MIT Warns of Critical Vulnerabilities in Kerberos 5
kinrowan writes "MIT, inventor of Kerberos, has announced a pair of vulnerabilities in the software that will allow an attacker to either execute a DOS attack or execute code on the machine. Some details of the story are at SearchSecurity as well as ComputerWeekly. Details of the advisories themselves are also available. The vulnerabilities also affect the VPN 3000 line of Cisco VPN concentrators."
What? (Score:5, Funny)
Re:What? (Score:2)
Re:What? (Score:1)
Re:What? (Score:2)
Re:What? (Score:1)
This is old news. (Score:3, Informative)
Oh well, guess we had a lot of news going on the past few days...
Link for those who run mandrake (Score:4, Informative)
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:088 [mandrakesoft.com]
Debian security advisory (Aug 31) (Score:1, Informative)
Re:This is old news. (Score:4, Funny)
Slashdot is still in an uproar over the revelation of the Ewok movies coming to DVD. What did you expect?
EVERYBODY has Updates... VERY old news indeed! (Score:1)
In this case, /. missed the train.
vulnerability in the implementation (Score:5, Informative)
Re:vulnerability in the implementation (Score:2, Interesting)
Re:vulnerability in the implementation (Score:2)
It is internal to the UofI, so maybe nobody has really looked for vulnerabilities.
Re:vulnerability in the implementation (Score:2)
Re:vulnerability in the implementation (Score:3, Informative)
Another one is Heimdal [pdc.kth.se].
And of course, the Microsoft-tweaked Windows 2000 Kerberos.
Re:vulnerability in the implementation (Score:3, Interesting)
I've been fooling with the whole Kerberos/SASL/LDAP thing, and for the moment that means using Heimdal, because MIT isn't thread-safe. I guess newer SASL can have thread-safe locks wrapped around the Kerberos calls, but I've already got Heimdal installed.
Heimdal can also store its keys in LDAP, kind of a Worm Ouroboros. In ways it seems a little frightening, because another program has the keys to your keys, but I've seen others state that this opens up good capabili
Can anyone explain how ez this exploit really is (Score:1, Insightful)
which will trigger the infinite loop...
How about in 2K and XP (Score:3, Interesting)
Re:How about in 2K and XP (Score:3, Funny)
Re:How about in 2K and XP (Score:2, Informative)
Same with their TCP/IP code.
Can you trust the word of a convict? (Score:2)
What I can say though is that after doing some TCP and UDP IP socket programming in Windows and in linux the API, header files, and what not sure seem to be earil
Re:Can you trust the word of a convict? (Score:2)
The Windows TCP/IP stack has large amounts of BSD code in it. I wouldn't be surprised if the Linux stack had a fair amount as well. Regardless, MS can hardly be found at fault here.
Re:Can you trust the word of a convict? (Score:2)
I doubt that Microsoft's TCP/IP implementation is a clean room implementation from non-tainted programmers. And I suspect there is a fair amount of BSD code in the Microsoft implementation. This is not
Re:Can you trust the word of a convict? (Score:1)
So, the Linux network stack should be different code.
Re:Can you trust the word of a convict? (Score:1)
Even though the letters of the BSD license allows you to use the code without asking, the Linux developers asked to use the BSD networking code (remember, they'd have to relicense it as GPL). The BSD guys said no. There was already network code in linux at the time, so that was improved instead.
I'm no expert on this, and am only recalling threads I read of others recalling events so I'm probably a bit off on the details.
Mike
'clean room' (Score:3, Funny)
Re:'clean room' (Score:2)
Re:'clean room' (Score:2, Informative)
Re:'clean room' (Score:2)
But really, at work we had to use some third-party KDC because some of our other third-party boxes wouldn't tie-in with the KDC included with the AD. That's what the admin said, and he was die-hard Microsoft.
I heard the MS implementation is little-endian, which is not the standard for network communications, too.
It's a double free, not easy to exploit (Score:5, Insightful)
Re:It's a double free, not easy to exploit (Score:3, Insightful)
Honest question: Has there ever been an exploit of a double free (or similar) bug? I see how it is a problem (I've segfaulted more than once because of it), but how does one inject and run code using it?
Re:It's a double free, not easy to exploit (Score:5, Informative)
-Aaron
Re:It's a double free, not easy to exploit (Score:2)
Interesting read. Thank you for the link.
Re:It's a double free, not easy to exploit (Score:2)
A computer with the IP address 127.0.0.1 sent information that is characteristic of the HTTP_ActivePerl_Overflow attack.
I wonder what happens if you're running IE or IIS?
Re:It's a double free, not easy to exploit (Score:5, Informative)
Re:It's a double free, not easy to exploit (Score:2, Funny)
for a tutorial about doug lea's malloc
and exploiting the heap.
later
VPN 3000 boxes not vulnerable (Score:5, Informative)
Only if they're configured to authenticate against a KDC. From the Cisco advisory:
Cisco VPN 3000 Series Concentrators not authenticating users against a Kerberos Key Distribution Center (KDC) are not impacted.
Wonder if Windows Kerberos will be affected? (Score:5, Interesting)
Re:Wonder if Windows Kerberos will be affected? (Score:2)
Re:Wonder if Windows Kerberos will be affected? (Score:1)
Kerberos 4 (Score:1)
Re:Wonder if Windows Kerberos will be affected? (Score:2)
Microsoft's implementation is supposedly not affected.
Re:Wonder if Windows Kerberos will be affected? (Score:5, Informative)
Kerberos is good and can be used in an intuitive way in many applications. For everything else, there's nothing stopping you from also using SSH or SSL and (Kerberos) password authentication or even public-key authentication.
Other Schools (Score:1)
Re:Other Schools (Score:2)
The Mail app that comes with MacOS X also has Krb5 support.
Re:Wonder if Windows Kerberos will be affected? (Score:1)
No. SSH provides you with a secure method to log into a particular machine. However, if you have several services (applications, machines, etc) that require authentication it is desirable to have a secure method of not only having one username/password combo but allowing services to authenticate off of that username/password combo. That is where Kerberos comes in.
In the case of SSH it is quite common that its pam configuration is using Kerberos for authentication.
Check it out [mit.edu], truly interesting stu
Re:Wonder if Windows Kerberos will be affected? (Score:2, Informative)
The difference, I suppose, is that they're equivalent in a small/home environment, but much different in an enterprise environment with many users and many hosts. On an enterprise scale, ssh alone jus
Re:Wonder if Windows Kerberos will be affected? (Score:3, Insightful)
PacketCable security (VoIP over cable) is based on Kerberos. (www.packetcable.com). Interestingly, its version of Kerberos uses public-key authentication (PKINIT).
FWIW, the most common KDC used in PacketCable networks (www.ipfonix.com) is not vulnerable, since it uses no MIT code.
I do wish that the original headline had been more accurate, s
Re:Wonder if Windows Kerberos will be affected? (Score:2, Informative)
Quite a few scientific, governmental, and higher education institutions use Kerberos for authentication across thousands of machines.
Re:Wonder if Windows Kerberos will be affected? (Score:3, Interesting)
OTOH, as far as I can tell, MIT Kerberos is NOT under the GPL. A little quick searching and I can't really tell what license it is under, except perhaps MIT's own license. In that same look, I didn't see redistribution/modification provisions, so I have no way to know if it's more like GPL or BSD.
So perhaps Windows Kerberos really IS based on MIT. I just don't know, and don't know how to find out. As for the implementation-depende
Re:Wonder if Windows Kerberos will be affected? (Score:3, Informative)
I believe Windows' implementation was originally based on the MIT code, but I'm not sure.
Re:Wonder if Windows Kerberos will be affected? (Score:2)
The GPL would have prohibited that.
Re:Wonder if Windows Kerberos will be affected? (Score:1)
1: Julesh is wrong, and MS did their own Kerberos from the ground-up, in which case the rest is as you say.
2: MS began with the MIT Kerberos code, but tossed the part where the double-free was, because they had their own tweaks, anyway. Net result, largely the same as (1) above.
3: MS began with the MIT Kerberos code, but didn't touch the part where the double-free is.
Re:Wonder if Windows Kerberos will be affected? (Score:1, Flamebait)
2,3,4) The GPL would have prevented that.
"It's all moot, because most of us will never know"
The GPL would have prevented that.
Re:Wonder if Windows Kerberos will be affected? (Score:1)
Re:Maybe they should..... (Score:4, Insightful)
It is a pretty good deal with a fixed ip address, your own mit-domain name and a direct hookup without any extra firewalls or nats. I know I like mine. However, smarter than average kids do not necessarily good sys admins make. A hack on an "mit"-computer seems to enjoy questionable prestige especially in asia even though nobody ever hacks the university's computers.. just random people's personal ones. What's so great about defacing some bio-major's laptop..
Re:Maybe they should..... (Score:1)
they are continually monitoring for vulnerable hosts on the MIT (18.*) network. my guess is that you won't see the above-mentioned vulnerabilities persist for long.
Re:Maybe they should..... (Score:2)
In my experience, unless you're running kazaa with a high volume of uploads (some people still don't disable the uploads) or are spreading worms from your computer, they do not care. In either of these cases they generally tend to disable the network drop in your room (works for I/S-run places like most of the dorms, but not fraternities).
Generic worm patterns are relatively easy to detect but anyth
He's from RIAA/MPAA! (Score:1)
Affects Redhat, mandrake, mac OS X sun (Score:3, Interesting)
would some one explain what kerberos does and how it works? and how one exploits a double-free?
Re:Affects Redhat, mandrake, mac OS X sun (Score:5, Informative)
I don't believe anyone has mentioned it yet, but so far I haven't heard that the Heimdal Kerberos distribution is affected.
Re:Affects Redhat, mandrake, mac OS X sun (Score:1)
Re:Affects Redhat, mandrake, mac OS X sun (Score:1)
That's why you get messages like this in your console log:
*** malloc[7358]: error for object 0x38b730: Double free
or this:
*** malloc[7722]: Deallocation of a pointer not malloced: 0x55a020; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
- proton
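The two console messages quoted above come from a debugging allocator that keeps track of which addresses it handed out and refuses to release one it does not recognise. The following is an added example, not code from the Slashdot thread, from Apple's malloc or from MIT Kerberos: a small tracking wrapper (the helper names tracked_malloc, tracked_free and SAFE_FREE are hypothetical) that keeps a table of live and recently freed pointers, reports a second free of the same buffer or a free of a pointer it never allocated instead of handing it back to the real free(), and shows the free-then-NULL idiom that makes a second release harmless.

```c
/* Added example (not from the thread, Apple's malloc, or MIT Kerberos):
 * a debug wrapper around malloc/free that tracks live allocations in a
 * fixed table and refuses to free a pointer it does not own, mirroring
 * the "Double free" / "Deallocation of a pointer not malloced" checks
 * quoted in the post above. Helper names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 64

/* Outcome codes returned by tracked_free(). */
enum free_result { FREE_OK = 0, FREE_DOUBLE = 1, FREE_UNKNOWN = 2, FREE_NULL = 3 };

/* Pointers currently owned by the caller, and pointers already released. */
static void *live[MAX_LIVE];
static int live_count;
static void *freed[MAX_LIVE];
static int freed_count;

/* Linear search is fine for a debug aid with a small table. */
static int find(void **tab, int n, void *p) {
    for (int i = 0; i < n; i++)
        if (tab[i] == p) return i;
    return -1;
}

/* Remove entry i by moving the last entry into its slot. */
static void remove_at(void **tab, int *n, int i) {
    tab[i] = tab[--*n];
}

static void *tracked_malloc(size_t n) {
    if (live_count >= MAX_LIVE) return NULL;
    void *p = malloc(n);
    if (!p) return NULL;
    /* malloc may reuse a freed address: it is live again, not freed. */
    int i = find(freed, freed_count, p);
    if (i >= 0) remove_at(freed, &freed_count, i);
    live[live_count++] = p;
    return p;
}

static enum free_result tracked_free(void *p) {
    if (!p) return FREE_NULL;                 /* free(NULL) is a no-op in C */
    int i = find(live, live_count, p);
    if (i >= 0) {
        remove_at(live, &live_count, i);
        if (freed_count < MAX_LIVE) freed[freed_count++] = p;
        free(p);
        return FREE_OK;
    }
    if (find(freed, freed_count, p) >= 0) {
        fprintf(stderr, "*** tracked_free: double free of %p\n", p);
        return FREE_DOUBLE;                   /* refuse: never call free() twice */
    }
    fprintf(stderr, "*** tracked_free: pointer not malloced: %p\n", p);
    return FREE_UNKNOWN;
}

/* The defensive idiom: clear the pointer when releasing it, so any later
 * release sees NULL instead of a dangling address. */
#define SAFE_FREE(p) do { tracked_free(p); (p) = NULL; } while (0)

/* The classic mistake: two code paths each believe they own the buffer. */
static int demo_double_free(void) {
    char *buf = tracked_malloc(16);
    if (!buf) return -1;
    strcpy(buf, "ticket");
    enum free_result first = tracked_free(buf);
    enum free_result second = tracked_free(buf);   /* plain free() would corrupt the heap here */
    return first == FREE_OK && second == FREE_DOUBLE;
}

/* With SAFE_FREE the second release is harmless. */
static int demo_safe_free(void) {
    char *buf = tracked_malloc(16);
    if (!buf) return -1;
    SAFE_FREE(buf);
    return tracked_free(buf) == FREE_NULL;
}

/* Freeing something that never came from the allocator is caught too. */
static int demo_unknown_free(void) {
    static int not_heap;                      /* static storage, never malloc'd */
    return tracked_free(&not_heap) == FREE_UNKNOWN;
}

int main(void) {
    printf("double free detected: %d\n", demo_double_free());
    printf("safe free harmless:   %d\n", demo_safe_free());
    printf("unknown free caught:  %d\n", demo_unknown_free());
    return 0;
}
```

The wrapper only ever compares pointer values, so it never touches freed memory itself; a production allocator does the same bookkeeping in its own metadata, which is why the macOS messages above can name the offending address.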
Probably the oldest known security hole (Score:3, Funny)
Re:Probably the oldest known security hole (Score:1)
KFG
same goes for the XP SP2 writeup (Score:1, Flamebait)
the story got posted the way it did simply because it was sensational and slammed microsoft in a super-snotty manner. so hey, my point still stands, whaddya know.
Did MS steal from MIT? (Score:2, Informative)
Someone at MS commented a few days ago (it was picked up by CNET I think) that their "Kerberos" implementation is not vulnerable to the double free because it's their own code. But of course MIT's implementation is not GPL-licensed so MS could easily have stolen^H^H^H^H^H^H adapted it just as they d
Re:Did MS steal from MIT? (Score:2)
MIT chose to license it under their license. There's no reason anybody should be pissy at Microsoft if they used free code. Obviously this is what the MIT Kerberos developers wanted, so nobody has a right to bash Microsoft if they did use the code. There are plenty of other reasons to ba
Re:Did MS steal from MIT? (Score:1)
"bashing" - are you referring to my use of the word "stealing"? The MIT license does not require open-sourcing of derivative works but it does require proper attribution.
Re:Did MS steal from MIT? (Score:2)
Active Directory? (Score:2)
Re:Active Directory? (Score:2, Informative)
http://news.com.com/Security+pros+warn+of+critical+flaws+in+Kerberos/2100-1002_3-5343325.html#yourtake [com.com]
"Kerberos is a building block of many network security devices and software. Microsoft uses the mechanism to control security in its Active Directory authentication. However, the company uses a homegrown version of Kerberos that is not affected by the flaws, Hartman said. However, Sun's Solaris, Linux from Red Hat and Mandrake, and OS X all use Kerberos. Some companies
Sorry, NOT disappointed (Score:2)
Redhat Fedora fixed also (Score:2)
http://download.fedora.redhat.com/pub/fedora
and grab krb*
Or use yum, up2date, etc.
I guess the Open Source crowd argument... (Score:1, Insightful)
I guess "sharper eyes" are better than "many eyes"...
Open SSHD issues (Score:1)
MIT? Pfft (Score:1)