Info

Disclosure

Jun 09, 2000

Discovery

Jun 09, 2000

Dates

Exploit

Unknown

Solution

Unknown

Description

Kerberos contains a flaw that may allow a remote denial of service. The issue is triggered when a non-null terminated AUTH_MSG_KDC_REQUEST is recieved by the KDC, and will result in loss of availability for the KDC

Classification

Location: Remote/Network Access Required
Attack Type: Denial of Service
Impact: Loss of Availability
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Solution

There are several solutions for mitigating this vulnerability. The first option users have is to upgrade to MIT Kerberos 5 version 1.2, as it has been reported to fix this vulnerability. Users who have the option to recompile Kerberos from source can apply the vendor supplied patches obtained from the following URL: http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt Those implementations of Kerberos from vendors other than MIT should consult the specific vendor for the availability of patch information. It is also possible to correct the flaw by implementing the following workaround(s): 1. Kerberos version 4 authentication can be disabled at run time by supplying command-line options to the KDC server. Consult the help pages for Kerberos to obtain the exact syntax to disable authentication. 2. Again for those user who have the option to recompile the Kerberos software can in fact recompile with the option '--without-krb4' to disable all Kerberos version 4 ticket handling in Kerberos version 5

Products

Cygnus

Network Security

All Versions

MIT

Kerberos 4

Patch 10 and below

References

CVE ID: 2000-0549 (see also: NVD)
Keyword: AUTH_MSG_KDC_REQUEST Kerberos
CERT: CA-2000-11
Vendor URL: http://web.mit.edu/kerberos/
Vendor Specific Advisory URL: http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
CIAC Advisory: k-051

Credit

CERT - CERT
MIT - MIT

Direct URL: http://osvdb.org/36218