MIT Kerberos (krb5): Multiple Checksum Handling Vulnerabilities
Users of MIT Kerberos (krb5) please be advised of a Multiple checksum handling vulnerabilities that has been identified.
To view this vulnerability, possible remedies, and others please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx)
MITKRB5-SA-2010-007: [MITKRB5-SA-2010-007] Multiple checksum handling vulnerabilities
SUMMARY=======These vulnerabilities are in the MIT implementation of Kerberos
(krb5), but because these vulnerabilities arise from flaws in protocolhandling logic, other implementations may also be vulnerable.CVE-2010-1324MIT krb5 (releases krb-1.7 and newer) incorrectly accepts an unkeyed
checksum with DES session keys for version 2 (RFC 4121) of the GSS-APIkrb5 mechanism.MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed
checksum for PAC signatures. Running exclusively krb5-1.8 or newerKDCs blocks the attack.MIT krb5 KDC (releases krb5-1.7 and newer) incorrectly accepts RFC
3961 key-derivation checksums using RC4 keys when verifying thereq-checksum in a KrbFastArmoredReq.
Reply