Alert on Kerberos Vulnerabilities
Last week, I extolled the virtues of Kerberos as a sound cross platform
authentication technology. Since timing is everything, just hours after
submitting that newsletter the CERT Coordination Center issued a
bulletin impacting certain UNIX and Linux implementations.
Specifically, the XDR library (a derived remote procedure call) supplied
by Sun Microsystems to a number of vendors had a security hole that
threatened Kerberos. The library involves sending process between
computer systems. The flaw can produce a buffer overflow. A hacker can
use the overflow in MTI Kerberos to gain control of a Key Distribution
Center (KDC) and improperly authenticate to other services within a
trusted realm. The impacted products include those that use the Sun
network service library (libnsl), the BSD-derived XDR/RPC routines
(libc) and the GNU C library with sunrpc (glibc).
The CERT Advisory, available at
http://www.cert.org/advisories/CA-2002-25.html, also provides links to
appropriate software patches. The patches apply to the following
applications (plus others that were unidentified at the time): DMI
Service Provider daemon (dmispd); CDE Calendar Manager Service daemon
(rpc.cmsd); and MIT Kerberos 5 Administration daemon (kadmind).
If you are running systems from one or more of the following vendors,
you are advised to apply the patches noted in the CERT Advisory:
Apple OS-X
Debian 2.2 and 3.0
GNU glibc
Free BSD
HP-UX
IBM AIX
Juniper Neworks SDX-300
MIT Kerberos
Microsoft (no confirmed problem but check)
Net BSD
OpenAFS
Red Hat
SGI
Sun Microsystems
A final note: Despite this advisory, I still recommend Kerberos. Apply
the patches as noted and live in a more secure environment.
» posted by ITworld staff
ITworld
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
VMware ESX Server in the Enterprise
By Edward L. Haletky
Published Dec 29, 2007 by Prentice Hall.
Enter now! | Official rules | Sample chapter
Green IT
By Toby Velte, Anthony Velte, Robert C. Elsenpeter
To be published Oct. 10, 2008 by McGraw Hill Professional
Enter now! | Official rules | About the book
