Slashdot Mirror


MIT Warns of Critical Vulnerabilities in Kerberos 5

kinrowan writes "MIT, inventor of Kerberos, has announced a pair of vulnerabilities in the software that will allow an attacker to either execute a DOS attack or execute code on the machine. Some details of the story are at SearchSecurity as well as ComputerWeekly. Details of the advisories themselves are also available. The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators."

32 of 100 comments

  1. What? by Saturn+SL1-WNY · · Score: 5, Funny

    What doesn't cause a DoS attack nowadays? If DOS still stood for Disk Operating System, and we all used that, we'd be safe.

  2. This is old news. by Anonymous Coward · · Score: 3, Informative
    Mandrake already has security updates for the vulnerabilities. That article is from Aug 31st... It's now September 4th.

    Oh well, guess we had a lot of news going on the past few days...

    1. Re:This is old news. by dr_dank · · Score: 3, Funny

      Oh well, guess we had a lot of news going on the past few days...

      Slashdot is still in an uproar over the revelation of the Ewok movies coming to DVD. What did you expect?

      --
      Where does the school board find them and why do they keep sending them to ME?
  3. vulnerability in the implementation by BigHungryJoe · · Score: 5, Informative

    These are vulnerabilities in a particular implementation of K5, not in Kerberos itself. I think it's an important distinction.

    1. Re:vulnerability in the implementation by Anonymous Coward · · Score: 2, Interesting

      For example, the Microsoft implementation is not affected. (MS was maligned by certain Open Sourcers for rolling their own rather than reusing MIT -- apart from the issue of Windows using different network credentials than UNIX.)

    2. Re:vulnerability in the implementation by k98sven · · Score: 3, Informative

      Yes. Although MIT kerberos is the most used one. (on *ix platforms.)

      Another one is Heimdal.

      And of course, the Microsoft-tweaked Windows 2000 Kerberos.

    3. Re:vulnerability in the implementation by dpilot · · Score: 2, Interesting

      Does anyone know if Heimdal is affected?

      I've been fooling with the whole Kerberos/SASL/LDAP thing, and for the moment that means using Heimdal, because MIT isn't thread-safe. I guess newer SASL can have thread-safe locks wrapped around the Kerberos calls, but I've already got Heimdal installed.

      Heimdal can also store its keys in LDAP, kind of a Worm Ouroboros. In ways it seems a little frightening, because another program has the keys to your keys, but I've seen others state that this opens up good capabilities. I need to read more. I need more time.

      --
      The living have better things to do than to continue hating the dead.
  4. How about in 2K and XP by newandyh-r · · Score: 3, Interesting

    Microsoft's directory service has "embraced and extended" Kerberos ... does it also have this vulnerability?

    1. Re:How about in 2K and XP by DaHat · · Score: 2, Funny

      Nay, the windows version is a clean room implementation from the original standard instead of duplicated code.

    2. Re:How about in 2K and XP by Anonymous Coward · · Score: 2, Informative

      Microsoft made a point of only hiring engineers who had not "tainted" themselves by looking at the MIT reference implementation.

      Same with their TCP/IP code.

  5. Link for those who run mandrake by Anonymous Coward · · Score: 4, Informative
    Here's a link to the security bulletin by mandrake:

    http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:088

  6. It's a double free, not easy to exploit by Beryllium+Sphere(tm) · · Score: 4, Insightful

    Has anyone seen exploit code in the wild yet?

    1. Re:It's a double free, not easy to exploit by BetterThanCaesar · · Score: 2, Insightful

      Honest question: Has there ever been an exploit of a double free (or similar) bug? I see how it is a problem (I've segfaulted more than once because of it), but how does one inject and run code using it?

      --
      "Stop failing the Turing test!" -- Dilbert
    2. Re:It's a double free, not easy to exploit by AaronMB · · Score: 5, Informative

      It's pretty complicated to do (compared to the ease of stack based exploits). However, it is possible. This site has a good explanation/example of a double-free exploit(against CVS).
      -Aaron

    3. Re:It's a double free, not easy to exploit by ca1v1n · · Score: 4, Informative

      OpenSSH's privilege escalation vulnerability was due to a double free bug. Thus, the only root exploit in the default install to ever have been found in OpenBSD was due to a double free. The zlib vulnerability, which affects a whole bunch of programs that link with zlib, was also a double free bug. It's not something that typically gets taught in undergrad CS courses, like buffer overrun, but it's not unheard of for it to be exploited.

    4. Re:It's a double free, not easy to exploit by Anonymous Coward · · Score: 2, Funny

      please check out http://252.angelcities.com
      for a tutorial about doug lea's malloc
      and exploiting the heap.

      later

  7. VPN 3000 boxes not vulnerable by caluml · · Score: 4, Informative
    The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators.

    Only if they're configured to authenticate against a KDC. From the Cisco advisory:
    Cisco VPN 3000 Series Concentrators not authenticating users against a Kerberos Key Distribution Center (KDC) are not impacted.

  8. Wonder if Windows Kerberos will be affected? by caluml · · Score: 4, Interesting

    It would be interesting if the Windows implementation of Kerberos used in AD was vulnerable too. Apart from MIT, and Windows, who uses Kerberos nowadays? Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?

    1. Re:Wonder if Windows Kerberos will be affected? by oddityfds · · Score: 4, Informative
      Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?
      No. You still need another infrastructure to get single sign on while avoiding having to send passwords to remote hosts and to be able to detect MITM attacks. A PKI will get you some of that, but you'd still need to deal with storing private keys somewhere and figure out how to forward credentials.

      Kerberos is good and can be used in an intuitive way in many applications. For everything else, there's nothing stopping you from also using SSH or SSL and (Kerberos) password authentication or even public-key authentication.

    2. Re:Wonder if Windows Kerberos will be affected? by Whip · · Score: 2, Informative

      SSH doesn't do the same thing Kerberos does. Kerberos provides for centralized authentication (ssh doesn't)... just having an authorized_keys file set up on every system you access is NOT the same as centralized authentication. It also provides for a number of other useful features that ssh just can't provide.

      The difference, I suppose, is that they're equivalent in a small/home environment, but much different in an enterprise environment with many users and many hosts. On an enterprise scale, ssh alone just doesn't cut it.

    3. Re:Wonder if Windows Kerberos will be affected? by N7DR · · Score: 2, Insightful
      Apart from MIT, and Windows, who uses Kerberos nowadays? Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?

      PacketCable security (VoIP over cable) is based on Kerberos. (www.packetcable.com). Interestingly, its version of Kerberos uses public-key authentication (PKINIT).

      FWIW, the most common KDC used in PacketCable networks (www.ipfonix.com) is not vulnerable, since it uses no MIT code.

      I do wish that the original headline had been more accurate, since it's not a bug in Kerberos that has been found, but a bug in a particular implementation.

    4. Re:Wonder if Windows Kerberos will be affected? by ravenspear · · Score: 2, Informative

      Apart from MIT, and Windows, who uses Kerberos nowadays?

      Quite a few scientific, governmental, and higher education institutions use Kerberos for authentication across thousands of machines.

    5. Re:Wonder if Windows Kerberos will be affected? by dpilot · · Score: 2, Interesting

      Windows Kerberos is a different implementation, so it shouldn't be affected.

      OTOH, as far as I can tell, MIT Kerberos is NOT under the GPL. A little quick searching and I can't really tell what license it is under, except perhaps MIT's own license. In that same look, I didn't see redistribution/modification provisions, so I have no way to know if it's more like GPL or BSD.

      So perhaps Windows Kerberos really IS based on MIT. I just don't know, and don't know how to find out. As for the implementation-dependent security of Windows Kerberos, we just don't know about that, either. Furthermore, without signing some sort of potentially-restrictive NDA, or reverse-engineering the code, it may well be unknowable. So maybe it's more secure, maybe it isn't.

      That's the point about Open Source. We know there's a flaw in the MIT implementation. We also know that there are fixes out, already.

      --
      The living have better things to do than to continue hating the dead.
    6. Re:Wonder if Windows Kerberos will be affected? by julesh · · Score: 2, Informative

      MIT Kerberos is under the MIT license, which is largely similar to the BSD license.

      I believe Windows' implementation was originally based on the MIT code, but I'm not sure.

  9. 'clean room' by MarcQuadra · · Score: 2, Funny

    Judging by how well Microsoft's kerberos plays with others, I'd say it's less of a 'clean room' implementation and more of a 'bachelor pad' or 'dorm suite' implementation.

    --
    "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    1. Re:'clean room' by Anonymous Coward · · Score: 2, Informative

      Have you ever actually worked with MS kerberos? It interoperates with every other implementation that I have tested. Unix realms using a trust or Unix machines in the w2k3 realm can't understand some group authorization data, but that data is in an optional field...it doesn't break them. You can actually map a trusted realm's spn's into windows groups that can then be used for authorization and acl'ing. I never know what you guys are talking about when you slam MS on this one. Kerberos and the CA are two of the coolest things they have done. AND every server product they have is kerberized. When was the last time you saw a Unix distro that came with only kerberized daemons?

      get a clue, loser.

  10. Affects Redhat, mandrake, mac OS X sun by goombah99 · · Score: 2, Interesting
    According to cnet, this affects Redhat, mandrake, mac OS X and sun but not Microsoft (who wrote their own implementation). The problem is a double-free, which is when the same memory block is freed twice. Not quite sure how that happens or how it leads to insecurity. But apparently done properly this allows arbitrary user access but is hard to exploit.

    would some one explain what kerberos does and how it works? and how one exploits a double-free?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Affects Redhat, mandrake, mac OS X sun by Dop · · Score: 5, Informative

      The Kerberos Dialogue should help explain a little bit about what Kerberos is. I like it because it shows why certain design decisions were made.

      I don't believe anyone has mentioned it yet, but so far I haven't heard that the Heimdal Kerberos distribution is affected.
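
The questions above about how a double free is actually turned into control of a program (BetterThanCaesar's "how does one inject and run code using it?" and goombah99's "how one exploits a double-free?") are easiest to answer with a small model of the allocator. The following is an added example written for this page; it is not MIT's code, not the code of any Kerberos implementation, and not the Kerberos bug itself. It models a dlmalloc-style LIFO free list where a freed chunk stores its forward pointer in its own first bytes (as glibc's fast bins do), with a toy `struct handler` as the victim object; the allocator, the struct and the 'A'-filled "attacker input" are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE  32
#define POOL_CHUNKS 8

/* Toy heap: fixed-size chunks on a LIFO singly-linked free list. A freed
 * chunk stores its forward pointer ("fd") in its own first bytes, as dlmalloc
 * and glibc fast bins do. Constructed for illustration, not a real malloc. */
static union { uint8_t bytes[CHUNK_SIZE]; void *align; } pool[POOL_CHUNKS];
static void *free_head;   /* most recently freed chunk */
static int   next_fresh;  /* index of the next never-used chunk */

static void toy_reset(void)
{
    memset(pool, 0, sizeof pool);
    free_head = NULL;
    next_fresh = 0;
}

static void *toy_malloc(void)
{
    if (free_head != NULL) {
        void *p = free_head;
        memcpy(&free_head, p, sizeof free_head);   /* pop: head = p->fd */
        return p;
    }
    return next_fresh < POOL_CHUNKS ? pool[next_fresh++].bytes : NULL;
}

/* The bug class: nothing stops the same chunk being pushed twice. */
static void toy_free(void *p)
{
    memcpy(p, &free_head, sizeof free_head);       /* p->fd = head */
    free_head = p;
}

/* Mitigation in the style of glibc's "double free or corruption (fasttop)"
 * check: refuse to free the chunk that is already at the head of the list.
 * Returns -1 when the double free is caught, 0 otherwise. */
static int toy_free_checked(void *p)
{
    if (p == free_head)
        return -1;
    toy_free(p);
    return 0;
}

/* Victim object: attacker-controlled bytes followed by a code pointer. */
struct handler {
    char name[CHUNK_SIZE - sizeof(void (*)(void))];
    void (*fn)(void);
};
_Static_assert(sizeof(struct handler) <= CHUNK_SIZE, "handler must fit a chunk");

static void benign(void) { }

/* Returns 1 when a double free makes two "distinct" allocations alias one
 * chunk, so that copying attacker data into h1 rewrites h2->fn. */
int double_free_causes_aliasing(void)
{
    toy_reset();
    void *a = toy_malloc();
    toy_free(a);
    toy_free(a);                         /* second free: a->fd now points at a itself */

    struct handler *h1 = toy_malloc();   /* pops a; head becomes a->fd == a */
    struct handler *h2 = toy_malloc();   /* pops a again: h2 == h1 */
    if (h1 != h2)
        return 0;

    h2->fn = benign;                     /* program believes h2 is a fresh, separate object */
    uint8_t attacker_input[CHUNK_SIZE];  /* constructed: 32 bytes of 'A' "from the network" */
    memset(attacker_input, 'A', sizeof attacker_input);
    memcpy(h1, attacker_input, sizeof *h1);   /* program fills what it thinks is only h1 */

    return h2->fn != benign;             /* 1: h2's code pointer is now 0x4141... */
}

/* Returns 1 when the fasttop-style check stops an immediate double free. */
int checked_free_catches_immediate_double_free(void)
{
    toy_reset();
    void *a = toy_malloc();
    return toy_free_checked(a) == 0 && toy_free_checked(a) == -1;
}

/* Returns 1 when free(a); free(b); free(a) slips past the same check, which
 * only compares against the current head: the list now cycles a -> b -> a. */
int checked_free_misses_interleaved_double_free(void)
{
    toy_reset();
    void *a = toy_malloc();
    void *b = toy_malloc();
    return toy_free_checked(a) == 0 && toy_free_checked(b) == 0
        && toy_free_checked(a) == 0;
}

int main(void)
{
    printf("aliasing after double free:     %d\n", double_free_causes_aliasing());
    printf("immediate double free caught:   %d\n", checked_free_catches_immediate_double_free());
    printf("interleaved double free missed: %d\n", checked_free_misses_interleaved_double_free());
    return 0;
}
```

The aliasing is the whole trick: once the allocator hands the same chunk out twice, a perfectly bounds-checked write into one object silently rewrites the other, and if the other holds a code pointer (or, in real dlmalloc-derived heaps, the `fd`/`bk` pointers that `unlink()` trusts when consolidating chunks) the attacker gets a write-what-where and from there code execution, which is the mechanism behind the CVS double-free write-up linked earlier in this thread. The last function is the practitioner's caveat: the cheap "is it already the head?" check only catches the back-to-back case, so a fix has to remove the second free from the code path rather than rely on the allocator noticing.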

  11. Probably the oldest known security hole by hey! · · Score: 2, Funny

    It's long been known that to get around Kerberos, all you have to do is throw him a sop.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  12. Re:Maybe they should..... by inburito · · Score: 3, Insightful

    Umm.. most of the .mit.edu computers are students' own dorm room computers. MIT doesn't care what people do with them unless they start disrupting the network operations.

    It is a pretty good deal with a fixed ip address, your own mit-domain name and a direct hookup without any extra firewalls or nats. I know I like mine. However, smarter than average kids do not necessarily good sys admins make. A hack on an "mit"-computer seems to enjoy questionable prestige especially in Asia even though nobody ever hacks the university's computers.. just random people's personal ones. What's so great about defacing some bio-major's laptop..

  13. Did MS steal from MIT? by blackhedd · · Score: 2, Informative

    Having looked at the source code (our product incorporates a KDC and we had to patch it the other day when this story broke), the double-free problem is essentially a regression that crept in a few versions ago.

    Someone at MS commented a few days ago (it was picked up by cnet i think) that their "Kerberos" implementation is not vulnerable to the double free because it's their own code. But of course MIT's implementation is not GPL-licensed so MS could easily have stolen^H^H^H^H^H^H adapted it just as they did with BSD's TCP stack.

    Has anyone bothered to do behavioral scanning of MS's "Kerberos" to see if it matches up with MIT's?

  14. Re:Active Directory? by Anonymous Coward · · Score: 2, Informative

    Nope. Sorry to disappoint you.

    http://news.com.com/Security+pros+warn+of+critical+flaws+in+Kerberos/2100-1002_3-5343325.html#yourtake

    "Kerberos is a building block of many network security devices and software. Microsoft uses the mechanism to control security in its Active Directory authentication. However, the company uses a homegrown version of Kerberos that is not affected by the flaws, Hartman said. However, Sun's Solaris, Linux from Red Hat and Mandrake, and OS X all use Kerberos. Some companies, such as Sun and Red Hat, have announced patches for the problem, but not all have."