MIT Warns of Critical Vulnerabilities in Kerberos 5

kinrowan writes "MIT, inventor of Kerberos, has announced a pair of vulnerabities in the software that will allow an attacker to either execute a DOS attack or execute code on the machine. Some details of the story are at SearchSecurity as well as ComputerWeekly. Details of the advisories themselves are also available. The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators."

What?

[Saturn+SL1-WNY]

What doesn't cause a DoS attack now adays? If DOS still stood for Disk Operating System, and we all used that, we'd be safe.

vulnerability in the implementation

[BigHungryJoe]

These are vulnerabilities in a particular implementation of K5, not in Kerberos itself. I think it's an important distinction.

Link for those who run mandrake

Here's a link to the security bulletin by mandrake:

http://www.mandrakesoft.com/security/advisories?na me=MDKSA-2004:088

It's a double free, not easy to exploit

[Beryllium+Sphere(tm)]

Has anyone seen exploit code in the wild yet?

Re:It's a double free, not easy to exploit

[AaronMB]

It's pretty complicated to do (compared to the ease of stack based exploits). However, it is possible. This site has a good explanation/example of a double-free exploit(against CVS).
-Aaron

Re:It's a double free, not easy to exploit

[ca1v1n]

OpenSSH's privilege escalation vulnerability was due to a double free bug. Thus, the only root exploit in the default install to ever have been found in OpenBSD was due to a double free. The zlib vulnerability, which affects a whole bunch of programs that link with zlib, was also a double free bug. It's not something that typically gets taught in undergrad CS courses, like buffer overrun, but it's not unheard of for it to be exploited.

VPN 3000 boxes not vulnerable

[caluml]

The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators.

Only if they're configured to authenticate against a KDC. From the Cisco advisory:
Cisco VPN 3000 Series Concentrators not authenticating users against a Kerberos Key Distribution Center (KDC) are not impacted.

Wonder if Windows Kerberos will be affected?

[caluml]

It would be interesting if the Windows implementation of Kerberos used in AD was vulnerable too. Apart from MIT, and Windows, who uses Kerberos nowadays? Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?

Re:Wonder if Windows Kerberos will be affected?

[oddityfds]

Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?

No. You still need another infrastructure to get single sign on while avoiding having to passwords to remote hosts and to be able to detect MITM attacks. A PKI will get you some of that, but you'd still need to deal with storing private keys somewhere and figure out how to forward credentials.

Kerberos is good and can be used in an intuitive way in many applications. For everything else, there's nothing stopping you from also using SSH or SSL and (Kerberos) password authentication or even public-key authentication.

Re:Affects Redhat, mandrake, mac OS X sun

[Dop]

The Kerberos Dialogue should help explain a little bit about what Kerberos is. I like it because it shows why certain design decisions were made.

I don't believe anyone has mentioned it yet, but so far I haven't heard that the Heimdal Kerberos distribution is affected.