Kerberos was invented by the Massachusetts Institute of Technology and is used by many large businesses as a way of keeping their networks secure. It uses strong encryption to verify the identity of any machine using a networked resource.
On Wednesday, the Computer Incident Advisory Capability (CIAC) of the US government Department of Energy issued the warning, which originated at MIT. The flaw allows an attacker to gain unauthorized access to the key distribution center (KDC), which authenticates users, effectively compromising the security of the entire network.
The problem lies with a component of MIT Kerberos 5 called kadmind4 (the Kerberos v4 compatibility administration daemon), which provides compatibility with older administrative clients. A stack buffer overflow allows an attacker to use a specially formed request to gain access to the KDC with the privileges of the user running kadmind4. Since this is typically "root", the highest-level user, the attacker would be able to run any code or make any changes on the KDC.
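The bug class behind the advisory, shown as an added illustration that is not the kadmind4 source: a fixed-size stack buffer filled from a length field that the request itself supplies. The wire format here (one length byte followed by that many bytes of principal name), the function names and the return codes are all assumptions made for the example. The unchecked parser trusts the length byte, which is exactly the missing comparison; the checked parser rejects the request before any copy takes place.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout (an assumption for this example, not the real
 * Kerberos v4 admin protocol): pkt[0] is a length byte, followed by that many
 * bytes of principal name. Both parsers copy the name into a fixed stack buffer. */
#define NAME_MAX 32

/* Unchecked variant: the attacker-supplied length byte is never compared with
 * NAME_MAX, so a request claiming NAME_MAX or more bytes writes past the end of
 * `name` on the stack. This is the defect pattern the advisory describes; it is
 * only safe to call with well-formed input (len < NAME_MAX). */
int parse_unchecked(const uint8_t *pkt, size_t pktlen, char *out, size_t outlen) {
    char name[NAME_MAX];
    size_t len;
    if (pktlen < 1) return -1;
    len = pkt[0];
    if (pktlen < 1 + len) return -1;   /* truncated packet */
    memcpy(name, pkt + 1, len);        /* missing: len >= NAME_MAX check */
    name[len] = '\0';
    if (outlen < len + 1) return -3;
    memcpy(out, name, len + 1);
    return 0;
}

/* Hardened variant: validate the claimed length against the destination
 * buffer before touching memory, and fail closed on anything oversized. */
int parse_checked(const uint8_t *pkt, size_t pktlen, char *out, size_t outlen) {
    char name[NAME_MAX];
    size_t len;
    if (pktlen < 1) return -1;
    len = pkt[0];
    if (len >= NAME_MAX) return -2;    /* reject before any copy: no overflow possible */
    if (pktlen < 1 + len) return -1;   /* truncated packet */
    memcpy(name, pkt + 1, len);
    name[len] = '\0';
    if (outlen < len + 1) return -3;   /* caller's buffer too small */
    memcpy(out, name, len + 1);
    return 0;
}

/* Constructed sample: a request that claims 200 bytes of name, far more than
 * NAME_MAX. The checked parser returns -2 without writing a single byte. */
int demo_oversized_request(void) {
    uint8_t pkt[201];
    char out[NAME_MAX];
    pkt[0] = 200;
    memset(pkt + 1, 'A', 200);
    return parse_checked(pkt, sizeof pkt, out, sizeof out);
}

int main(void) {
    /* Constructed well-formed request: name "admin" (5 bytes). */
    uint8_t ok[] = {5, 'a', 'd', 'm', 'i', 'n'};
    char out[NAME_MAX];
    if (parse_checked(ok, sizeof ok, out, sizeof out) == 0)
        printf("well-formed request parsed: %s\n", out);
    printf("oversized request result: %d (expected -2, rejected)\n",
           demo_oversized_request());
    return 0;
}
```

The point for a reviewer is that the only difference between the two functions is a single comparison placed before the copy; bounds validation has to happen on the attacker-controlled value, not after the fact.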
All releases of MIT Kerberos 5 are affected, including version 5-1.2.6. All Kerberos 4 implementations derived from MIT Kerberos 4 are also vulnerable, MIT said.
The CIAC's bulletin, with links to a patch, is available here.
MIT credited Johan Danielsson and Love Hornquist-Astrand for discovering the problem and providing the initial patch.