MIT Warns of Critical Vulnerabilities in Kerberos 5
kinrowan writes "MIT, inventor of Kerberos, has announced a pair of vulnerabilities in the software that will allow an attacker to either execute a DOS attack or execute code on the machine. Some details of the story are at SearchSecurity as well as ComputerWeekly. Details of the advisories themselves are also available. The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators."
What doesn't cause a DoS attack nowadays? If DOS still stood for Disk Operating System, and we all used that, we'd be safe.
Oh well, guess we had a lot of news going on the past few days...
These are vulnerabilities in a particular implementation of K5, not in Kerberos itself. I think it's an important distinction.
"...it is trivial to construct a corrupt encoding which will trigger the infinite loop..."
so much for MIT not believing in firewalls for their network... :)
Microsoft's directory service has "embraced and extended" Kerberos ... does it also have this vulnerability?
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:088
Has anyone seen exploit code in the wild yet?
Only if they're configured to authenticate against a KDC. From the Cisco advisory:
Cisco VPN 3000 Series Concentrators not authenticating users against a Kerberos Key Distribution Center (KDC) are not impacted.
Get your own free personal location tracker
It would be interesting if the Windows implementation of Kerberos used in AD was vulnerable too. Apart from MIT, and Windows, who uses Kerberos nowadays? Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?
really they are
hmm...
Judging by how well Microsoft's kerberos plays with others, I'd say it's less of a 'clean room' implementation and more of a 'bachelor pad' or 'dorm suite' implementation.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
Worry about their own security first?
2004/09/04: channel.mit.edu
2004/09/04: ecco.mit.edu
---------
In the end we are ALL disconnected....
The biggest problem with any security issue is dissemination of the information. This is over a week old and that's the public airing date. Given that it has been known about for over a month in closed circles, then you really have to ask where the flaw in products is: the security flaw in the first place, or the untimely manner in which EVERYBODY updates. Remember, in security you are only as secure as the weakest link, and the bigger the setup the more links you have. Sod authenticating users and single sign-on nirvanas. We want distributed sign-on and verification. I would love for my firewall to tell Windows to update and when, and for Windows to tell my firewall when to sort itself out, and then only have to worry about flaws in the update process :). One day we will have software that fixes itself and prevents the user from going near it, one day :D.
In the same vein as most security alerts - man has landed on the moon :-)
Would someone explain what Kerberos does and how it works? And how one exploits a double-free?
Some drink at the fountain of knowledge. Others just gargle.
http://www.debian.org/security/2004/dsa-543
It's long been known that to get around Kerberos, all you have to do is throw him a sop.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
...sucks.
Momocrome writes "So did Slashdotters call this one? Kerberos seems not to be so secure after all. An MIT student goes in depth to find out just how unsafe a fresh install is. He provides a list of which dangerous bugs are left open and which protocols are vulnerable by default. I guess now we know why Open Software's security procedure is haphazard and undisciplined." Reader ack154 writes "Slashdot is reporting that many Cisco VPN3300 users are reporting an extreme security threat since bothering to trust the loud-mouthed braggarts of the 'many eyes' principle - threats as much from DoS as from Remote Code Execution. Cisco claims no responsibility, claiming it is 'externally created, open-source software' and they don't support it. In the meantime there has been a fix posted on MIT's FTP site, which disables this crucial protocol."
lol. I bet this gets modded down just because of the nasty tone, even though I copied it verbatim from a nasty anti-Microsoft writeup from yesterday, and only replaced things like 'XP SP2' with 'Kerberos'.
Just a case of not being able to swallow what you blokes dish out. So sad.
Iowa State University also uses Kerberos for their entire system, and I think several other universities do too, if I remember from my searches on how to set up my Linux e-mail to work correctly with it. On a related note, does anyone know of a Linux e-mail client that actually will use kerberos_v5 authentication well? I've tried setting up fetchmail to do it, but kerberos_v5 isn't compiled in by default and there seem to be some bugs in the code that prevent the compile from working now that MIT has changed a few pieces of the code. Oh, and I'm running Mandrake, btw. I'd really love to stop using webmail, so any suggestions would be great. Thanks
Bush
All too often, some people attempt to make an argument by attacking and insulting those who hold opposing views. George W Bush's sentiments are a perfect example. I would like to start by discussing Bush's arguments, mainly because they scare me. The thing I'm the most frightened about is that even if one isn't completely conversant with current events, the evidence overwhelmingly indicates that if Bush gets his way, I might very well fall into the traps set for me by his secret police. Someone has to be willing to follow knowledge like a sinking star beyond the utmost bound of human thought. Even if it's not polite to do so. Even if it hurts a lot of people's feelings. Even if everyone else is pretending that a richly evocative description of a problem automatically implies the correct solution to that problem.
No amount of opinion or innuendo nor any string of unrelated sermons can change the fact that Bush is willing to promote truth and justice when it's convenient. But when it threatens his creature comforts, Bush throws principle to the wind. His press releases have caused widespread social alienation, and from this alienation a thousand social pathologies have sprung. This screams of the old belief that the worst sorts of dangerous, indecent social outcasts I've ever seen are merely out-of-touch, hypocritical weasels. So let Bush call me irritable. I call him malignant. By the bye, he maliciously defames and damagingly misrepresents everyone and everything around him. There's a word for that: libel.
There is no contradiction here; even though the erroneous things Bush says about me are sometimes entertaining, oftentimes sad, and frequently totally detestable, you mustn't forget that Bush's double standards will have consequences -- very serious consequences. And we ought to begin doing something about that. Contrast, for example, his projects with those of bitter, worthless skinflints, and observe that there is no contrast. I, by (genuine) contrast, take the view that I am deliberately using colorful language in this letter. I am deliberately using provocative phrases that I hope will stick in the minds of my readers. I do ensure, however, that my words are always appropriate and accurate and clearly explain how I'm not a psychiatrist. Sometimes, though, I wish I were, so that I could better understand what makes people like Bush want to purge the land of every non-temperamental person, gene, idea, and influence.
His ebullitions are continually evolving into more and more insipid incarnations. Here, I'm not just talking about evolution in a simply Darwinist sense; I'm also talking about how Bush operates on an international scale to steal the fruits of other people's labor. It's only fitting, therefore, that we, too, work on an international scale, but to remove the misunderstanding that Bush has created in the minds of myriad people throughout the world. When he tells us that snobbism is a viable and vital objective for our nation's educational institutions, he somehow fails to mention that he winds up on the wrong side of every important issue. He fails to mention that this cannot go on much longer. And he fails to mention that he has gotten away with so much for so long that he's lost all sense of caution, all sense of limits. If you think about it, only a man without any sense of limits could desire to seek temporary tactical alliances with unimaginative authoritarians in order to sugarcoat the past and dispense false optimism for the future. Bush hates it when you say that I oppose, deplore, and disavow discrimination, extremism, and hatred of every kind. He really hates it when you say that. Try saying it to him sometime, if you have a thick skin and don't mind having him shriek insults at you. He argues that I am lazy for wanting to work beyond the predatory plasticity of his expostulations. I should point out that this is almost the same argument that was made against Copernicus and Galileo almost half a millennium ago
Because it's wrong. This vulnerability is very hard to exploit and there isn't an exploit in the wild. So what you're saying really isn't relevant to this discussion.
read the comments, even the +5 buggers make it clear that the writeup and the source article were complete rancid crap, even perhaps outright fabrications!
the story got posted the way it did simply because it was sensational and slammed microsoft in a super-snotty manner. so hey, my point still stands, whaddya know.
I suppose it is pointless to argue about whether or not Microsoft borrowed code unless you are prepared to file a lawsuit that will force Microsoft to show everyone their code. But I would not put much faith in the word of a corporation which has been found guilty of corporate misconduct when it comes to dealing with competitors and customers.
What I can say, though, is that after doing some TCP and UDP IP socket programming in Windows and in Linux, the API, header files, and whatnot sure seem eerily similar for Microsoft's TCP/IP stack to be a "clean room" implementation from non-"tainted" programmers.
burnin
Having looked at the source code (our product incorporates a KDC and we had to patch it the other day when this story broke), the double-free problem is essentially a regression that crept in a few versions ago.
Someone at MS commented a few days ago (it was picked up by cnet i think) that their "Kerberos" implementation is not vulnerable to the double free because it's their own code. But of course MIT's implementation is not GPL-licensed so MS could easily have stolen^H^H^H^H^H^H adapted it just as they did with BSD's TCP stack.
Has anyone bothered to do behavioral scanning of MS's "Kerberos" to see if it matches up with MIT's?
No, I've not read the real articles yet (they don't seem to load from here)... but does this also affect Microsoft's Active Directory?
---- Booth was a patriot ----
Go to http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/ and grab krb*
Or use yum, up2date, etc.
Need to save CowboyNeal's face, only 54 comments so far..
Kerberos right ? That's too bad !
...about "many-eyes" on the source always being more secure is deflated somewhat by this, if, in fact, the MS implementation does NOT have this flaw because they developed their implementation from spec.
I guess "sharper eyes" are better than "many eyes"...
What do you think would happen if everyone disabled upload and was a leech like you? Exactly, there would be no more Kazaa or any other P2P network left. Therefore I'm confident that Inburito is actually an RIAA/MPAA employee. Beware!
ISTR that Kerberos 4 is flawed at the protocol level, not just implementation. Does anyone else know about this one?
The living have better things to do than to continue hating the dead.
About two weeks ago, we had an issue with our SSHD server. I didn't have Kerberos enabled but someone sent a malformed handshake that crashed the ssh server. It turns out the version of OpenSSH we had installed by default had Kerberos enabled. The later versions do not, so if you're using OpenSSH, make sure you're using the latest version.
In this case, /. missed the train.
Since I have to help support 10,000+ Windows machines, I would not look forward to having to patch for such a fundamental flaw...
Who are these MIT guys anyways and what do they know about anything? Ha!