Security Bug

MIT Warns of Critical Vulnerabilities in Kerberos 5

kinrowan writes "MIT, inventor of Kerberos, has announced a pair of vulnerabilities in the software that will allow an attacker to either execute a DOS attack or execute code on the machine. Some details of the story are at SearchSecurity as well as ComputerWeekly. Details of the advisories themselves are also available. The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators."
  • What? (Score:5, Funny)

    by Saturn SL1-WNY ( 807134 ) on Saturday September 04, 2004 @11:08AM (#10157422)
    What doesn't cause a DoS attack nowadays? If DOS still stood for Disk Operating System, and we all used that, we'd be safe.
    • I read the headline and the X-men came to mind. Wasn't Kerberos the machine that Dr. Xavier used in that big, round room? /nevermind
    • So . . . I guess that you couldn't DoS DOS? Interesting thesis . . . I think I'll write a research paper on the subject. Could you DDoS DOS? DoS DDOOSS? DDoS DDOS? So, how much wood could a woodchuck chuck . . .
      • You could not DOS DOS right out of the box. You could only DOS DOS if someone had installed add-on software. Where there is no network support there is no DOS attack.
    • What about the Department of State? Could you DOS DOS if they ran DOS?
  • This is old news. (Score:3, Informative)

    by Anonymous Coward on Saturday September 04, 2004 @11:10AM (#10157433)
    Mandrake already has security updates for the vulnerabilities. That article is from Aug 31st... It's now September 4th.

    Oh well, guess we had a lot of news going on the past few days...

  • by BigHungryJoe ( 737554 ) on Saturday September 04, 2004 @11:11AM (#10157435) Homepage
    These are vulnerabilities in a particular implementation of K5, not in Kerberos itself. I think it's an important distinction.
    • by Anonymous Coward
      For example, the Microsoft implementation is not affected. (MS was maligned by certain Open Sourcers for rolling their own rather than reusing MIT -- apart from the issue of Windows using different network credentials than UNIX.)
    • Yes. Although MIT kerberos is the most used one. (on *ix platforms.)

      Another one is Heimdal [pdc.kth.se].

      And of course, the Microsoft-tweaked Windows 2000 Kerberos.
    • Does anyone know if Heimdal is affected?

      I've been fooling with the whole Kerberos/SASL/LDAP thing, and for the moment that means using Heimdal, because MIT isn't thread-safe. I guess newer SASL can have thread-safe locks wrapped around the Kerberos calls, but I've already got Heimdal installed.

      Heimdal can also store its keys in LDAP, kind of a Worm Ouroboros. In ways it seems a little frightening, because another program has the keys to your keys, but I've seen others state that this opens up good capabili
  • by Anonymous Coward
    "...it is trivial to construct a corrupt encoding
    which will trigger the infinite loop...
  • by newandyh-r ( 724533 ) on Saturday September 04, 2004 @11:13AM (#10157444)
    Microsoft's directory service has "embraced and extended" Kerberos ... does it also have this vulnerability?
    • Nay, the Windows version is a clean room implementation from the original standard instead of duplicated code.
      • by Anonymous Coward
        Microsoft made a point of only hiring engineers who had not "tainted" themselves by looking at the MIT reference implementation.

        Same with their TCP/IP code.
        • I suppose it is pointless to argue about whether or not Microsoft borrowed code unless you are prepared to file a lawsuit that will force Microsoft to show everyone their code. But I would not put much faith into the word of a corporation which has been found guilty of corporate misconduct when it comes to dealing with competitors and customers.

          What I can say though is that after doing some TCP and UDP IP socket programming in Windows and in linux the API, header files, and what not sure seem to be earil
          • What I can say though is that after doing some TCP and UDP IP socket programming in Windows and in Linux the API, header files, and what not sure seem to be eerily similar for Microsoft's TCP/IP stack to be a "clean room" implementation from non "tainted" programmers.

            The Windows TCP/IP stack has large amounts of BSD code in it. I wouldn't be surprised if the Linux stack had a fair amount as well. Regardless, MS can hardly be found at fault here.
            • I know the Linux TCP/IP stack has a fair amount of BSD code and hence I would also agree that Microsoft's implementation has a fair amount of BSD code. This would explain the similarities you may notice when using both implementations. We are in agreement. Perhaps I should have been more blunt, so here it is.

              I doubt that Microsoft's TCP/IP implementation is a clean room implementation from non tainted programmers. And I suspect there is a fair amount of BSD code in the Microsoft implementation. This is not
            • I read that the Linux people asked the BSD people if they could copy the BSD TCP/IP stack, but the BSD people declined.

              So, the Linux network stack should be different code.
      • Judging by how well Microsoft's kerberos plays with others, I'd say it's less of a 'clean room' implementation and more of a 'bachelor pad' or 'dorm suite' implementation.
        • Well, MS does have coding standards that they have to follow.
        • Re:'clean room' (Score:2, Informative)

          by Anonymous Coward
          Have you ever actually worked with MS Kerberos? It interoperates with every other implementation that I have tested. Unix realms using a trust or Unix machines in the w2k3 realm can't understand some group authorization data, but that data is in an optional field...it doesn't break them. You can actually map a trusted realm's SPNs into Windows groups that can then be used for authorization and ACLing. I never know what you guys are talking about when you slam MS on this one. Kerberos and the CA are two of
          • I just saw an opportunity for a joke.

            But really, at work we had to use some third-party KDC because some of our other third-party boxes wouldn't tie-in with the KDC included with the AD. That's what the admin said, and he was die-hard Microsoft.

            I heard the MS implementation is little-endian, which is not the standard for network communications, too.
  • by Beryllium Sphere(tm) ( 193358 ) on Saturday September 04, 2004 @11:20AM (#10157476) Journal
    Has anyone seen exploit code in the wild yet?
  • by caluml ( 551744 ) <slashdot@spamgoe ... minus herbivore> on Saturday September 04, 2004 @11:21AM (#10157478) Homepage
    The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators.

    Only if they're configured to authenticate against a KDC. From the Cisco advisory:
    Cisco VPN 3000 Series Concentrators not authenticating users against a Kerberos Key Distribution Center (KDC) are not impacted.

  • It would be interesting if the Windows implementation of Kerberos used in AD was vulnerable too. Apart from MIT, and Windows, who uses Kerberos nowadays? Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?
    • Mac OS X, although disabled by default in the clients, uses Kerberos4 for authentication. Supposedly in OS X.4 it will be more prevalent.
    • Microsoft's implementation is supposedly not affected.

    • by oddityfds ( 138457 ) on Saturday September 04, 2004 @11:54AM (#10157632)
      Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?
      No. You still need another infrastructure to get single sign on while avoiding having to passwords to remote hosts and to be able to detect MITM attacks. A PKI will get you some of that, but you'd still need to deal with storing private keys somewhere and figure out how to forward credentials.

      Kerberos is good and can be used in an intuitive way in many applications. For everything else, there's nothing stopping you from also using SSH or SSL and (Kerberos) password authentication or even public-key authentication.

    • Iowa State University also uses Kerberos for their entire system and I think several other universities do too if I remember from my searches on how to set up my Linux e-mail to work correctly with it. On a related note, does anyone know of a Linux e-mail client that actually will use kerberos_v5 authentication well? I've tried setting up fetchmail to do it, but kerberos_v5 isn't compiled in by default and there seems to be some bugs in the code that prevent the compile from working now that MIT has cha
      • On a related note, does anyone know of a linux e-mail client that actually will use kerberos_v5 authentication well?
        When I grew tired of Gnus I switched to Evolution because it was (and still is, AFAIK) the only graphical mailer for X with GSSAPI/Krb5 support and because it's a nice GNOME app. Works well with the Cyrus-IMAPd server.

        The Mail app that comes with MacOS X also has Krb5 support.

    • No. SSH provides you with a secure method to log into a particular machine. However, if you have several services (applications, machines, etc) that require authentication it is desirable to have a secure method of not only having one username/password combo but allowing services to authenticate off of that username/password combo. That is where Kerberos comes in.

      In the case of SSH it is quite common that its pam configuration is using Kerberos for authentication.

      Check it out [mit.edu], truly interesting stu

    • SSH doesn't do the same thing Kerberos does. Kerberos provides for centralized authentication (ssh doesn't)... just having an authorized_keys file set up on every system you access is NOT the same as centralized authentication. It also provides for a number of other useful features that ssh just can't provide.

      The difference, I suppose, is that they're equivalent in a small/home environment, but much different in an enterprise environment with many users and many hosts. On an enterprise scale, ssh alone jus
    • Apart from MIT, and Windows, who uses Kerberos nowadays? Doesn't SSH, and public-key based authentication pretty much make the whole thing irrelevant?

      PacketCable security (VoIP over cable) is based on Kerberos. (www.packetcable.com). Interestingly, its version of Kerberos uses public-key authentication (PKINIT).

      FWIW, the most common KDC used in PacketCable networks (www.ipfonix.com) is not vulnerable, since it uses no MIT code.

      I do wish that the original headline had been more accurate, s

    • Apart from MIT, and Windows, who uses Kerberos nowadays?

      Quite a few scientific, governmental, and higher education institutions use Kerberos for authentication across thousands of machines.
    • Windows Kerberos is a different implementation, so it shouldn't be affected.

      OTOH, as far as I can tell, MIT Kerberos is NOT under the GPL. A little quick searching and I can't really tell what license it is under, except perhaps MIT's own license. In that same look, I didn't see redistribution/modification provisions, so I have no way to know if it's more like GPL or BSD.

      So perhaps Windows Kerberos really IS based on MIT. I just don't know, and don't know how to find out. As for the implementation-depende
  • by goombah99 ( 560566 ) on Saturday September 04, 2004 @11:38AM (#10157564)
    According to cnet, this affects Red Hat, Mandrake, Mac OS X and Sun but not Microsoft (who wrote their own implementation). The problem is a double-free, which is when the same memory block is freed twice. Not quite sure how that happens or how it leads to insecurity. But apparently done properly this allows arbitrary user access but is hard to exploit.

    Would someone explain what Kerberos does and how it works? And how one exploits a double-free?
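    The following is an added illustration of the bug class asked about above, not code from MIT Kerberos or from anyone in this thread. It uses a constructed sample buffer and a toy allocation tracker (a simplified stand-in for the heap checks that tools like AddressSanitizer or glibc perform): a buggy cleanup path frees the same block twice and the tracker catches it, while the hardened cleanup nulls the pointer after freeing so the repeated release becomes a legal no-op.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed illustration of a double-free and its fix. Not MIT Kerberos
 * code; the tracker is a toy model of what heap-checking tools do.
 */

#define MAX_TRACKED 64

enum slot_state { SLOT_UNUSED = 0, SLOT_LIVE = 1, SLOT_FREED = 2 };

static struct { void *p; enum slot_state state; } slots[MAX_TRACKED];

/* Allocate a block and record it as live. */
void *tracked_malloc(size_t n) {
    void *p = malloc(n ? n : 1);
    if (p == NULL) return NULL;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (slots[i].state == SLOT_UNUSED) {
            slots[i].p = p;
            slots[i].state = SLOT_LIVE;
            return p;
        }
    }
    free(p);                                /* tracking table full */
    return NULL;
}

/*
 * Release a block. The memory is quarantined rather than returned to the
 * allocator immediately, so a second free of the same address is reported
 * instead of corrupting heap metadata. Returns 0 on success, -1 on a
 * double free, -2 on a pointer that was never allocated through the tracker.
 */
int tracked_free(void *p) {
    if (p == NULL) return 0;                /* free(NULL) is a legal no-op */
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (slots[i].state != SLOT_UNUSED && slots[i].p == p) {
            if (slots[i].state == SLOT_FREED) return -1;   /* double free */
            slots[i].state = SLOT_FREED;
            return 0;
        }
    }
    return -2;                              /* invalid free */
}

/* Drain the quarantine (and any leaked live blocks) at the end of a request. */
void tracked_reset(void) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (slots[i].state != SLOT_UNUSED) free(slots[i].p);
        slots[i].p = NULL;
        slots[i].state = SLOT_UNUSED;
    }
}

struct ticket_buf { unsigned char *data; size_t len; };

/* Buggy cleanup: a helper frees the buffer, then an error path frees it again. */
int cleanup_buggy(struct ticket_buf *t) {
    int first = tracked_free(t->data);
    int second = tracked_free(t->data);     /* same non-NULL pointer again */
    return (first == 0 && second == 0) ? 0 : -1;
}

/* Hardened cleanup: null the pointer after freeing, so a repeat is harmless. */
int cleanup_fixed(struct ticket_buf *t) {
    int first = tracked_free(t->data);
    t->data = NULL;
    t->len = 0;
    int second = tracked_free(t->data);     /* now free(NULL): a no-op */
    return (first == 0 && second == 0) ? 0 : -1;
}

/* Copy a constructed sample into a buffer and clean it up with one of the two
 * paths. Returns 0 if cleanup was sound, -1 if a double free was detected. */
int decode_and_cleanup(int use_fix) {
    static const unsigned char sample[] = "constructed sample encoding";
    struct ticket_buf t;
    t.len = sizeof sample;
    t.data = tracked_malloc(t.len);
    if (t.data == NULL) return -2;
    memcpy(t.data, sample, t.len);
    int rc = use_fix ? cleanup_fixed(&t) : cleanup_buggy(&t);
    tracked_reset();
    return rc;
}

int main(void) {
    printf("buggy cleanup: %d (double free detected)\n", decode_and_cleanup(0));
    printf("fixed cleanup: %d\n", decode_and_cleanup(1));
    return 0;
}
```

    The point for a maintainer is the second pattern: once ownership of a buffer is released, the pointer is cleared, so no later error path can release it again. Against a real allocator the buggy path would corrupt heap bookkeeping rather than return an error code, which is why it is only ever observed here through the tracker.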

  • by hey! ( 33014 ) on Saturday September 04, 2004 @11:42AM (#10157575) Homepage Journal
    It's long been known that to get around Kerberos, all you have to do is throw him a sop.
  • Having looked at the source code (our product incorporates a KDC and we had to patch it the other day when this story broke), the double-free problem is essentially a regression that crept in a few versions ago.

    Someone at MS commented a few days ago (it was picked up by cnet i think) that their "Kerberos" implementation is not vulnerable to the double free because it's their own code. But of course MIT's implementation is not GPL-licensed so MS could easily have stolen^H^H^H^H^H^H adapted it just as they d
    • I have seen a Microsoft developer post on the MIT Kerberos dev list before, asking a question about code. Was probably 4 months or so ago. Didn't check the headers, though, just saw the FROM field. Seemed legit to me.

      MIT chose to license it under their license. There's no reason anybody should be pissy at Microsoft if they used free code. Obviously this is what the MIT Kerberos developers wanted, so nobody has a right to bash Microsoft if they did use the code. There are plenty of other reasons to ba
      • The question being addressed is: "does MS's implementation suffer from the double-free problem?"

        "bashing" - are you referring to my use of the word "stealing"? The MIT license does not require open-sourcing of derivative works but it does require proper attribution.
      • Yes but you'd think that they would have at least told the MIT guys about the problem they found and fixed.
  • No, I've not read the real articles yet (they don't seem to load from here)... but does this also affect Microsoft's Active Directory?
  • go to:
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/
    and grab krb*

    Or use yum, up2date, etc.
  • by Anonymous Coward
    ...about "many-eyes" on the source always being more secure is deflated somewhat by this, if, in fact, the MS implementation does NOT have this flaw because they developed their implementation from spec.

    I guess "sharper eyes" are better than "many eyes"...

  • About two weeks ago, we had an issue with our SSHD server. I didn't have Kerberos enabled but someone sent a malformed handshake that crashed the ssh server. It turns out the version of OpenSSH we had installed by default had Kerberos enabled. The later versions do not, so if you're using OpenSSH, make sure you're using the latest version.
  • Who are these MIT guys anyways and what do they know about anything? Ha!