Three critical vulnerabilities in Kerberos network authentication
MIT has reported three critical vulnerabilities in its implementation of the Kerberos v5 network authentication system, present in all versions up to and including version 5-1.6. Because other vendors also build on the MIT Kerberos libraries, other products may be affected as well.
Until a new Kerberos 5 version is released, the patches published by MIT should fix the vulnerabilities. Most Linux distributors have already released their own fixed packages, so in many cases users will not have to go to the trouble of recompiling the source code.
The consequences of these vulnerabilities include an attacker gaining control of a system remotely. Two of the vulnerabilities are in the kadmind service and the Key Distribution Center (KDC) and allow injection and execution of code as root; according to the bug report, however, an attacker would need to be authenticated first. In addition, a bug in the telnet service enables an attacker to log in with root privileges simply by entering a specially crafted username. The bug is apparently very simple to exploit; however, MIT does not give further details. As a workaround, users should disable the telnet service.
- telnetd allows login as arbitrary user, bug report from MIT
- KDC, kadmind stack overflow in krb5_klog_syslog, bug report from MIT
- double-free vulnerability in kadmind (via GSS-API library), bug report from MIT
(mba)