Vulnerabilities in the Massachusetts Institute of Technology's (MIT) Kerberos 5 software could allow an attacker to launch arbitrary code or put machines into an endless loop.
The first advisory from the MIT Kerberos Team describes a "double-free" vulnerability in the Key Distribution Center (KDC) program, which a remote attacker could use to execute arbitrary code. "Compromise of a KDC host compromises the security of the entire authentication realm served by the KDC," the advisory said. "Additionally, double-free vulnerabilities exist in MIT Kerberos 5 library code, making client programs and application servers vulnerable."
The second advisory describes flaws in the ASN.1 decoder library an attacker could exploit to cause a denial of service or an infinite loop in the decoder. The KDC is vulnerable to this attack, the advisory said. "An unauthenticated remote attacker can cause a KDC or application server to hang inside an infinite loop," the advisory said. "An attacker impersonating a legitimate KDC or application server may cause a client program to hang inside an infinite loop."
The two advisories outline patches and future updates that will correct these problems.
San Jose, Calif.-based Cisco Systems said the vulnerabilities affect its VPN 3000 Series Concentrators. "All 4.0.x software versions prior to 4.0.5.B and all 4.1.x software versions prior to 4.1.5.B are vulnerable," the network giant said in an advisory. "Versions prior to 4.0.x are not vulnerable since they do not support Kerberos authentication."
Cisco described Kerberos as a secret-key network authentication protocol developed at MIT that uses the DES cryptographic algorithm for encryption and authentication. It was designed to authenticate requests for network resources and, like other secret-key systems, is based on the concept of a trusted third party that performs secure verification of users and services.
Cisco said the primary use of Kerberos is to verify that users and the network services they use are really who and what they claim to be. To accomplish this, a trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in a user's credential cache and can be used in place of the standard username-and-password authentication mechanism.
The Kerberos credential scheme embodies a concept called "single logon." This process requires authenticating a user once, and then allows secure authentication (without encrypting another password) wherever that user's credential is accepted, the company added in its advisory.
Cisco said the vulnerabilities are fixed in software versions 4.0.5.B and later and 4.1.5.B and later of the Cisco VPN 3000 Series Concentrators.