MIT Kerberos (krb5): Multiple Checksum Handling Vulnerabilities

Users of MIT Kerberos (krb5) please be advised of a Multiple checksum handling vulnerabilities that has been identified.
To view this vulnerability, possible remedies, and others please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx)

MITKRB5-SA-2010-007: [MITKRB5-SA-2010-007] Multiple checksum handling vulnerabilities
SUMMARY

=======

These vulnerabilities are in the MIT implementation of Kerberos
(krb5), but because these vulnerabilities arise from flaws in protocol

handling logic, other implementations may also be vulnerable.

CVE-2010-1324

MIT krb5 (releases krb-1.7 and newer) incorrectly accepts an unkeyed
checksum with DES session keys for version 2 (RFC 4121) of the GSS-API

krb5 mechanism.

MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed
checksum for PAC signatures. Running exclusively krb5-1.8 or newer

KDCs blocks the attack.

MIT krb5 KDC (releases krb5-1.7 and newer) incorrectly accepts RFC
3961 key-derivation checksums using RC4 keys when verifying the

req-checksum in a KrbFastArmoredReq.

Read more at http://www.criticalwatch.com

 

Advertisements