Kerberos Holes Could Bring Serious Exploits

 
 
By Wayne Rash  |  Posted 2004-09-01 Email Print this article Print
 
 
 
 
 
 
 

While none has yet been reported, the vulnerabilities uncovered by MIT researchers could cause "double free" errors or send the component into an endless loop.

Researchers at the Massachusetts Institute of Technology have reported the discovery of several potential vulnerabilities in the Kerberos Key Distribution Center that could allow an attacker to run malicious code on the target machine. As reported earlier, a fix is expected for these vulnerabilities in the near future. In the case of Cisco VPN products using Kerberos, such a patch has already been issued. The vulnerability that is potentially the most serious involves whats called a "double free" error, in which the cleanup module attempts to clear the same buffer twice. When this happens, its possible that an attacker could compromise Kerberos. The second, called the ASN.1 bug, involves the potential to cause a module to hang, bringing Kerberos to a halt.
While these vulnerabilities have the potential to be serious because they could give an attacker free reign inside your enterprise while appearing to be an authorized user, at this point there are no known exploits. More important, creating such an exploit would, according to MIT, require a significant level of capability and perhaps existing secure access to the enterprise.
What this means to you is that the risk to your enterprise is low, but its still there, and if an exploit is developed, it could be very serious indeed. Because of this risk, its important that you secure your enterprise by applying the patches, as explained by MIT here and here. If youre using Ciscos VPN 3000 series concentrator, you should download the patch from Cisco and apply it now. Click here to read about how vulnerabilities in core libraries can have a far wider impact than expected.
Assuming you have a well-designed network that can prevent unauthorized remote access, the risk of these vulnerabilities is minimized simply because the attacker would have to have physical access to your network. But VPN access that uses Kerberos authentication is, of course, vulnerable until patched. Cisco users can solve that problem immediately, but its not clear that others can do so just yet without applying patches manually. Unfortunately, exploits of the ASN.1 bug in Kerberos arent so difficult. That bug will cause the system in which its installed to hang, interfering with or preventing operations involving Kerberos. To cause this result, all thats required is a corrupt encoding that will in turn cause the component to go into an endless loop. MIT researchers say this exploit is trivial to create. While no such exploit has been identified here, either, you can expect one to appear. For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. Either way, you should consider it critical that these vulnerabilities are patched as soon as possible. An exploit could leave your entire enterprise open to anyone who wanted in, or at the very least, you could find your Kerberos authentication inoperative. The soon to be released krb5-1.3.5 version of Kerberos will contain fixes for all of these vulnerabilities. But you can patch your most critical systems now, and you should. Yes, it will require some work, but not nearly as much as a successful exploit. Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.

Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:  

 
 
 
 
Wayne Rash Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel