Slashdot Mirror

← Back to Stories (view on slashdot.org)

MIT Warns of Critical Vulnerabilities in Kerberos 5

Posted by CowboyNeal on Saturday September 4, 2004 @03:07AM from the heightened-state-of-alertness dept.

kinrowan writes "MIT, inventor of Kerberos, has announced a pair of vulnerabities in the software that will allow an attacker to either execute a DOS attack or execute code on the machine. Some details of the story are at SearchSecurity as well as ComputerWeekly. Details of the advisories themselves are also available. The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators."

4 of 100 comments (clear)

Min score:

Reason:

Sort:

What? by Saturn+SL1-WNY · 2004-09-04 03:08 · Score: 5, Funny

What doesn't cause a DoS attack now adays? If DOS still stood for Disk Operating System, and we all used that, we'd be safe.
vulnerability in the implementation by BigHungryJoe · 2004-09-04 03:11 · Score: 5, Informative

These are vulnerabilities in a particular implementation of K5, not in Kerberos itself. I think it's an important distinction.
Re:Affects Redhat, mandrake, mac OS X sun by Dop · 2004-09-04 03:51 · Score: 5, Informative

The Kerberos Dialogue should help explain a little bit about what Kerberos is. I like it because it shows why certain design decisions were made.

I don't believe anyone has mentioned it yet, but so far I haven't heard that the Heimdal Kerberos distribution is affected.
Re:It's a double free, not easy to exploit by AaronMB · 2004-09-04 03:52 · Score: 5, Informative

It's pretty complicated to do (compared to the ease of stack based exploits). However, it is possible. This site has a good explanation/example of a double-free exploit(against CVS).
-Aaron