Buffer Overflow Compromises Kerberos
Page 1 of 1
The Computer Emergency Response Team Coordination Center (CERT/CC) Friday warned of a remotely exploitable buffer overflow in the Kerberos network authentication protocol which could compromise the integrity of the entire Kerberos realm.
Kerberos, developed at the Massachusetts Institute of Technology (MIT), is a freely available tool used to provide strong authentication for client/server applications by using secret-key cryptography. The technology is also found in many commercial products today.
In a security advisory Friday, CERT said a buffer overflow in the Kerberos administration daemon could allow a remote attacker to gain root privileges. CERT also noted that it has received reports that this vulnerability is being exploited.
The Kerberos administration daemon (often called kadmind), handles password changes and other requests to modify the Kerberos database. The portion of that code which provides legacy support for the Kerberos 4 administration protocol contains the buffer overflow.
CERT recommended disabling support for the Kerberos 4 administration protocol if not needed, as well as blocking access to the Kerberos administration service from untrusted networks like the Internet. It also suggested only granting access to the service to trusted administrative hosts.
More information about the vulnerability, and patches, is available here.