
Kerberos Vulnerability



[DMK: Amid the discussion of using Kerberos to provide secure updating of a web
server outside the perimeter, this popped up in the Best-of-Security list.  I
cannot get Spaf's sig to verify, but that could be attributed to the
remailings it's gone through.  It reads like it's genuine, but YMMV.]

 To: best-of-security@suburbia.net
 Subject: BoS: Kerberos 4 Vulnerability
 Date: Sun, 18 Feb 1996 02:09:30 -0800
 From: Alan Coopersmith <alanc@CSUA.Berkeley.EDU>
 Sender: owner-best-of-security@suburbia.net
 Errors-to: nobody@mail.uu.net
 Precedence: bulk
 Reply-To: nobody@mail.uu.net


 ------- Forwarded Message

 [Many levels of forwarding deleted...]

 - ------- Start of forwarded message -------
 From: COAST <coast-request@cs.purdue.edu>
 To: COAST Watch <important-people@cs.purdue.edu>
 Date: Fri, 16 Feb 1996 20:09:36 -0500 (EST)

 We were going to announce this later, but events have changed that.
 Please don't contact us asking for the gory details -- we'll be
 releasing a paper on this after MIT and the vendors publish their fix(es).

 - --spaf

 - -----BEGIN PGP SIGNED MESSAGE-----

 Personnel at the COAST Laboratory (Computer Operations, Audit, and
 Security Technology) at Purdue University have discovered some
 unexpected weaknesses in the Kerberos security system.  Graduate
 students Steve Lodin and Bryn Dole, working with Professor Eugene
 Spafford, have discovered a method whereby someone without privileged
 access to most implementations of a Kerberos 4 server can nonetheless
 break secret session keys issued to users.  This means that it is
 possible to gain unauthorized access to distributed services available
 to a user without knowing that user's password.  This method has been
 demonstrated to work in under 5 minutes, on average, using a typical
 workstation, and sometimes as quickly as 12 seconds.

 The Kerberos system was developed at MIT in the mid-1980s, and has
 been widely adopted for security in distributed systems worldwide.
 Kerberos is most often used on UNIX platforms by various vendors, and
 is often enhanced, sold and supported by 3rd-party vendors for use in
 academic, government, and commercial environments.

 The same researchers at COAST have also found a small, theoretical
 weakness in Kerberos version 5 that would allow similar access, given
 some additional information and considerable preliminary computation.
 Kerberos version 5 does not exhibit the same weakness as described
 above for Kerberos version 4.

 The researchers at COAST had intended to release the specific details
 of the problem to affected vendors and incident response teams during
 the week of February 19, prior to making a public announcement of
 their findings.  However, as rumors have begun to circulate and
 several representatives of the news media have apparently received
 indication of the problem, we are releasing this preliminary
 announcement at this time.

 Government and industry sponsors of the COAST Laboratory were made
 aware of the preliminary details of these findings in January (full
 sponsors receive early notification of significant discoveries as a
 result of COAST research).  Other affiliates of COAST as well as the
 world-wide network of FIRST computer incident response teams were made
 aware of the general nature of the findings during the week of
 February 5.  The original plan at COAST was to release specific
 details only to FIRST (Forum of Incident Response and Security Teams)
 teams and to MIT prior to announcement by affected vendors of a fix
 for these weaknesses.  The flaw in Kerberos version 4 is significant
 enough that disclosure of its details prior to a fix would allow
 someone with moderate programming skills to exploit it; there is
 currently no reason to believe that others know the details of the
 flaw and are exploiting it, so there is no immediate danger to the
 public that would warrant release of the details at this time.

 COAST personnel have been informed that MIT has already developed a
 fix for the flaw in version 4 Kerberos and is preparing it for
 release.  Additionally, COAST researchers are cooperating with MIT
 personnel to identify what (if any) fixes are necessary for version 5
 Kerberos.  Users of either version of Kerberos should contact their
 vendors for details of any fixes that may be made available; vendors
 of products incorporating Kerberos should contact MIT directly for
 details of the problems and fixes.

 COAST is a research group of faculty and students dedicated to
 research into information security and computer crime investigation,
 and education in computer and network security.  It is the largest
 such university-based group in the United States.

 Information on COAST may be found on the WWW at
  http://www.cs.purdue.edu/coast
 Information on FIRST teams may be found on the WWW at
  http://www.first.org
 Information on MIT's Kerberos may be found on the WWW at
  ftp://athena-dist.mit.edu/pub/kerberos/doc/KERBEROS.FAQ

 - -----BEGIN PGP SIGNATURE-----
 Version: 2.6.2
 Comment: Key @ ftp://ftp.cs.purdue.edu/pub/spaf/pers/pgpkey.asc
 - -----END PGP SIGNATURE-----

 - ------- End of forwarded message -------


 - --
 Sameer Parekh                                   Voice:   510-601-9777x3
 Community ConneXion, Inc.                       FAX:     510-601-9734
 The Internet Privacy Provider                   Dialin:  510-658-6376
 http://www.c2.org/ (or login as "guest")                sameer@c2.org

 ------- End of Forwarded Message