Kerberos vulnerabilities enable code smuggling
The Kerberos developers at the Massachusetts Institute of Technology (MIT) have discovered security holes in the network authentication suite. Attackers can use them to inject and execute malicious code. The developers have made patches available to close the holes.
If Kerberos 4 support is enabled in the Kerberos Domain Controller (KDC), specially crafted messages can cause a null pointer to be used in further operations and then freed, which makes it possible to execute injected malicious code. In addition, private data can be leaked to the attacker: under certain circumstances the software does not completely fill the reply buffer, yet the entire buffer is sent back, including any bytes that were never overwritten.
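The uninitialized-data leak described above, as an added illustration of the general bug pattern rather than code from MIT or from krb5 itself: a reply buffer that still holds bytes from earlier processing is only partly overwritten, but its full length is handed to the sender. The buffer size, the `build_reply_*` function names and the "stale secret" contents are constructed for this example; the hardened variant clears the buffer and reports only the bytes actually filled.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reply buffer size; not the real krb5 value. */
#define REPLY_BUF_SIZE 64

/* Leaky pattern: the buffer is not cleared, only the payload bytes are
 * written, yet the whole buffer length is returned to the caller, which
 * then sends REPLY_BUF_SIZE bytes over the wire. */
size_t build_reply_leaky(char *reply, const char *payload) {
    size_t n = strlen(payload);
    if (n > REPLY_BUF_SIZE) n = REPLY_BUF_SIZE;
    memcpy(reply, payload, n);   /* bytes n..REPLY_BUF_SIZE-1 stay stale */
    return REPLY_BUF_SIZE;       /* caller transmits the entire buffer */
}

/* Hardened pattern: zero the buffer first and return only the number of
 * bytes that were actually filled, so nothing stale can be transmitted. */
size_t build_reply_fixed(char *reply, const char *payload) {
    size_t n = strlen(payload);
    if (n > REPLY_BUF_SIZE) n = REPLY_BUF_SIZE;
    memset(reply, 0, REPLY_BUF_SIZE);
    memcpy(reply, payload, n);
    return n;
}

/* Simulate a buffer that still contains data from an earlier request
 * (constructed: every byte is 'S'), build a reply into it and count how
 * many stale bytes would leave the host with the reported length. */
size_t leaked_secret_bytes(size_t (*builder)(char *, const char *)) {
    char buf[REPLY_BUF_SIZE];
    memset(buf, 'S', sizeof buf);
    size_t len = builder(buf, "ticket-ok");   /* 9-byte constructed reply */
    size_t leaked = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 'S') leaked++;
    return leaked;
}

int main(void) {
    printf("leaky build sends %zu stale bytes\n", leaked_secret_bytes(build_reply_leaky));
    printf("fixed build sends %zu stale bytes\n", leaked_secret_bytes(build_reply_fixed));
    return 0;
}
```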
The kadmin server also contains a vulnerability: an array overflow can occur if too many file descriptors are opened. This can crash the software, but might also allow an attacker to execute malicious code. However, the developers were not able to create an exploit for this and have not seen one in the wild.
The security advisories from MIT either link to, or contain, the patches that administrators need to update the Kerberos source code. To repair the vulnerabilities, the amended source code has to be recompiled and the updated files installed. The next release of the Kerberos suite should already contain the fixes, but the security advisories do not indicate when to expect it. Kerberos server administrators should update their installations as soon as possible.
See also:
- Double-free, Uninitialized Data Vulnerabilities in krb5kdc, MIT security advisory
- Array Overrun in RPC Library Used by kadmind, MIT security advisory
(mba)