MIT Kerberos (krb5): Multiple Checksum Handling Vulnerabilities

Users of MIT Kerberos (krb5) please be advised of a Multiple checksum handling vulnerabilities that has been identified.

To view this vulnerability, possible remedies, and others please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx)

Amplify’d from www.criticalwatch.com

MITKRB5-SA-2010-007: [MITKRB5-SA-2010-007] Multiple checksum handling vulnerabilities

SUMMARY ======= These vulnerabilities are in the MIT implementation of Kerberos (krb5), but because these vulnerabilities arise from flaws in protocol handling logic, other implementations may also be vulnerable. CVE-2010-1324 MIT krb5 (releases krb-1.7 and newer) incorrectly accepts an unkeyed checksum with DES session keys for version 2 (RFC 4121) of the GSS-API krb5 mechanism. MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed checksum for PAC signatures. Running exclusively krb5-1.8 or newer KDCs blocks the attack. MIT krb5 KDC (releases krb5-1.7 and newer) incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying the req-checksum in a KrbFastArmoredReq. Read more at www.criticalwatch.com

 

See this Amp at http://bit.ly/gC9Vkx