MIT fixes critical Kerberos 5 flaws

MIT fixed several critical flaws in Kerberos 5, a suite of applications and libraries for the Kerberos network-authentication protocol used on numerous platforms.


The Massachusetts Institute of Technology (MIT) has fixed several critical Kerberos 5 flaws attackers could exploit to cause a denial of service, bypass security restrictions and hijack targeted machines.

Kerberos is a secure method for authenticating a request for a service in a computer network. It was developed in the Athena Project at MIT and is incorporated into a variety of products, including Sun Microsystems's Enterprise Authentication Mechanism software and its Solaris operating system, Red Hat Linux, MandrakeSoft Linux and Debian Linux.

Danish vulnerability clearinghouse Secunia described one of the flaws as an error in the MIT krb5 telnet daemon that surfaces when a username is processed. Attackers who exploit it can log in as an arbitrary user by providing a specially crafted username beginning with "-e".

Secunia said Kerberos also contained a boundary error in the "krb5_klog_syslog()" function within the kadm5 library, which attackers can exploit to cause a stack-based buffer overflow via an overly long string. A double-free error in the "kg_unseal_v1()" function within the MIT krb5 GSS-API library also exists. Attackers can exploit it to launch malicious code, Secunia said.

The Secunia advisory links to the advisories MIT released for the individual issues.
