Kerberos critical hole allows system access

The Massachusetts Institute of Technology (MIT) has warned of security vulnerabilities in its implementation of Kerberos that could allow attackers free access to protected systems. Users of MIT Kerberos 5 are urged to apply patches immediately.

Kerberos was invented by MIT and is used by many large businesses as a way of keeping their networks secure. It uses strong encryption to verify the identity of any machine using a networked resource.

The bugs include double-free vulnerabilities in MIT Kerberos 5's Key Distribution Center (KDC), the component that authenticates users; exploiting them could compromise the entire authentication realm served by that KDC.

The same type of vulnerability is also in several libraries, affecting client programs and application servers.

A bug in Kerberos 5's ASN.1 decoder library could allow an attacker to mount a denial of service attack on a KDC by sending the decoder into an infinite loop.

MIT's advisories on the bugs contain instructions on patching. Kerberos 5 version 1.3.5 will also fix the bugs when it is released, according to MIT.

The most serious of the flaws are the double-free vulnerabilities, where a component attempts to free a buffer that has already been freed; this error can be exploited to execute malicious code and take control of a system, researchers said.

These bugs were found in Kerberos 5's KDC cleanup code and several client libraries, allowing unauthenticated users to compromise a system, according to an advisory from Danish security firm Secunia. A double-free bug in krb524d may also allow the execution of malicious code, Secunia said.

Other double-free errors in the "krb5_rd_cred()" function can only be exploited by authenticated users, via services such as krshd, klogind and telnetd, according to Secunia.

MIT said the sophistication needed to exploit these vulnerabilities could mitigate their seriousness slightly.

"Exploitation of double-free bugs is believed to be difficult," MIT's researchers said in the advisory. "No exploits are known to exist for these vulnerabilities."

However, exploiting the ASN.1 decoder flaw, which could effectively shut down the Kerberos system, is another matter. "It is trivial to construct a corrupt encoding which will trigger the infinite loop," MIT said.
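As an added illustration (not MIT's code, and not the actual Kerberos defect), here is a constructed DER element walker in C showing the general failure mode behind an ASN.1 decoder that can be made to spin: a loop that does not insist on forward progress when an element is malformed, beside the hardened loop. The byte strings are constructed for the demo; the iteration cap in the vulnerable walker exists only so the demo terminates.

```c
/* Added example, not MIT Kerberos code: a minimal DER TLV walker showing
 * why a decoder must always make forward progress. Sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size of the whole element at p[0..n) (tag + length byte + content), or 0 if
 * it is malformed. Only short-form definite lengths (< 128) are handled here. */
static size_t tlv_element_size(const uint8_t *p, size_t n)
{
    if (n < 2)          return 0;   /* truncated header */
    size_t len = p[1];
    if (len & 0x80)     return 0;   /* long/indefinite form: not supported here */
    if (len > n - 2)    return 0;   /* content would run past the buffer */
    return 2 + len;
}

/* Vulnerable walker: a 0 return is treated as "nothing consumed" and the loop
 * retries from the same offset, so a corrupt length means no progress, forever.
 * Returns the element count, or -1 if the demo cap was hit (it would spin). */
int count_elements_vulnerable(const uint8_t *buf, size_t n, unsigned cap)
{
    size_t pos = 0; int count = 0;
    for (unsigned iter = 0; pos < n; iter++) {
        if (iter >= cap) return -1;               /* demo-only guard */
        size_t sz = tlv_element_size(buf + pos, n - pos);
        pos += sz;                                /* sz == 0 -> pos unchanged */
        if (sz) count++;
    }
    return count;
}

/* Hardened walker: an element that consumes zero bytes is a decode error.
 * Every iteration either advances pos or returns; the loop cannot spin. */
int count_elements_hardened(const uint8_t *buf, size_t n)
{
    size_t pos = 0; int count = 0;
    while (pos < n) {
        size_t sz = tlv_element_size(buf + pos, n - pos);
        if (sz == 0) return -1;                   /* malformed: stop, do not retry */
        pos += sz;
        count++;
    }
    return count;
}

/* Constructed sample encodings. */
const uint8_t good_der[] = { 0x02, 0x01, 0x05, 0x04, 0x02, 0xAA, 0xBB }; /* INTEGER 5, OCTET STRING */
const uint8_t bad_der[]  = { 0x02, 0x01, 0x05, 0x04, 0x10, 0xAA };       /* claims 16 bytes, has 1 */
```

On the corrupt input the hardened walker returns -1 at once, while the vulnerable one would loop without bound (here reporting -1 only because of the demo cap).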

This is the third time "highly critical" flaws have been found in Kerberos 5, according to Secunia's vulnerability database. The previous bugs were in October 2002 and January 2003.

Matthew Broersma writes for Techworld