Attackers could use a "serious" security hole in the Kerberos 5 administration library to launch malicious code, according to an advisory from the Massachusetts Institute of Technology's (MIT) Kerberos Team. But fixes and a workaround are available.
According to the team's advisory,
"The overflow occurs during a password change of a principal with a certain password history state," the advisory added. "An administrator must have performed a certain password policy change in order to create the vulnerable state."
The MIT Kerberos Team said it knows of no exploits to date, though it noted there has been public discussion of the flaw in recent weeks, including "sufficient detail that someone could infer how to perform an attack."
Fortunately, the advisory said, "exploitation of this vulnerability is believed to be difficult, due to the limited extent of the overflow."
Nevertheless, the team warned that an authenticated user -- not necessarily one with administrative privileges -- could launch arbitrary code on the KDC host, "compromising an entire Kerberos realm." The advisory includes a list of mitigating factors that could make exploitation more difficult.
The vulnerability affects KDC software on all releases of MIT Kerberos 5 up to and including version 1.3.5.
A patch is available for version 1.3.5 and the vulnerability is fixed in version 1.4-beta3. The vulnerability is also expected to be fixed in the upcoming krb5-1.4 release and krb5-1.3.6 patch release.
Until KDC programs and libraries have been patched, the advisory recommended users "not decrease the password history count on any policy in your Kerberos realm. Also, if you have already decreased the password history count on a policy at some point in the past, you should raise it to the maximum value that it has had in the past."
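The workaround above turns on one number per policy: the password history count must not sit below any value it has held in the past. The following is an added audit script, not code from the advisory or from MIT krb5; it parses the "Number of old keys kept" line of `kadmin.local -q "getpol <name>"` output (field layout assumed from MIT krb5's getpol text, with constructed sample output embedded) and flags any policy whose current count is lower than the past maximum recorded in an administrator-kept baseline (`HISTORY_BASELINE`, constructed values).

```python
import re
import subprocess

# Constructed sample of `kadmin.local -q "getpol <name>"` output for two
# policies; only the "Number of old keys kept" line matters to the audit.
SAMPLE_GETPOL = {
    "default": ("Policy: default\nMaximum password life: 7776000\n"
                "Minimum password life: 0\nMinimum password length: 8\n"
                "Minimum number of password character classes: 2\n"
                "Number of old keys kept: 3\nReference count: 42\n"),
    "staff":   ("Policy: staff\nMaximum password life: 0\n"
                "Minimum password life: 0\nMinimum password length: 12\n"
                "Minimum number of password character classes: 3\n"
                "Number of old keys kept: 10\nReference count: 7\n"),
}

# Highest history count each policy has ever had, taken from the site's own
# change records (constructed values for this example).
HISTORY_BASELINE = {"default": 5, "staff": 10}

HISTORY_RE = re.compile(r"^Number of old keys kept:\s*(\d+)\s*$", re.MULTILINE)


def parse_history_count(getpol_output: str) -> int:
    """Extract the password history count from one policy's getpol text."""
    match = HISTORY_RE.search(getpol_output)
    if match is None:
        raise ValueError("no 'Number of old keys kept' line in getpol output")
    return int(match.group(1))


def fetch_getpol(policy: str) -> str:
    """Run kadmin.local on the KDC for a live policy (not used offline)."""
    result = subprocess.run(["kadmin.local", "-q", f"getpol {policy}"],
                            capture_output=True, text=True, check=True)
    return result.stdout


def audit_policies(outputs: dict, baseline: dict) -> dict:
    """Return {policy: (current, past_max)} for every policy whose history
    count has been lowered below a past value, i.e. the state the advisory
    says to undo by raising the count back to its past maximum."""
    findings = {}
    for name, text in outputs.items():
        current = parse_history_count(text)
        past_max = baseline.get(name, current)  # unknown history: no finding
        if current < past_max:
            findings[name] = (current, past_max)
    return findings


if __name__ == "__main__":
    for name, (cur, past) in audit_policies(SAMPLE_GETPOL, HISTORY_BASELINE).items():
        print(f"{name}: history count {cur} < past maximum {past}; raise it to {past}")
```

On a real KDC, replace the sample dictionary with `{name: fetch_getpol(name) for name in policies}` and keep the baseline updated whenever a policy is changed.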
Kerberos is a secure method for authenticating a request for a service in a computer network. It was developed in the Athena Project at MIT.