September 9, 2004

Kerberos Open to Hackers

According to security warnings released by the Massachusetts Institute of Technology and the Department of Energy, two major security holes exist in the Kerberos authentication and encryption software, which is used by Cornell and hundreds of major businesses worldwide. Kerberos was developed at MIT.

One of the holes allows an attacker to put a system running Kerberos into an “infinite loop,” effectively crashing the program or possibly even the entire computer. The second — and more serious — vulnerability allows an attacker to gain administrative access to the Kerberos server, gain user passwords and even run malicious software on the server computer.

Steve Schuster, director of Information Technology Security at Cornell, said that even if the vulnerability had not carried the risk of malicious software, it would still be a severe threat.

“To be honest, they talk about compromising the Kerberos server host,” Schuster said, explaining the danger of the hole. “If you compromise the host that it’s running on anyway, regardless of the exploit, your whole Kerberos system is suspect.”

The vulnerabilities are enough of a concern that CIT is breaking a usual “freeze” in modifying its software at the beginning of the academic year. The freeze is usually done so that no major server changes upset the system that has been tested all summer.

“Typically, the entire University freezes our entire operational infrastructure for the first five weeks of classes,” Schuster said. “This one we’re taking seriously enough to violate that freeze. We’re taking it very, very seriously.”

Schuster said that a fix for the hole was currently being tested on University servers and should be in place across the network by the end of the week.

He explained that the second, more dangerous vulnerability was a “double-free bug,” related to the “buffer-overflow” bugs that have plagued software in recent years and been the source of many of the most damaging viruses. The double-free bug, however, is more difficult to abuse, and no groups have yet come forward with an exploit for the bug.

As far as student computers are concerned, only the first, “infinite loop” bug affects them, and Schuster said that an attack using that flaw would require either that a Kerberos server be compromised in the first place or that a malicious server pose as a legitimate one.

The complexity of the bug, however, is little deterrent to those who would find a way to exploit it, according to Schuster.

“With the Windows vulnerabilities that have been announced, we’ve seen the time from when the vulnerability is announced to the time of exploitation down to a number of days,” Schuster said. “There’s no doubt in my mind that an exploit will become available for this.”

Archived article by Michael Morisy
Sun Senior Writer