Attackers could exploit "highly critical" security holes in Kerberos 5 to cause a denial of service or launch malicious code, Danish security firm Secunia said in an advisory.
The first problem is that "a double-free error in the 'krb5_recvauth()' function can potentially be exploited to execute arbitrary code in the context of the program calling this function," Secunia said. "Successful exploitation may lead to the compromise of an entire Kerberos realm or cause the program to crash." The flaw has been reported in kpropd, klogind, and krshd versions 1.4.1 and prior. Any third-party programs calling the 'krb5_recvauth()' function are also vulnerable, the firm added.
The second issue is an error in the Key Distribution Center (KDC) implementation that causes memory to be freed up
The third vulnerability stems from a boundary error in the KDC that can cause a single-byte heap-based buffer overflow if the attacker uses a specially crafted TCP or UDP request. "This can potentially be exploited to execute arbitrary code," Secunia said. "Successful exploitation may lead to the compromise of an entire Kerberos realm or cause a [denial of service]." The vulnerability has been reported in KDC implementations and application servers 1.4.1 and prior. Third-party application servers using MIT krb5 are also affected, the firm said.
The Secunia advisory links to advisories from the Massachusetts Institute of Technology's (MIT) Kerberos Team. The advisories outline patches and workarounds, and Secunia noted the flaws will also be fixed in version 1.4.2.
Sun has issued its own advisory saying the problems affect the Enterprise Authentication Mechanism software and Solaris versions seven through 10. Sun said it has no patch yet, though it's working on a fix.
Meanwhile, Linux vendors Gentoo, Red Hat and Turbolinux have issued fixes for their affected products.