on *ix platforms.)

      Another one is Heimdal.

      And of course, the Microsoft-tweaked Windows 2000 Kerberos.

  3. Link for those who run mandrake by Anonymous Coward · · Score: 4, Informative
    Here's a link to the security bulletin by mandrake:

    http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:088

  4. Re:How about in 2K and XP by Anonymous Coward · · Score: 2, Informative

    Microsoft made a point of only hiring engineers who had not "tainted" themselves by looking at the MIT reference implementation.

    Same with their TCP/IP code.

  5. VPN 3000 boxes not vulnerable by caluml · · Score: 4, Informative
    The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators.

    Only if they're configured to authenticate against a KDC. From the Cisco advisory:
    Cisco VPN 3000 Series Concentrators not authenticating users against a Kerberos Key Distribution Center (KDC) are not impacted.

  6. Debian security advisory (Aug 31) by Anonymous Coward · · Score: 1, Informative
  7. Re:Affects Redhat, mandrake, mac OS X sun by Dop · · Score: 5, Informative

    The Kerberos Dialogue should help explain a little bit about what Kerberos is. I like it because it shows why certain design decisions were made.

    I don't believe anyone has mentioned it yet, but so far I haven't heard that the Heimdal Kerberos distribution is affected.

  8. Re:It's a double free, not easy to exploit by AaronMB · · Score: 5, Informative

    It's pretty complicated to do (compared to the ease of stack based exploits). However, it is possible. This site has a good explanation/example of a double-free exploit(against CVS).
    -Aaron

  9. Re:Wonder if Windows Kerberos will be affected? by oddityfds · · Score: 4, Informative
    Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?
    No. You still need another infrastructure to get single sign-on while avoiding having to send passwords to remote hosts and to be able to detect MITM attacks. A PKI will get you some of that, but you'd still need to deal with storing private keys somewhere and figure out how to forward credentials.

    Kerberos is good and can be used in an intuitive way in many applications. For everything else, there's nothing stopping you from also using SSH or SSL and (Kerberos) password authentication or even public-key authentication.

  10. Re:It's a double free, not easy to exploit by ca1v1n · · Score: 4, Informative

    OpenSSH's privilege escalation vulnerability was due to a double free bug. Thus, the only root exploit in the default install to ever have been found in OpenBSD was due to a double free. The zlib vulnerability, which affects a whole bunch of programs that link with zlib, was also a double free bug. It's not something that typically gets taught in undergrad CS courses, like buffer overrun, but it's not unheard of for it to be exploited.

  11. Did MS steal from MIT? by blackhedd · · Score: 2, Informative

    Having looked at the source code (our product incorporates a KDC and we had to patch it the other day when this story broke), the double-free problem is essentially a regression that crept in a few versions ago.

    Someone at MS commented a few days ago (it was picked up by cnet i think) that their "Kerberos" implementation is not vulnerable to the double free because it's their own code. But of course MIT's implementation is not GPL-licensed so MS could easily have stolen^H^H^H^H^H^H adapted it just as they did with BSD's TCP stack.

    Has anyone bothered to do behavioral scanning of MS's "Kerberos" to see if it matches up with MIT's?

  12. Re:Wonder if Windows Kerberos will be affected? by Whip · · Score: 2, Informative

    SSH doesn't do the same thing Kerberos does. Kerberos provides for centralized authentication (ssh doesn't)... just having an authorized_keys file set up on every system you access is NOT the same as centralized authentication. It also provides for a number of other useful features that ssh just can't provide.

    The difference, I suppose, is that they're equivalent in a small/home environment, but much different in an enterprise environment with many users and many hosts. On an enterprise scale, ssh alone just doesn't cut it.

  13. Re:Active Directory? by Anonymous Coward · · Score: 2, Informative

    Nope. Sorry to disappoint you.

    http://news.com.com/Security+pros+warn+of+critical+flaws+in+Kerberos/2100-1002_3-5343325.html#yourtake

    "Kerberos is a building block of many network security devices and software. Microsoft uses the mechanism to control security in its Active Directory authentication. However, the company uses a homegrown version of Kerberos that is not affected by the flaws, Hartman said. However, Sun's Solaris, Linux from Red Hat and Mandrake, and OS X all use Kerberos. Some companies, such as Sun and Red Hat, have announced patches for the problem, but not all have."

  14. Re:Wonder if Windows Kerberos will be affected? by ravenspear · · Score: 2, Informative

    Apart from MIT, and Windows, who uses Kerberos nowadays?

    Quite a few scientific, governmental, and higher education institutions use Kerberos for authentication across thousands of machines.

  15. Re:'clean room' by Anonymous Coward · · Score: 2, Informative

    Have you ever actually worked with MS kerberos? It interoperates with every other implementation that I have tested. Unix realms using a trust or Unix machines in the w2k3 realm can't understand some group authorization data, but that data is in an optional field...it doesn't break them. You can actually map a trusted realm's SPNs into windows groups that can then be used for authorization and ACLing. I never know what you guys are talking about when you slam MS on this one. Kerberos and the CA are two of the coolest things they have done. AND every server product they have is kerberized. When was the last time you saw a Unix distro that came with only kerberized daemons?

    get a clue, loser.

  16. Re:Wonder if Windows Kerberos will be affected? by julesh · · Score: 2, Informative

    MIT Kerberos is under the MIT license, which is largely similar to the BSD license.

    I believe Windows' implementation was originally based on the MIT code, but I'm not sure.