MIT Warns of Kerberos 5 Flaws

The Massachusetts Institute of Technology (MIT) has sounded a warning
for a pair of potentially dangerous flaws in its Kerberos
network authentication system.

In separate advisories, the MIT Kerberos team warned of security
holes in the Kerberos 5 implementation’s Key Distribution Center (KDC)
program and a Denial of Service bug in the ASN.1
decoder library.

Independent research firm Secunia rates the flaws as “highly critical.”

“Compromise of a KDC host compromises the security of the entire
authentication realm served by
the KDC. Additionally, double-free vulnerabilities exist in MIT
Kerberos 5 library code, making client programs and application servers
vulnerable,” according to the first advisory.

KDC software from all releases of MIT Kerberos 5, up to and including
krb5-1.3.4, are affected by the flaw. The software can be exploited by an
unauthenticated attacker to execute arbitrary code on a KDC host,
compromising an entire Kerberos transaction.

Patches have been released to correct the flaws, and MIT said an
upcoming krb5-1.3.5 release will contain fixes.

The Kerberos protocol, developed by the Project Athena team at MIT,
is designed to enable two parties to exchange private information across
an otherwise open network. It works by assigning a unique key, called a
ticket, to each user who logs on to the network. The ticket is then
embedded in messages to identify the sender of the message.

A second
alert
from MIT discusses potential holes in the ASN.1 decoder
library that could let an unauthenticated remote attacker cause a KDC
or application server to hang inside an infinite loop.

Cisco Systems
confirmed that the Kerberos flaws affected its VPN 3000 Series
Concentrators and released upgrades to plug the holes.

A Cisco security
alert
said the Cisco VPN 3000 Series Concentrators
authenticating users against a Kerberos KDC may be at risk of remote
code execution and DoS attacks.

Cisco urged its customers to upgrade to 4.0.5.B or 4.1.5.B.

News Around the Web