Feeds

Critical Kerberos bugs surface

Action stations

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Multiple vulnerabilities have been reported in version five of the widely-used Kerberos authentication protocol. The most serious could be exploited by crackers to gain root control to authentication servers.

Exploits are yet to surface and patches are available. All releases of MIT Kerberos 5 up to and including krb5-1.3.4 are affected. At fault are "double-free vulnerabilities" in MIT Kerberos 5 implementation's Key Distribution Center (KDC) program and libraries. Double free vulnerabilities arise when programs try to free up the same portion of system memory twice, in this case creating a possible means for a remote attacker to execute arbitrary code on target systems.

Also, an error in the ASN.1 decoder of MIT Kerberos 5 could be used to cause vulnerable systems to hang. An attacker would be able to carry out this denial of service attack without first having to log onto vulnerable systems.

Developers are advised to update to version krb5-1.3.5, when it becomes available. In the meantime, MIT has published patches to address the vulnerability in earlier versions of its code. A summary of the products affected - along with responses from vendors - is here. Some users of Cisco VPN 3000 Series Concentrators will, for example, need to update their software .

Kerberos was developed by MIT and is a popular means for securely authenticating a request for a service in a computer network. The name derives from Greek mythology, where Cerberus is the three-headed dog guarding the gates of Hades. ®

Related stories

Kerberos Redux?
Kerberos bug bites
Sun library bug affects *Nix and Kerberos

Remote control for virtualized desktops

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Managing SSL certificates with ease
The lack of operational efficiencies and compliance pitfalls associated with poor SSL certificate management, and how the right SSL certificate management tool can help.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.