Patches issued for Kerberos flaws

The Massachusetts Institute of Technology (MIT) has issued patches for three serious flaws in its widely-used Kerberos v5 authentication system. Two of the flaws are found in the Key Distribution Center (KDC). One is a heap-based buffer overflow an attacker could exploit over TCP or UDP to execute malicious code and even gain access to the authentication realm. Another flaw would free memory in random locations, crashing the system. A double-free flaw, found in the krb5_recvauth() function, could allow a hacker to take over the system, but would be difficult to exploit. The flaws affect version 1.4.1 of Kerberos v5. While MIT has released patches for the meantime, the flaws will also be fixed in the upcoming version 1.4.2.


Leave a Reply