RealTime IT News

MIT Warns of Kerberos 5 Flaws

The Massachusetts Institute of Technology (MIT) has sounded a warning for a pair of potentially dangerous flaws in its Kerberos network authentication system.

In separate advisories, the MIT Kerberos team warned of security holes in the Kerberos 5 implementation's Key Distribution Center (KDC) program and a Denial of Service bug in the ASN.1 decoder library.

Independent research firm Secunia rates the flaws as "highly critical."

"Compromise of a KDC host compromises the security of the entire authentication realm served by the KDC. Additionally, double-free vulnerabilities exist in MIT Kerberos 5 library code, making client programs and application servers vulnerable," according to the first advisory.

KDC software from all releases of MIT Kerberos 5, up to and including krb5-1.3.4, are affected by the flaw. The software can be exploited by an unauthenticated attacker to execute arbitrary code on a KDC host, compromising an entire Kerberos transaction.

Patches have been released to correct the flaws, and MIT said an upcoming krb5-1.3.5 release will contain fixes.

The Kerberos protocol, developed by the Project Athena team at MIT, is designed to enable two parties to exchange private information across an otherwise open network. It works by assigning a unique key, called a ticket, to each user who logs on to the network. The ticket is then embedded in messages to identify the sender of the message.

A second alert from MIT discusses potential holes in the ASN.1 decoder library that could let an unauthenticated remote attacker cause a KDC or application server to hang inside an infinite loop.

Cisco Systems confirmed that the Kerberos flaws affected its VPN 3000 Series Concentrators and released upgrades to plug the holes.

A Cisco security alert said the Cisco VPN 3000 Series Concentrators authenticating users against a Kerberos KDC may be at risk of remote code execution and DoS attacks.

Cisco urged its customers to upgrade to 4.0.5.B or 4.1.5.B.