Alert on Kerberos Vulnerabilities

by Robert Williams

August 21, 2002 —

Last week, I extolled the virtues of Kerberos as a sound cross platform
authentication technology. Since timing is everything, just hours after
submitting that newsletter the CERT Coordination Center issued a
bulletin impacting certain UNIX and Linux implementations.

Specifically, the XDR library (a derived remote procedure call) supplied
by Sun Microsystems to a number of vendors had a security hole that
threatened Kerberos. The library involves sending process between
computer systems. The flaw can produce a buffer overflow. A hacker can
use the overflow in MTI Kerberos to gain control of a Key Distribution
Center (KDC) and improperly authenticate to other services within a
trusted realm. The impacted products include those that use the Sun
network service library (libnsl), the BSD-derived XDR/RPC routines
(libc) and the GNU C library with sunrpc (glibc).

The CERT Advisory, available at
http://www.cert.org/advisories/CA-2002-25.html, also provides links to
appropriate software patches. The patches apply to the following
applications (plus others that were unidentified at the time): DMI
Service Provider daemon (dmispd); CDE Calendar Manager Service daemon
(rpc.cmsd); and MIT Kerberos 5 Administration daemon (kadmind).
If you are running systems from one or more of the following vendors,
you are advised to apply the patches noted in the CERT Advisory:

Apple OS-X
Debian 2.2 and 3.0
GNU glibc
Free BSD
HP-UX
IBM AIX
Juniper Neworks SDX-300
MIT Kerberos
Microsoft (no confirmed problem but check)
Net BSD
OpenAFS
Red Hat
SGI
Sun Microsystems

A final note: Despite this advisory, I still recommend Kerberos. Apply
the patches as noted and live in a more secure environment.

ITworld