
Kerberos Authentication Protocol Ill

Bugs did it!

By Vlad Constandes, SEO News Editor

20th of March 2008, 15:08 GMT

[Image: The way Kerberos works]
Alcatel, Apple Computer Inc, AT&T, the Fedora Project, Fujitsu, the Hewlett Packard Company, the IBM Corporation, Juniper Networks, McAfee, the Microsoft Corporation, Novell Inc, Red Hat Inc, the Sony Corporation. All of these are examples of companies or corporations that use the Kerberos authentication protocol and are affected by the bugs that have been found in it.

So far, no exploits have been found, but patches have already been made available for the MIT Kerberos 5 releases, up to krb5-1.6.3. The biggest problems that have surfaced to date deal with the processing of krb4 requests in the Key Distribution Center (KDC for short) program and libraries of the MIT Kerberos 5 implementation. Hackers have missed out on a big opportunity to make something of the flaws, as they allowed arbitrary code execution on the systems using it.

By the looks of it, the protocol, which takes its name from the hound that guarded the gates of Tartarus, was pretty insecure, to say the least. For something that was meant to securely authenticate a request for a service in a computer network, it left doors wide open for cybercriminals to swoop in for the kill. Two additional bugs have been documented in the Kerberos RPC library; they involve the handling of open file descriptors. Any exploit of the two would have caused memory corruption.

Update to the latest version if you want to avoid the above, as krb-1.6.4 is your savior. If you're not able to do it for one reason or another, then there are a number of workarounds available. Had the hackers eventually profited from the two types of security flaws, it seems to me they would have been granted a great stress-relieving means: should the former not work, then all they had to do to get the failure out of their systems was to crash the target PC.

© Copyright 2001-2008 Softpedia