Kerberos Authentication Protocol Ill

Alcatel, Apple Computer Inc, AT&T, the Fedora Project, Fujitsu, the Hewlett Packard Company, the IBM Corporation, Juniper Networks, McAfee, the Microsoft Corporation, Novell Inc, Red Hat Inc, the Sony Corporation. All of these are examples of companies or corporations that use the Kerberos authentication protocol and are affected by the bugs that have been found to come along with it.

So far, no exploits have been found, but patches have already been made available for the MIT Kerberos 5 releases, up to krb5-1.6.3. The biggest problems that surfaced up to date deal with processing krb4 requests in MIT Kerberos 5 implementation's Key Distribution Center (KDC in short) program and libraries. Hackers have missed out on a big opportunity to make something of the flaws, as they allowed arbitrary code execution on the systems using it.

By the looks of it, the protocol taking its name from the hound that guarded the gates of Tartarus, was pretty unsecure, to say the least. For something that was meant to securely authenticate a request for a service in a computer network, it left doors wide open for cybercriminals to swoop for the kill. Two additional bugs have been documented, being found in the Kerberos RPC library and they involved handling of open file descriptors. Any exploit of the two would have caused memory corruption.

Update to the latest version if you want to avoid the above as krb-1.6.4 is your savior. If you're not able to do it for one reason or another, then there are a number of workarounds available. Had the hackers eventually profited from the two types of security flaws, it seems to me they would have been granted a great stress-relieving means: should the former not work, then all they had to do to get the failure out of their systems was to crash the target PC.