MIT’s Kerberos authentication utility has been found to have
some serious vulnerabilities. Windows is not affected,
but other widely used products from Cisco and Apple are definitely vulnerable,
as are many third-party applications that rely on Kerberos 5.

Details

Kerberos is a symmetric cryptographic key authentication
system that uses a unique “ticket” to identify authorized users
across an open network. Kerberos was developed at the Massachusetts Institute
of Technology (MIT) during the Athena Project and later adopted as a standard
by the Open Software Foundation.

Many applications use the MIT version of Kerberos code.
Starting with Windows 2000, Microsoft began using a modified proprietary
version of Kerberos. A Microsoft spokesperson, however, quoting experts in the
vendor’s Security Response Center,
told TechRepublic that Windows-based products aren’t affected by this
vulnerability because Microsoft doesn’t use MIT code in its version of the
protocol.

Those applications that do rely on the actual MIT version of the protocol
(including some Cisco and Apple products) are subject to a vulnerability found
in the current version of the MIT krb5 libraries. These contain ASN.1 decoder
code that is subject to a denial of service attack caused by an infinite loop.
ASN.1, or Abstract Syntax Notation One, defined in C.C.I.T.T. X.208, is a
language for describing structured information.
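As an added illustration (not code from MIT krb5 or from this article) of the decoder property the advisory is about, the following DER tag-length-value walker is written so that a crafted buffer can only produce a clean rejection, never an endless loop: every pass consumes at least two bytes and every declared length is checked against the bytes that remain. Function and error names are this example's own; it assumes single-byte tags.

```c
/* Constructed example, not the krb5 ASN.1 decoder. Shows a bounded DER
 * TLV walk: guaranteed forward progress plus length validation, the two
 * properties that rule out a malformed-input infinite loop. */
#include <stddef.h>
#include <stdint.h>

/* Result codes (names chosen for this example). */
enum { DER_OK = 0, DER_TRUNCATED = -1, DER_BAD_LENGTH = -2 };

/* Decode one DER length field at buf[0..len). Stores the content length
 * in *out and returns the header bytes consumed, or a negative code. */
static int der_read_length(const uint8_t *buf, size_t len, size_t *out)
{
    size_t i, n, val = 0;
    if (len == 0)
        return DER_TRUNCATED;
    if (buf[0] < 0x80) {              /* short form: one byte */
        *out = buf[0];
        return 1;
    }
    n = buf[0] & 0x7f;
    /* 0x80 is the indefinite form, which DER forbids; more than
     * sizeof(size_t) length bytes could not be represented safely. */
    if (n == 0 || n > sizeof(size_t))
        return DER_BAD_LENGTH;
    if (len < 1 + n)
        return DER_TRUNCATED;
    for (i = 0; i < n; i++)
        val = (val << 8) | buf[1 + i];
    *out = val;
    return (int)(1 + n);
}

/* Count top-level elements in buf. Returns the count or a negative DER_*
 * code. `pos` strictly increases on every iteration, so the loop ends. */
int der_count_elements(const uint8_t *buf, size_t len)
{
    size_t pos = 0, elen;
    int count = 0, hdr;
    while (pos < len) {                /* buf[pos] is the tag byte */
        hdr = der_read_length(buf + pos + 1, len - pos - 1, &elen);
        if (hdr < 0)
            return hdr;
        /* Never trust a declared length beyond the buffer; the
         * subtraction cannot underflow because hdr <= len - pos - 1. */
        if (elen > len - pos - 1 - (size_t)hdr)
            return DER_BAD_LENGTH;
        pos += 1 + (size_t)hdr + elen; /* advances by at least 2 */
        count++;
    }
    return count;
}
```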

Other recent Kerberos 5 vulnerabilities listed by Secunia in
Advisory 12408 and also related to the ASN.1
function are:

  • Double-free errors in the Key Distribution Center cleanup code and client libraries.
  • Double-free errors in the “krb5_rd_cred()” function.
  • A double-free error in krb524d that occurs when a cross-realm ticket is denied and is later freed again during a call to “krb5_free_ticket()”.

Applicability

The initial advisory for the ASN.1 infinite loop denial of
service vulnerability, MIT krb5 Security Advisory 2004-003,
indicates that this vulnerability affects Kerberos 5 releases from krb5-1.2.2
through krb5-1.3.4.

There were five moderate vulnerabilities discovered in
Kerberos 5 during 2003, all of which were patched. The ASN.1 flaw is the most
serious vulnerability reported so far in 2004.

Cisco VPN 3000 Series Concentrators version 4.0.x prior to
4.0.5.B and 4.1.x versions prior to 4.1.5.B are vulnerable to this recently
disclosed Kerberos vulnerability. See the Cisco security alert for more
information about how this protocol library flaw can lead to remote code
execution and a DoS attack. Cisco customers should upgrade to 4.0.5.B or 4.1.5.B.

Cisco IOS and Cisco CatOS are not vulnerable, and neither
are Cisco PIX Firewall or Cisco Firewall Services Module (FWSM) for the Cisco
Catalyst 6500 Series and Cisco 7600 Series routers. The latter two devices don’t
include Kerberos 5 support.

Risk level—Serious

The MIT Kerberos team rates the ASN.1 DoS threat as serious. The ASN.1 decoder bug can let an
unauthenticated attacker run arbitrary code and trigger an infinite loop. The
other vulnerabilities are important, but not as serious. Secunia rates them all
together as highly critical.

Fix—Patch

Initially, all of the available patches provided by MIT
should be applied (either manually or in the form of updates from vendors).
However, when krb5-1.3.5 is made available, the Kerberos team reports that it
will contain fixes for all these vulnerabilities.

These patches are available for the latest ASN.1 DoS threat:

The patch schedules for the other vulnerabilities are more complicated,
especially for krb5-1.2 through krb5-1.2.7, and you should refer directly to MIT krb5 Security Advisory 2004-002
for details.

Other Kerberos flaws

Another MIT advisory, MITKRB5-SA-2004-002,
addresses these double-free threats:

  • The Mitre CVE vulnerability designated CAN-2004-0642 affects releases of Kerberos 5 up to and including krb5-1.3.4.
  • Applications that call the krb5_rd_cred() function prior to krb5-1.3.2, including remote login daemons and third-party applications, are subject to another vulnerability (Mitre CVE CAN-2004-0643).
  • Also affected are client code from Kerberos 5 through krb5-1.3.4 and any applications calling client library functions. These are covered by Mitre CVE CAN-2004-0642.
  • CAN-2004-0772 affects the krb524d program for krb5-1.2.8, and later or earlier versions if they have been patched to disable cross-realm functionality.

Some of these Kerberos flaws are part of an important security update that Apple
recently released for Mac OS X.

Final word

At the time it was added to Windows, some of us complained
about Microsoft’s use of a proprietary version of Kerberos because it made it
difficult to connect those systems with others that use Kerberos, but I guess
Microsoft has had the last laugh because their version isn’t susceptible to this
particular vulnerability, and it has also remained safe from other Kerberos
flaws in the past.

If you followed the link for Apple vulnerabilities, it appears
that the reason Apple hasn’t been coming out with a lot of patches isn’t
because there aren’t many problems with Mac OS X software, but simply because
the company has been hoarding the patches to release them all at once.


Also watch for…

  • Microsoft’s TechNet site reports that the automatic update of all XP and XP SP1 systems to XP SP2 has been delayed from December 2004 to April 2005 in order to help administrators prepare for this taxing upgrade. See the page on temporarily disabling automatic delivery of XP SP2 for more details.
  • In addition to the Mac OS X security update mentioned above, there is also an upgrade to version 10.2.5 for OS X. This fixes issues with Apache Server exception handling, problems with OpenSSL, and some newly disclosed Directory Services threats.
  • SuSE has released a patch for Apache2 that addresses two DoS vulnerabilities.
  • There are multiple buffer overflow and DoS vulnerabilities in the Oracle Database Server. See the SecuriTeam report page for more details.