Vulnerability Managment Blog

Tagged: incorrectly Toggle Comment Threads | Keyboard Shortcuts

• 

  vulnerability management 7:24 pm on December 3, 2010 Permalink | Reply
  Tags: accepts, checksum, critical watch ( 900 ), incorrectly, krb5 ( 5 ), releases, vulnerabilities ( 108 ), vulnerability ( 725 ), vulnerability management ( 512 )   

  MIT Kerberos (krb5): Multiple Checksum Handling Vulnerabilities 

  Users of MIT Kerberos (krb5) please be advised of a Multiple checksum handling vulnerabilities that has been identified.
  To view this vulnerability, possible remedies, and others please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx)

  Amplify’d from http://www.criticalwatch.com

  MITKRB5-SA-2010-007: [MITKRB5-SA-2010-007] Multiple checksum handling vulnerabilities

  SUMMARY ======= These vulnerabilities are in the MIT implementation of Kerberos (krb5), but because these vulnerabilities arise from flaws in protocol handling logic, other implementations may also be vulnerable. CVE-2010-1324 MIT krb5 (releases krb-1.7 and newer) incorrectly accepts an unkeyed checksum with DES session keys for version 2 (RFC 4121) of the GSS-API krb5 mechanism. MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed checksum for PAC signatures. Running exclusively krb5-1.8 or newer KDCs blocks the attack. MIT krb5 KDC (releases krb5-1.7 and newer) incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying the req-checksum in a KrbFastArmoredReq. Read more at http://www.criticalwatch.com

   

  See this Amp at http://bit.ly/gC9Vkx
   

  Reply Cancel reply

  Required fields are marked *

  Name *

  Email *

  Website

  Notify me of new comments via email.

  Notify me of new posts via email.

  Δ