A Windows 98 & ME forum. Win98banter


US CERT Advisory - MIT KERBEROS



 
 
  #1  
Old March 20th 08, 04:38 AM posted to microsoft.public.win98.gen_discussion
MEB[_2_]
External Usenet User
 
Posts: 1,626
Default US CERT Advisory - MIT KERBEROS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-079B


MIT Kerberos Updates for Multiple Vulnerabilities

Original release date: March 19, 2008
Last revised: --
Source: US-CERT

Systems Affected

* MIT Kerberos

Overview

The MIT Kerberos implementation contains several vulnerabilities.
Exploitation of these vulnerabilities could allow a remote,
unauthenticated attacker to execute arbitrary code, compromise the key
database or cause a denial of service on a vulnerable system.

I. Description

The MIT Kerberos Development Team has released MIT krb5 Security
Advisory 2008-002 to address vulnerabilities in multiple versions of
MIT Kerberos. More information about these vulnerabilities can be
found in VU#895609 and VU#374121.

II. Impact

Potential consequences include arbitrary code execution, key database
compromise, and denial of service.

III. Solution

Install updates from your vendor

Check with your vendors for patches or updates. For information about
a vendor, please see the systems affected section in vulnerability
notes VU#895609 and VU#374121 or contact your vendor directly.
Administrators who compile MIT Kerberos from source should refer to
MIT Security Advisory 2008-002 for more information.

IV. References

* US-CERT Vulnerability Note VU#895609 -
http://www.kb.cert.org/vuls/id/895609

* US-CERT Vulnerability Note VU#374121 -
http://www.kb.cert.org/vuls/id/374121

* MIT krb5 Security Advisory 2008-002 -
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt2

_________________________________________________________________

The most recent version of this document can be found at:

http://www.us-cert.gov/cas/techalerts/TA08-079B.html
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to with "TA08-079B Feedback VU#895609" in the
subject.
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.
_________________________________________________________________

Produced 2008 by US-CERT, a government organization.

Terms of use:

http://www.us-cert.gov/legal.html
____________________________________________________________________

Revision History

March 19, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----

--
MEB
http://peoplescounsel.orgfree.com
--
_________


  #4  
Old March 21st 08, 06:30 AM posted to microsoft.public.win98.gen_discussion
MEB[_2_]
External Usenet User
 
Posts: 1,626
Default US CERT Advisory - MIT KERBEROS

I should have added:

1. The warning is more for dual booters who may be using one of MIT's
versions.

2. To indicate flaws in KEREBOS generally, regardless of version.


--
MEB
http://peoplescounsel.orgfree.com
--
_________


  #5  
Old March 21st 08, 06:50 AM posted to microsoft.public.win98.gen_discussion
MEB[_2_]
External Usenet User
 
Posts: 1,626
Default US CERT Advisory - MIT KERBEROS

TYPO
That's KERBEROS,,,

--
MEB
http://peoplescounsel.orgfree.com
--
_________


  #6  
Old March 21st 08, 10:27 AM posted to microsoft.public.win98.gen_discussion
David H. Lipman
External Usenet User
 
Posts: 365
Default US CERT Advisory - MIT KERBEROS

From: "MEB" meb@not

| I should have added:
|
| 1. The warning is more for dual booters who may be using one of MIT's
| versions.
|
| 2. To indicate flaws in KEREBOS generally, regardless of version.
|
| --
| MEB
| http://peoplescounsel.orgfree.com

That's just it. Kerberos authentication is not used in Win9x/ME.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #7  
Old March 21st 08, 05:46 PM posted to microsoft.public.win98.gen_discussion
MEB[_2_]
External Usenet User
 
Posts: 1,626
Default US CERT Advisory - MIT KERBEROS


"David H. Lipman" wrote in message
...
| From: "MEB" meb@not
|
| | I should have added:
| |
| | 1. The warning is more for dual booters who may be using one of MIT's
| | versions.
| |
| | 2. To indicate flaws in KEREBOS generally, regardless of version.
| |
| | --
| | MEB
| | http://peoplescounsel.orgfree.com
|
| That's just it. Kerberos authentication is not used in Win9x/ME.
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
|
|

You should have at least used the link I provided before rambling on about
things you apparently don't know.
MIT Kerberos for Windows 2.6.5
MIT Kerberos for Windows (KfW) includes Kerberos v4, Kerberos v5, Leash32,
KClient, and an in-memory credentials cache. It runs on Windows
98/98SE/ME/NT4/2000/XP/2003. (Windows 95 is not supported).
http://web.mit.edu/kerberos/dist/historic.html

Just as any third party program may not have YOUR usage or your backing:
MIT did produce a few versions for 9X/ME {to 2.6.5}, just as they produced a
good suite of PGP and tools which worked with Kerberos and 98*E/ME.
Kerberos is NOT the private domain of Windows Servers, in fact Microsoft's
Windows and servers were late to the Kerberos idea and ACTUAL standards{as
usual Microsoft tried to produce its own standards; Server 2000/Win2K, in
fact, included a broken attempt}.
Just because you don't use the program, and apparently know nothing
pertaining to it in the 98*E/ME environment, doesn't mean there are not
others on this planet who may have used it, and perhaps still use it in
their 98*E/ME environment. Several programmers are still working on the
Linux to 98/ME ports, though they are difficult to find [I include no links
as these are experimental.].
Microsoft TRIED to include parts of it in its NTLM protocol, and Winsock
2.0. RNR20.DLL provides an attempt of some of the ideas, as does MSXML3.DLL,
WININET.DLL, two of Microsoft's JAVA packages, and several other files
included in those systems related to networking. Kerberos is actually
assigned ports in SERVICES, btw

--
MEB
http://peoplescounsel.orgfree.com
--
_________



  #8  
Old March 21st 08, 09:54 PM posted to microsoft.public.win98.gen_discussion
David H. Lipman
External Usenet User
 
Posts: 365
Default US CERT Advisory - MIT KERBEROS

From: "MEB" meb@not


| You should have at least used the link I provided before rambling on about
| things you apparently don't know.
| MIT Kerberos for Windows 2.6.5
| MIT Kerberos for Windows (KfW) includes Kerberos v4, Kerberos v5, Leash32,
| KClient, and an in-memory credentials cache. It runs on Windows
| 98/98SE/ME/NT4/2000/XP/2003. (Windows 95 is not supported).
| http://web.mit.edu/kerberos/dist/historic.html
|
| Just as any third party program may not have YOUR usage or your backing:
| MIT did produce a few versions for 9X/ME {to 2.6.5}, just as they produced a
| good suite of PGP and tools which worked with Kerberos and 98*E/ME.
| Kerberos is NOT the private domain of Windows Servers, in fact Microsoft's
| Windows and servers were late to the Kerberos idea and ACTUAL standards{as
| usual Microsoft tried to produce its own standards; Server 2000/Win2K, in
| fact, included a broken attempt}.
| Just because you don't use the program, and apparently know nothing
| pertaining to it in the 98*E/ME environment, doesn't mean there are not
| others on this planet who may have used it, and perhaps still use it in
| their 98*E/ME environment. Several programmers are still working on the
| Linux to 98/ME ports, though they are difficult to find [I include no links
| as these are experimental.].
| Microsoft TRIED to include parts of it in its NTLM protocol, and Winsock
| 2.0. RNR20.DLL provides an attempt of some of the ideas, as does MSXML3.DLL,
| WININET.DLL, two of Microsoft's JAVA packages, and several other files
| included in those systems related to networking. Kerberos is actually
| assigned ports in SERVICES, btw
|
| --
| MEB
| http://peoplescounsel.orgfree.com

OK, I'll admit it may be used in third party software but it is not natively implemented in Win9x/ME.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #9  
Old March 22nd 08, 01:27 AM posted to microsoft.public.win98.gen_discussion
MEB[_2_]
External Usenet User
 
Posts: 1,626
Default US CERT Advisory - MIT KERBEROS


"David H. Lipman" wrote in message
...
| From: "MEB" meb@not
|
|
| | You should have at least used the link I provided before rambling on about
| | things you apparently don't know.
| | MIT Kerberos for Windows 2.6.5
| | MIT Kerberos for Windows (KfW) includes Kerberos v4, Kerberos v5, Leash32,
| | KClient, and an in-memory credentials cache. It runs on Windows
| | 98/98SE/ME/NT4/2000/XP/2003. (Windows 95 is not supported).
| | http://web.mit.edu/kerberos/dist/historic.html
| |
| | Just as any third party program may not have YOUR usage or your backing:
| | MIT did produce a few versions for 9X/ME {to 2.6.5}, just as they produced a
| | good suite of PGP and tools which worked with Kerberos and 98*E/ME.
| | Kerberos is NOT the private domain of Windows Servers, in fact Microsoft's
| | Windows and servers were late to the Kerberos idea and ACTUAL standards{as
| | usual Microsoft tried to produce its own standards; Server 2000/Win2K, in
| | fact, included a broken attempt}.
| | Just because you don't use the program, and apparently know nothing
| | pertaining to it in the 98*E/ME environment, doesn't mean there are not
| | others on this planet who may have used it, and perhaps still use it in
| | their 98*E/ME environment. Several programmers are still working on the
| | Linux to 98/ME ports, though they are difficult to find [I include no links
| | as these are experimental.].
| | Microsoft TRIED to include parts of it in its NTLM protocol, and Winsock
| | 2.0. RNR20.DLL provides an attempt of some of the ideas, as does MSXML3.DLL,
| | WININET.DLL, two of Microsoft's JAVA packages, and several other files
| | included in those systems related to networking. Kerberos is actually
| | assigned ports in SERVICES, btw
| |
| | --
| | MEB
| | http://peoplescounsel.orgfree.com
|
| OK, I'll admit it may be used in third party software but it is not natively implemented in
| Win9x/ME.
|
| --
| Dave

Ah, you missed the lower part of that apparently,,, Microsoft ATTEMPTED to
bring parts of Kerberos into Windows 98. It never *fully* supported it
natively. None the less, 98 does have Kerberos aspects [just not named such]
included within it.
Segments were used in SSL as well.
Microsoft didn't CLAIM Kerberos compatibility included [and main
authentication] until Server 2000/win2K or via addins. As usual, Microsoft's
programmers use ideas and code provided in the outside world within its OSs,
and Microsoft users swooned over it..

--
MEB
http://peoplescounsel.orgfree.com
--
_________






 



