A flaw has been identified in certain implementations of the widely used Kerberos authentication protocol. The flaw could be exploited by crackers to gain root access to authentication servers.
The issue is serious, with at least one exploit known to exist in the wild, but there is a patch.
All releases of MIT Kerberos 5, up to and including krb5-1.2.6, and all Kerberos 4 implementations derived from MIT Kerberos 4, including Cygnus Network Security (CNS), are affected by the high risk vulnerability.
The US government Department of Energy's Computer Incident Advisory Capability (CIAC) team warns the problem is compounded because a potential attacker does not have to authenticate to an authentication server in order to carry out the attack. Because of the issue an attacker might be able execute arbitrary code on the key distribution center (KDC), which authenticates users, and thereby compromise a Kerberos database.
A stack buffer overflow in the implementation of the Kerberos v4 compatibility administration daemon (kadmind4) of the MIT krb5 distribution has been identified as the root cause of the problem. The kadmind4 daemon supplied with MIT krb5 is intended for use in sites that require compatibility with legacy administrative clients; sites that do not have this requirement are not likely to be running this daemon.
MIT has published an advisory which advises sys admins with potentially vulnerable servers on how to fix the flaw.
Kerberos, which was developed by MIT, is a very widely used means for securely authenticating a request for a service in a computer network. The name derives from Greek mythology, where Cerberus is the three-headed dog guarding the gates of Hades. ®