‘Critical’ Kerberos Flaws Could Open Networks to Attack

Kerberos, the popular authentication protocol developed by the Massachusetts Institute of Technology, is vulnerable to three serious flaws that could allow an attacker to gain access to protected corporate networks, MIT researchers disclosed late on Tuesday.

Unix variants such as Solaris and Apple Computer Inc.’s Mac OS X, and Linux distributions such as Red Hat and Gentoo all contain the affected code. Windows also uses a version of Kerberos, but it doesn’t contain the flaw.

Two of the bugs affect the MIT krb5 KDC (Key Distribution Center), used for authenticating users. Both are exploitable via a specially crafted request via a TCP connection. The first bug causes the KDC to corrupt the heap by attempting to free memory at a random address, resulting in a KDC crash.

The second, more serious bug, can be exploited by the same request, via either TCP or UDP (User Datagram Protocol), and triggers a bug in the krb5 library resulting in a single-byte heap buffer overflow, potentially allowing an attacker to execute code with root privileges. If exploited, an attacker could gain access to an entire authentication realm, security experts said. MIT said such an attack was possible but “highly improbable.”

The third bug affects the “krb5_recvauth()” function and could also allow the execution of malicious code. MIT researchers said the type of flaw involved—a “double free” error, where a component attempts to free memory that has already been freed—is thought to be difficult to exploit. No exploit code is currently known for any of the three flaws, MIT said.

Independent security vendor Secunia called the three bugs “highly critical,” its second most serious rating. The French Security Incident Response Team gave the bugs a “critical” rating, its most serious.

MIT’s implementation of Kerberos is commonly integrated into Linux and Unix, and Linux vendors such as Red Hat Inc. and Gentoo Foundation Inc. have begun distributing patches.

Sun Microsystems Inc. acknowledged that Solaris and SEAM (Sun Enterprise Authentication Mechanism) are affected, but it did not immediately have a patch available, instead advising users to put a workaround into place. However, no workaround is available for the single-byte buffer overflow flaw, according to Sun.

Apple has not yet issued an advisory on its implementation of Kerberos in Mac OS X.

Click here to read about Apple’s latest update for Mac OS X “Tiger,” which fixes two security flaws.

The glitches affect Kerberos v5 versions 1.4.1 and earlier, as well as any third-party software using the affected components and functions, according to researchers. MIT’s advisories on the bugs, found here and here, contain instructions on patching. Kerberos v5 version 1.4.2 will also fix the bugs when it is released, according to MIT.

Kerberos, developed at MIT, is one of the most widely deployed authentication protocols on the Internet and is implemented in many commercial products, including operating systems and routers. Windows 2000, Windows XP and Windows Server 2003 use a variant of Kerberos as their default authentication method, but since the Windows version doesn’t use MIT’s code, it isn’t affected by the latest bugs.

The vulnerabilities are the most serious in Kerberos v5 since September 2004, when several serious bugs surfaced in an earlier version of Kerberos v5, similar to those disclosed this week. In early 2003, multiple issues allowed remote system access, impersonation and denial of service.

In October 2002, a flaw in kadmind4 (Kerberos v4 compatibility administration daemon) allowed unauthenticated attackers to gain root privileges on Kerberos v4 and v5 machines; at that time, MIT researchers said an exploit was already circulating when the patch was released.

A less serious bug surfaced in the MIT Kerberos Telnet Client at the end of March, allowing malicious users to access a system, but only under particular conditions.

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.