Bugs found in Kerberos
The MIT developers of the Kerberos authentication system have released patches for several serious security holes, which could allow remote attackers to obtain sensitive information, shut down a system or execute malicious code.
The first problem is with the Kerberos Key Distribution Center (KDC) and involves the way the KDC handles incoming krb4 requests. The problem can be exploited to crash the KDC server, execute malicious code or disclose memory, according to MIT.
The second problem is in the way the KDC sends responses for krb4 requests, which can be exploited to disclose potentially sensitive stack memory via a specially crafted krb4 request.
Exploitation for these first two bugs requires that krb4 support is enabled in the KDC; it is disabled by default in newer versions. These bugs affect Kerberos 5 versions 1.6.3 and earlier.
The third bug is in the Kerberos RPC library when handling open file descriptors. Under certain conditions, an attacker could send an overly large number of RPC connections, causing a memory corruption and allowing the execution of malicious code.
This bug affects Kerberos 5 versions 1.2.2 to 1.3 and 1.4 through 1.6.3, according to MIT.
Independent security firm Secunia gave the bugs a "highly critical" ranking.
» posted by abennett
Techworld.com
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
Kerberos
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.












