Unix/Linux shops -- beware of Kerberos hole
Published: 11 Nov 2002 17:54 GMT
Mitigating factors
If you don't use Kerberos, kadmind probably isn't enabled. If it is, you can remove it to eliminate this threat. Kerberos 5 doesn't appear to be vulnerable by itself, but some implementations also support version 4 protocols, making them vulnerable.
Fix
Disable support for Kerberos 4 authentication if it is not explicitly in use on your network. For MIT Kerberos 5, disable kadmind4 at compile time. Information about this is posted here. For KTH Heimdal, the instructions for disabling Kerberos 4 are posted here.
Symantec and CERT recommend restricting remote connectivity as a workaround. Block TCP/UDP access on port 751 for Kerberos 4 and on port 749 for Kerberos 5 where Kerberos 4 is supported along with version 5. This will not completely block exploitation but will limit damages by preventing password changes and other administrative actions.
You can also apply patches where practical. Patches for the KTH Heimdal software are available from the Debian GNU/Linux Security site: Security Advisory DSA-183-1 for krb5 and DSA-184-1 for krb4.
You can also go to the Symantec report for direct links to many patches for KTH.
Please note that there may be updates to the various security advisories as additional information and more patches are released. For instance, FreeBSD had reportedly already addressed the flaw in the base Kerberos 4 (kadmind) and Kerberos 5 (k5admind, v4 compatibility) daemons at the time of this writing, but no vendor advisory had been posted yet. It will almost certainly be posted by the time this article is published. Several of the other FTP or advisory links were not immediately active but should be by the time you read this.
Check with your vendor or see the CERT Advisory CA-2002-29 for another list of available patches.
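The following shell script is an added example, not code from this article or from the MIT or KTH projects. It audits an ss-style socket listing for listeners on the two admin ports named above (751 for Kerberos 4 kadmind, 749 for Kerberos 5 kadmind) and prints the port-blocking rules the workaround describes; the sample listing is constructed, and the iptables rule form is assumed.

```shell
#!/bin/sh
# Port numbers come from the article; the listing format and rules are assumed.
KADMIN_V4_PORT=751   # Kerberos 4 kadmind
KADMIN_V5_PORT=749   # Kerberos 5 kadmind (risky where v4 compatibility is built in)

# Constructed sample of `ss -lntu` output with both admin daemons listening.
SAMPLE_LISTING='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:751         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:751         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:749         0.0.0.0:*
tcp   LISTEN 0      128    [::]:88             [::]:*'

# kadmin_listeners LISTING: print "proto port" for every socket bound to an
# admin port. The port is the last colon-separated field of the local address,
# so IPv6 forms such as [::]:749 are handled as well.
kadmin_listeners() {
    printf '%s\n' "$1" | awk -v p4="$KADMIN_V4_PORT" -v p5="$KADMIN_V5_PORT" '
        $1 == "tcp" || $1 == "udp" {
            n = split($5, a, ":"); port = a[n]
            if (port == p4 || port == p5) print $1, port
        }'
}

# kadmin_exposed LISTING: succeed (exit 0) if any admin port is listening.
kadmin_exposed() {
    [ -n "$(kadmin_listeners "$1")" ]
}

# block_rules: print iptables rules for the workaround (drop TCP and UDP to
# both admin ports). Review them before applying on a real host.
block_rules() {
    for port in $KADMIN_V4_PORT $KADMIN_V5_PORT; do
        for proto in tcp udp; do
            printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' "$proto" "$port"
        done
    done
}

# On a live host the listing would come from: kadmin_exposed "$(ss -lntu)"
if kadmin_exposed "$SAMPLE_LISTING"; then
    echo "Kerberos admin ports listening:"
    kadmin_listeners "$SAMPLE_LISTING"
    block_rules
fi
```

The rules only limit damage, as the article notes; removing or rebuilding kadmind without Kerberos 4 support remains the real fix.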
Final word
Kerberos is a protocol designed at MIT and intended to make it easy to authenticate users across a series of networks based on a single sign-in. Penetrating the Kerberos security system at one point can potentially open a lot of resources to the attacker. For some basic details of how Kerberos works, see the MIT Kerberos site. Unlike basic firewall protection, the use of Kerberos authentication can protect networks from unauthorised insiders as well as outsiders, which makes it a valuable security mechanism.
Kerberos is a free security tool offered by MIT, but there are also commercial versions. Microsoft introduced Kerberos support in Windows 2000 but did so in a proprietary way, which made it difficult for other vendors' networks to be connected to the Microsoft systems using Kerberos. The upside is that, in this case, this vulnerability doesn't affect Microsoft networks because they use the company's specialised version of Kerberos.
However, this vulnerability does affect a lot of systems, and the exploit code is known to be circulating. You need to patch systems where appropriate, disable the daemons if not needed, and consider blocking access to manage this threat until you can remove support for Kerberos 4 or otherwise correct the problem. Remember that firewall port blocking is only a partial protection for vulnerable systems and is not a real fix.