Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Kerberos Holes Could Bring Serious Exploits

    Written by

    Wayne Rash
    Published September 1, 2004
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Researchers at the Massachusetts Institute of Technology have reported the discovery of several potential vulnerabilities in the Kerberos Key Distribution Center that could allow an attacker to run malicious code on the target machine.

      As reported earlier, a fix is expected for these vulnerabilities in the near future. In the case of Cisco VPN products using Kerberos, such a patch has already been issued.

      The vulnerability that is potentially the most serious involves whats called a “double free” error, in which the cleanup module attempts to clear the same buffer twice. When this happens, its possible that an attacker could compromise Kerberos. The second, called the ASN.1 bug, involves the potential to cause a module to hang, bringing Kerberos to a halt.

      While these vulnerabilities have the potential to be serious because they could give an attacker free reign inside your enterprise while appearing to be an authorized user, at this point there are no known exploits. More important, creating such an exploit would, according to MIT, require a significant level of capability and perhaps existing secure access to the enterprise.

      What this means to you is that the risk to your enterprise is low, but its still there, and if an exploit is developed, it could be very serious indeed. Because of this risk, its important that you secure your enterprise by applying the patches, as explained by MIT here and here. If youre using Ciscos VPN 3000 series concentrator, you should download the patch from Cisco and apply it now.

      /zimages/4/28571.gifClick here to read about how vulnerabilities in core libraries can have a far wider impact than expected.

      Assuming you have a well-designed network that can prevent unauthorized remote access, the risk of these vulnerabilities is minimized simply because the attacker would have to have physical access to your network. But VPN access that uses Kerberos authentication is, of course, vulnerable until patched. Cisco users can solve that problem immediately, but its not clear that others can do so just yet without applying patches manually.

      Unfortunately, exploits of the ASN.1 bug in Kerberos arent so difficult. That bug will cause the system in which its installed to hang, interfering with or preventing operations involving Kerberos. To cause this result, all thats required is a corrupt encoding that will in turn cause the component to go into an endless loop. MIT researchers say this exploit is trivial to create. While no such exploit has been identified here, either, you can expect one to appear.

      /zimages/4/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Either way, you should consider it critical that these vulnerabilities are patched as soon as possible. An exploit could leave your entire enterprise open to anyone who wanted in, or at the very least, you could find your Kerberos authentication inoperative.

      The soon to be released krb5-1.3.5 version of Kerberos will contain fixes for all of these vulnerabilities. But you can patch your most critical systems now, and you should. Yes, it will require some work, but not nearly as much as a successful exploit.

      /zimages/4/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.

      /zimages/4/77042.gif

      Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: /zimages/4/19420.gif http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

      Wayne Rash
      Wayne Rash
      https://www.eweek.com/author/wayne-rash/
      Wayne Rash is a content writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He is the author of five books, including his most recent, "Politics on the Nets." Rash is a former Executive Editor of eWEEK and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center and editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×