MIT's Kerberos authentication utility has been found to have some serious vulnerabilities. Windows is not affected, but other widely used products from Cisco and Apple are definitely vulnerable, as are many third-party applications that rely on Kerberos 5.
Kerberos is a symmetric-key authentication system that uses a unique "ticket" to identify authorised users across an open network. Kerberos was developed at the Massachusetts Institute of Technology (MIT) during the Athena Project and was later adopted as a standard by the Open Software Foundation.
Many applications use the MIT version of Kerberos code. Starting with Windows 2000, Microsoft began using a modified proprietary version of Kerberos. A Microsoft spokesperson, however, quoting experts in the vendor's Security Response Center, told TechRepublic that Windows-based products aren't affected by this vulnerability because Microsoft doesn't use MIT code in its version of the protocol.
Those applications that do rely on the actual MIT version of the protocol (including some Cisco and Apple products) are subject to a vulnerability found in the current version of the MIT krb5 libraries. These contain ASN.1 decoder code that is subject to a denial of service attack caused by an infinite loop. ASN.1, or Abstract Syntax Notation One, defined in C.C.I.T.T. X.208, is a language for describing structured information.
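As an added illustration (hypothetical code, not MIT's krb5 decoder), the BER length walker below shows the checks that keep an ASN.1 decoder from looping or reading past its input: every element must consume bytes, the indefinite-length form and over-wide lengths are refused, and the remaining-bytes comparison is written so it cannot wrap. The status codes, function names and sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome codes for walking a buffer of BER TLV elements (hypothetical). */
enum { ASN1_OK = 0, ASN1_TRUNCATED = -1, ASN1_BAD_LENGTH = -2 };

/* Decode one BER length at buf[*pos]: short form (< 0x80) or long form
 * (0x81..0x8n followed by n big-endian bytes). The indefinite form (0x80)
 * and lengths wider than size_t are rejected rather than guessed at. */
static int decode_length(const uint8_t *buf, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len) return ASN1_TRUNCATED;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return ASN1_OK; }
    size_t n = b & 0x7f;
    if (n == 0 || n > sizeof(size_t)) return ASN1_BAD_LENGTH;
    if (n > len - *pos) return ASN1_TRUNCATED;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[(*pos)++];
    *out = v;
    return ASN1_OK;
}

/* Walk top-level TLVs (single-byte tags assumed) and count them. Every
 * iteration must consume bytes and stay inside the buffer, so a malformed
 * length ends the loop with an error instead of spinning forever.
 * Returns the element count (>= 0) or a negative ASN1_* status. */
int walk_tlvs(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        size_t vlen;
        pos++;                                   /* tag byte */
        int rc = decode_length(buf, len, &pos, &vlen);
        if (rc != ASN1_OK) return rc;
        /* "pos + vlen > len" could wrap on a huge vlen; this form cannot. */
        if (vlen > len - pos) return ASN1_TRUNCATED;
        pos += vlen;
        count++;
    }
    return count;
}

/* Constructed sample inputs, not captured from any real Kerberos message. */
static const uint8_t GOOD[]  = {0x30, 0x03, 0x02, 0x01, 0x05, 0x04, 0x00}; /* SEQUENCE{INTEGER 5}, empty OCTET STRING */
static const uint8_t SHORT[] = {0x04, 0x05, 0x01};                         /* claims 5 bytes, only 1 present */
static const uint8_t INDEF[] = {0x30, 0x80, 0x00, 0x00};                   /* indefinite-length form */
static const uint8_t HUGE[]  = {0x04, 0x84, 0xff, 0xff, 0xff, 0xff};       /* length 0xffffffff */
```

Each malformed sample returns a negative status on the first bad element instead of advancing the cursor, which is the property a decoder needs so that a single crafted message cannot tie up the service.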
Other recent Kerberos 5 vulnerabilities listed by Secunia in Advisory 12408 and also related to the ASN.1 function are:
Applicability
The initial advisory for the ASN.1 infinite loop denial of service vulnerability, MIT krb5 Security Advisory 2004-003, indicates that this vulnerability affects Kerberos 5 releases from krb5-1.2.2 through krb5-1.3.4.
There were five moderate vulnerabilities discovered in Kerberos 5 during 2003, all of which were patched. The ASN.1 flaw is the most serious vulnerability reported so far in 2004.
Cisco VPN 3000 Series Concentrators running 4.0.x versions prior to 4.0.5.B or 4.1.x versions prior to 4.1.5.B are vulnerable to this recently disclosed Kerberos flaw. See the Cisco security alert for more information about how this protocol library flaw can lead to remote code execution and a DoS attack. Cisco customers should upgrade to 4.0.5.B or 4.1.5.B.
Cisco IOS and Cisco CatOS are not vulnerable, and neither are Cisco PIX Firewall or Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series routers. The latter two devices don't include Kerberos 5 support.
Risk level: serious
The MIT Kerberos team rates the ASN.1 DoS flaw as serious. The ASN.1 decoder bug can let an unauthenticated attacker run arbitrary code and trigger an infinite loop. The other vulnerabilities are important, but not as serious. Secunia rates them all together as highly critical.