In association with heise online

08 April 2009, 11:46

Multiple holes in MIT Kerberos

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The Kerberos developers at the Massachusetts Institute of Technology (MIT) have reported multiple vulnerabilities in their network authentication suite. Attackers can reportedly exploit a weakness to cause a SPNEGO GSS-API application crash, including the Kerberos administration daemon (kadmind). A remote attack could also cause a key distribution center (KDC) or kinit program to crash.

The developers also describe a vulnerability in the ASN.1 decoder that could allow an attacker to crash the Kerberos application and execute arbitrary malicious code. All attacks can be run remotely and do not require authentication.

Kerberos versions krb5-1.5 and later are affected as previous MIT releases did not contain the vulnerable code. All MIT krb5 releases and third-party software that uses the krb5 libraries are affected by the critical vulnerability in the ASN.1 decoder. The upcoming official krb5-1.7 and krb5-1.6.4 releases resolve the problems.

MIT provide source code patches for the SPNEGO GSS-API and ASN.1 vulnerabilities on their site. Ubuntu has already released updated packages for it's distributions.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit