Monday, March 24, 2008

Critical bugs bite MIT Kerberos

Just happened to catch this article today. Here are the important bits:

Multiple critical vulnerabilities have been discovered in version five of the widely-used Kerberos authentication protocol. The most serious of the bugs create a means to either compromise or crash vulnerable systems.

Exploits are yet to surface and patches are available. All releases of MIT Kerberos 5 up to and including krb5-1.6.3 are affected.

An overview of the bugs by security clearing house Secunia can be found here. A summary of the products affected - along with responses from vendors - has been published by US CERT here and here.

What's the key take-away? Numerous companies ship MIT Kerberos with their product(s), like Centrify (here, here and here), and may in fact even customize it. I wonder how companies affected by these published vulnerabilities handle the following:

  • Patching their own customized versions of MIT Kerberos to work around these and other bugs (for all versions of their software!)?

  • Notifying their install base to update to the patched, more secure release?

  • Guaranteeing timely releases for critical security issues, bugs and vulnerabilities?

Who provides your Kerberos implementation? Is it up to date? Is it affected by these recent security alerts? How do you know? This is one of the reasons why Quest Software has a published guarantee that all critical security bugs will be patched within 10 business days.
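As an added example (not part of the original post), here is a small script that answers the "is it up to date?" question against the krb5-1.6.3 cutoff quoted above. It assumes `krb5-config --version` is on the PATH and prints a line like `Kerberos 5 release 1.6.3`; the sample strings are constructed. A vendor build can carry backported fixes under an old version number, so "affected" here means "check the vendor's advisory", not "definitely vulnerable".

```python
import re
import subprocess

# Highest affected upstream release per the advisory quoted in the post.
LAST_AFFECTED = (1, 6, 3)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_krb5_version(text):
    """Extract (major, minor, patch) from text such as 'Kerberos 5 release 1.6.3'.
    A missing patch level is treated as 0. Returns None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(text):
    """Classify a version string as 'affected', 'fixed-upstream' or 'unknown'.
    Vendor suffixes (e.g. '1.6.3-vendor1') still parse as 1.6.3, so an
    'affected' result must be cross-checked against the vendor's advisory."""
    v = parse_krb5_version(text)
    if v is None:
        return "unknown"
    return "affected" if v <= LAST_AFFECTED else "fixed-upstream"


def installed_version_text():
    """Ask the local krb5-config for its version (assumption: it is on PATH).
    Returns an empty string if the tool is missing or fails."""
    try:
        result = subprocess.run(["krb5-config", "--version"],
                                capture_output=True, text=True, check=True)
        return result.stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    # Constructed sample outputs, not taken from any real host.
    samples = ["Kerberos 5 release 1.6.3", "Kerberos 5 release 1.6",
               "Kerberos 5 release 1.7", "no kerberos here"]
    for sample in samples:
        print(f"{sample!r}: {assess(sample)}")
    print("local install:", assess(installed_version_text()))
```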


1 comment:

Manuel said...


I took a quick look at the MIT security advisories and it looks like this advisory (like many of the most recent ones) covers bugs that have all been in the kdc or kadmind code. As such, it doesn't affect any code that only includes client-side Kerberos libraries.

Nevertheless, your point is well taken.