Kerberos Authentication System Reveals Critical Holes

A number of serious security flaws were found in the Kerberos authentication system at the Massachusetts Institute of Technology following which the system's developers adequately patched them.

According to experts, security holes in the server of MIT Kerberos Key Distribution Center could be remotely exploited to take control of the main database, get hold on sensitive information, and cause a DOS condition.

Describing the security holes, US-CERT said on March 18, 2008 that they are present in the krb5Kdc (Key Distribution Center server) and Authentication Service that form part of the implementation of MIT Krb5 Kerberos.

As accords to security experts, one particular case shows how the employment of a dangling pointer in KDC could result in double free or crash, and might leak the process memory. Another case shows how unlabelled stack values could cause a repeat use of a window of earlier stack values that would be construed as the content of a message. Some portion of that content could be sent back to the hacker as one of the error responses.

The vulnerabilities, however, can be exploited only when Kerberos 4 support becomes active. According to MIT, Kerberos 4 support included by default but not similarly activated in the software's latest versions. MIT further says that any other application or client server system are not affected.

Security researchers also discuss a third hole that exists in the Kerberos RPC library in the manner that open file descriptors are handled, as reported by PCWorld on March 23, 2008. Under specific conditions, a malicious user could send an overwhelming number of RPC connections leading to memory corruption and allowing the installation of malicious software.

Thus, the vulnerability could yield results but only when the operating system allows massive opened file descriptors along with the non-specification of FD_SETSIZE in the system headers for editions previous to 1.3.

MIT notes that this bug influences Kerberos5 versions 1.2.2 to 1.3 and 1.4 to 1.6.3. For versions prior to 1.3, the bug could be exploited in the same conditions but is limited to environments not specifying macros in some of the C system headers.

» SPAMfighter News - 3/28/2008