MIT's Kerberos authentication utility has been found to have some serious vulnerabilities. Windows is not affected, but other widely used products from Cisco and Apple are definitely vulnerable, as are many third-party applications that rely on Kerberos 5.
Kerberos is a symmetric cryptographic key authentication system that uses a unique "ticket" to identify authorized users across an open network. Kerberos was developed at the Massachusetts Institute of Technology (MIT) during the Athena Project and later adopted as a standard by the Open Software Foundation.
Many applications use the MIT version of Kerberos code. Starting with Windows 2000, Microsoft began using a modified proprietary version of Kerberos. A Microsoft spokesperson, however, quoting experts in the vendor's Security Response Center, told TechRepublic that Windows-based products aren't affected by this vulnerability because Microsoft doesn't use MIT code in its version of the protocol.
Those applications that do rely on the actual MIT version of the protocol (including some Cisco and Apple products) are subject to a vulnerability found in the current version of the MIT krb5 libraries. These contain ASN.1 decoder code that is subject to a denial of service attack caused by an infinite loop. ASN.1, or Abstract Syntax Notation One, defined in C.C.I.T.T. X.208, is a language for describing structured information.
Other recent Kerberos 5 vulnerabilities listed by Secunia in Advisory 12408 and also related to the ASN.1 function are:
- Double-free errors in the Key Distribution Center cleanup code and client libraries.
- Double-free errors in the "krb5_rd_cred()" function.
- A double-free error in krb524d related to an event that occurs when a cross-realm ticket is denied and is later freed again during a call to "krb5_free_ticket()".
The initial advisory for the ASN.1 infinite loop denial of service vulnerability, MIT krb5 Security Advisory 2004-003, indicates that this vulnerability affects Kerberos 5 releases from krb5-1.2.2 through krb5-1.3.4.
There were five moderate vulnerabilities discovered in Kerberos 5 during 2003, all of which were patched. The ASN.1 flaw is the most serious vulnerability reported so far in 2004.
Cisco VPN 3000 Series Concentrators version 4.0.x prior to 4.0.5.B and 4.1.x versions prior to 4.1.5.B are vulnerable to this recently disclosed Kerberos vulnerability. See the Cisco security alert for more information about how this protocol library flaw can lead to remote code execution and a DoS attack. Cisco customers should upgrade to 4.0.5.B or 4.1.5.B.
Cisco IOS and Cisco CatOS are not vulnerable, and neither are Cisco PIX Firewall or Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series routers. The latter two devices don't include Kerberos 5 support.
This is a serious vulnerability for the ASN.1 DoS threat (as rated by the MIT Kerberos team). The ASN.1 decoder bug can let an unauthenticated attacker run arbitrary code and trigger an infinite loop. The other vulnerabilities are important, but not as serious. Secunia rates them all together as highly critical.
Initially, all of the available patches provided by MIT should be applied (either manually or in the form of updates from vendors). However, when krb5-1.3.5 is made available, the Kerberos team reports that it will contain fixes for all these vulnerabilities.
These patches are available for the latest ASN.1 DoS threat:
- The patch for krb-1.3.4 also applies to the earlier krb5-1.3.x.
- The patch for krb5-1.2.8 applies to krb5-1.2.2 versions through krb5-1.2.8.
The patch schedules for the other vulnerabilities are more complicated, especially for krb5-1.2 through krb5-1.2.7, and you should refer directly to MIT krb5 Security Advisory 2004-002 for details.
Other Kerberos flaws
Another MIT advisory, MITKRB5-SA-2004-002, addresses these double-free threats:
- The Mitre CVE vulnerability designated CAN-2004-0642 affects releases of Kerberos 5, up to and including krb5-1.3.4.
- Applications that call the krb5_rd_cred() function prior to krb5-1.3.2, including remote login daemons and third-party applications, are subject to another vulnerability (Mitre CVE CAN-2004-0643).
- Also affected are client code from Kerberos 5 through krb5-1.3.4 and any applications calling client library functions. These are covered by Mitre CVE CAN-2004-0642.
- CAN-2004-0772 affects the krb524d program for krb5-1.2.8, and later or earlier versions if they have been patched to disable cross-realm functionality.
Some of these Kerberos flaws are part of an important security update that Apple recently released for Mac OS X.
At the time it was added to Windows, some of us complained about Microsoft's use of a proprietary version of Kerberos because it made it difficult to connect those systems with others that use Kerberos, but I guess Microsoft has had the last laugh because their version isn't susceptible to this particular vulnerability, and it has also remained safe from other Kerberos flaws in the past.
If you followed the link for Apple vulnerabilities, it appears that the reason Apple hasn't been coming out with a lot of patches isn't because there aren't many problems with Mac OS X software, but simply because the company has been hoarding the patches to release them all at once.
Also watch for...
- Microsoft's TechNet site reports that the automatic update of all XP and XP SP1 systems to XP SP2 has been delayed from December 2004 to April 2005 in order to help administrators prepare for this taxing upgrade. See the page on temporarily disabling automatic delivery of XP SP2 for more details.
- In addition to the Mac OS X security update mentioned above, there is also upgrade to version 10.2.5 for OS X. This fixes issues with Apache Server exception handling, problems with OpenSSL, and some newly disclosed Directory Services threats.
- SuSE has released a patch for Apache2 that addresses two DoS vulnerabilities.
- There are multiple buffer overflow and DoS vulnerabilities in the Oracle Database Server. See the SecuriTeam report page for more details.