The Channel logo


By | John Leyden 20th March 2008 11:44

Critical bugs bite Kerberos

Hell's fire

Multiple critical vulnerabilities have been discovered in version five of the widely-used Kerberos authentication protocol. The most serious of the bugs create a means to either compromise or crash vulnerable systems.

Exploits are yet to surface and patches are available. All releases of MIT Kerberos 5 up to and including krb5-1.6.3 are affected.

Two of the bugs involve errors in processing krb4 requests in MIT Kerberos 5 implementation's Key Distribution Center (KDC) program and libraries. The flaws create a possible mechanism for hackers to execute arbitrary code on targeted systems.

A further two bugs in the Kerberos RPC library, involving the handling of open file descriptors, might be exploited to cause memory corruption.

Developers are advised to update to version krb5-1.6.4 or apply workarounds.

A overview of the bugs by security clearing house Secunia can be found here. A summary of the products affected - along with responses from vendors - has been published by US CERT here and here.

Kerberos was developed by MIT and is a popular means for securely authenticating a request for a service in a computer network. The name derives from Greek mythology, where Cerberus is the three-headed dog guarding the gates of Hades. ®

alert Send corrections


George Osborne, photo: HM Treasury
shutterstock_183801788_container ship

Chris Mellor

The SAN growth glory days are well and truly over, so where next?

Tom Whipp

Insurance industry insider tells all
Crypto fingers


Michael Dell. Pic by Joi Ito
Cool Texas dude is just your average billionaire
The Seeing Eye by Valerie Everett, Flickr, CC2.0
Follow the money – or, at least, our projections
Boats storm girl photo via Nikolina Mrakovic
The puppets from Team America: World Police gather at a bar for drinks.