US CERT Advisory - MIT KERBEROS


Posted

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

National Cyber Alert System

 

Technical Cyber Security Alert TA08-079B

 

 

MIT Kerberos Updates for Multiple Vulnerabilities

 

Original release date: March 19, 2008

Last revised: --

Source: US-CERT

 

Systems Affected

 

* MIT Kerberos

 

Overview

 

The MIT Kerberos implementation contains several vulnerabilities.
Exploitation of these vulnerabilities could allow a remote,
unauthenticated attacker to execute arbitrary code, compromise the key
database or cause a denial of service on a vulnerable system.

 

I. Description

 

The MIT Kerberos Development Team has released MIT krb5 Security
Advisory 2008-002 to address vulnerabilities in multiple versions of
MIT Kerberos. More information about these vulnerabilities can be
found in VU#895609 and VU#374121.

 

II. Impact

 

Potential consequences include arbitrary code execution, key database
compromise, and denial of service.

 

III. Solution

 

Install updates from your vendor

 

Check with your vendors for patches or updates. For information about
a vendor, please see the systems affected section in vulnerability
notes VU#895609 and VU#374121 or contact your vendor directly.
Administrators who compile MIT Kerberos from source should refer to
MIT Security Advisory 2008-002 for more information.

 

IV. References

 

* US-CERT Vulnerability Note VU#895609 -

<http://www.kb.cert.org/vuls/id/895609>

 

* US-CERT Vulnerability Note VU#374121 -

<http://www.kb.cert.org/vuls/id/374121>

 

* MIT krb5 Security Advisory 2008-002 -

<http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt2>

 

_________________________________________________________________

 

The most recent version of this document can be found at:

 

<http://www.us-cert.gov/cas/techalerts/TA08-079B.html>

_________________________________________________________________

 

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-079B Feedback VU#895609" in the
subject.

_________________________________________________________________

 

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

_________________________________________________________________

 

Produced 2008 by US-CERT, a government organization.

 

Terms of use:

 

<http://www.us-cert.gov/legal.html>

____________________________________________________________________

 

Revision History

 

March 19, 2008: Initial release

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.1 (GNU/Linux)

 

iQEVAwUBR+E+pPRFkHkM87XOAQK1jwf/ZDEomMLCZvsmN7KVXa0Il5PqXlfRvG2Y

jdWPUCi92qmgvm8LdqoNgAUxnUGYzCHLQzw8ebmnz37AMigDNsYIzFHStgnoJDVi

iK6UGC6gHLnGJFuG+otEC9jZaVeIiUbKddB2+vzvmDWLnvIsyxzmHf6lJe0IrZlH

ho/cCgpfRctgZHM5Ke+pPPqMjZZ7u0OUQnM7MIcSsZbKxw8x2CyUpaSiheMDhf8p

8JGyx+nkyvZoja6Ee4WCRq3xtVaUlp/sg8IZYY5nav2VuSh15rJXLJCWDBXUU+oV

aAXPa2JEx5Cn3S0CFz8SIJ4NoLUp09usVMFyeNd57FMBKRjTAC/DBw==

=4wkz

-----END PGP SIGNATURE-----

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________
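The alert's solution section says only to install vendor updates and to read MIT Security Advisory 2008-002 for the details, so the first thing an administrator needs is a repeatable way to tell whether the krb5 on a given Unix host is at or above the release the vendor names as fixed. The POSIX shell script below is an added example, not part of the US-CERT alert or of MIT's code. It assumes that `krb5-config --version`, which ships with MIT krb5, prints a line of the form "Kerberos 5 release X.Y.Z", and it takes the fixed version as an input (`FIXED`, a placeholder) because the alert itself does not state one. The dotted-version comparison is component-wise numeric, so 1.10 sorts above 1.9, which a plain string comparison would get wrong.

```shell
#!/bin/sh
# Added example (not from the US-CERT alert or MIT): is the installed MIT krb5
# at or above the release the vendor advisory names as fixed?
# FIXED is a placeholder; take the real number from your vendor's advisory.

# krb5_version_from_string "Kerberos 5 release 1.6.3" -> "1.6.3"
# (assumes the "Kerberos 5 release X.Y.Z" wording of krb5-config --version)
krb5_version_from_string() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: return 0 if dotted version A >= B, comparing each numeric
# component in turn; missing components count as 0 (1.6 == 1.6.0 < 1.6.3).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        # strip the leading component; the last component leaves the string empty
        [ "$ai" = "$a" ] && a="" || a=${a#*.}
        [ "$bi" = "$b" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# krb5_patch_status INSTALLED FIXED -> "patched" or "vulnerable"
krb5_patch_status() {
    if version_ge "$1" "$2"; then echo patched; else echo vulnerable; fi
}

# Live check on this host, skipped when MIT krb5's krb5-config is not present.
if command -v krb5-config >/dev/null 2>&1; then
    installed=$(krb5_version_from_string "$(krb5-config --version)")
    echo "krb5 ${installed:-unknown}: $(krb5_patch_status "$installed" "${FIXED:-0}")"
fi
```

Run it as `FIXED=<version from your vendor advisory> sh krb5-check.sh`. One caveat: distribution packages often backport a fix without bumping the upstream release number, so for a vendor package the package changelog, not the number krb5-config prints, is the authority on whether the 2008-002 fix is present.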

Guest David H. Lipman
Posted

Re: US CERT Advisory - MIT KERBEROS

 

From: "MEB" <meb@not here@hotmail.com>

 

| -----BEGIN PGP SIGNED MESSAGE-----

| Hash: SHA1

|

| National Cyber Alert System

|

| Technical Cyber Security Alert TA08-079B

|

| MIT Kerberos Updates for Multiple Vulnerabilities

|

| Original release date: March 19, 2008

| Last revised: --

| Source: US-CERT

|

| Systems Affected

|

| * MIT Kerberos

|

 

Since when is Kerberos used in Win9x/ME?

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted

Re: US CERT Advisory - MIT KERBEROS

 

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:u8Ztt1siIHA.4536@TK2MSFTNGP06.phx.gbl...

| From: "MEB" <meb@not here@hotmail.com>

|

| | -----BEGIN PGP SIGNED MESSAGE-----

| | Hash: SHA1

| |

| | National Cyber Alert System

| |

| | Technical Cyber Security Alert TA08-079B

| |

| | MIT Kerberos Updates for Multiple Vulnerabilities

| |

| | Original release date: March 19, 2008

| | Last revised: --

| | Source: US-CERT

| |

| | Systems Affected

| |

| | * MIT Kerberos

| |

|

| Since when is Kerberos used in Win9x/ME ?

|

| --

| Dave

 

http://web.mit.edu/Kerberos/dist/ - Welcome to the MIT Kerberos Distribution Page!

 

Don't tell me you didn't know...

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

Posted

Re: US CERT Advisory - MIT KERBEROS

 

I should have added:

1. The warning is more for dual-booters who may be using one of MIT's versions.

2. To indicate flaws in Kerberos generally, regardless of version.

 

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

Guest David H. Lipman
Posted

Re: US CERT Advisory - MIT KERBEROS

 

From: "MEB" <meb@not here@hotmail.com>

 

| I should have added:

|

| 1. The warning is more for dual booters who may be using one of MIT's

| versions.

|

| 2. To indicate flaws in Kerberos generally, regardless of version.

|

| --

| MEB

| http://peoplescounsel.orgfree.com

 

That's just it. Kerberos authentication is not used in Win9x/ME.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted

Re: US CERT Advisory - MIT KERBEROS

 

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:eEuZj4ziIHA.4320@TK2MSFTNGP06.phx.gbl...

| From: "MEB" <meb@not here@hotmail.com>

|

| | I should have added:

| |

| | 1. The warning is more for dual booters who may be using one of MIT's

| | versions.

| |

| | 2. To indicate flaws in Kerberos generally, regardless of version.

| |

| | --

| | MEB

| | http://peoplescounsel.orgfree.com

|

| That's just it. Kerberos authentication is not used in Win9x/ME.

|

| --

| Dave

| http://www.claymania.com/removal-trojan-adware.html

| Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

|

|

 

You should have at least used the link I provided before rambling on about things you apparently don't know.

MIT Kerberos for Windows 2.6.5
MIT Kerberos for Windows (KfW) includes Kerberos v4, Kerberos v5, Leash32, KClient, and an in-memory credentials cache. It runs on Windows 98/98SE/ME/NT4/2000/XP/2003. (Windows 95 is not supported.)
http://web.mit.edu/kerberos/dist/historic.html

Just as any third-party program may not have YOUR usage or your backing: MIT did produce a few versions for 9X/ME {to 2.6.5}, just as they produced a good suite of PGP and tools which worked with Kerberos and 98*E/ME. Kerberos is NOT the private domain of Windows Servers; in fact Microsoft's Windows and servers were late to the Kerberos idea and ACTUAL standards {as usual Microsoft tried to produce its own standards; Server 2000/Win2K, in fact, included a broken attempt}.

Just because you don't use the program, and apparently know nothing pertaining to it in the 98*E/ME environment, doesn't mean there are not others on this planet who may have used it, and perhaps still use it in their 98*E/ME environment. Several programmers are still working on the Linux to 98/ME ports, though they are difficult to find [I include no links as these are experimental].

Microsoft TRIED to include parts of it in its NTLM protocol, and Winsock 2.0. RNR20.DLL provides an attempt of some of the ideas, as does MSXML3.DLL, WININET.DLL, two of Microsoft's JAVA packages, and several other files included in those systems related to networking. Kerberos is actually assigned ports in SERVICES, btw.

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

Guest David H. Lipman
Posted

Re: US CERT Advisory - MIT KERBEROS

 

From: "MEB" <meb@not here@hotmail.com>

 

 

| You should have at least used the link I provided before rambling on about

| things you apparently don't know.

| MIT Kerberos for Windows 2.6.5

| MIT Kerberos for Windows (KfW) includes Kerberos v4, Kerberos v5, Leash32,

| KClient, and an in-memory credentials cache. It runs on Windows

| 98/98SE/ME/NT4/2000/XP/2003. (Windows 95 is not supported).

| http://web.mit.edu/kerberos/dist/historic.html

|

| Just as any third party program may not have YOUR usage or your backing:

| MIT did produce a few versions for 9X/ME {to 2.6.5}, just as they produced a

| good suite of PGP and tools which worked with Kerberos and 98*E/ME.

| Kerberos is NOT the private domain of Windows Servers, in fact Microsoft's

| Windows and servers were late to the Kerberos idea and ACTUAL standards{as

| usual Microsoft tried to produce its own standards; Server 2000/Win2K, in

| fact, included a broken attempt}.

| Just because you don't use the program, and apparently know nothing

| pertaining to it in the 98*E/ME environment, doesn't mean there are not

| others on this planet who may have used it, and perhaps still use it in

| their 98*E/ME environment. Several programmers are still working on the

| Linux to 98/ME ports, though they are difficult to find [i include no links

| as these are experimental.].

| Microsoft TRIED to include parts of it in its NTLM protocol, and Winsock

| 2.0. RNR20.DLL provides an attempt of some of the ideas, as does MSXML3.DLL,

| WININET.DLL, two of Microsoft's JAVA packages, and several other files

| included in those systems related to networking. Kerberos is actually

| assigned ports in SERVICES, btw

|

| --

| MEB

| http://peoplescounsel.orgfree.com

 

OK, I'll admit it may be used in third-party software, but it is not natively implemented in Win9x/ME.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted

Re: US CERT Advisory - MIT KERBEROS

 

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:uwVVr45iIHA.4080@TK2MSFTNGP03.phx.gbl...

| From: "MEB" <meb@not here@hotmail.com>

|

|

| | You should have at least used the link I provided before rambling on about
| | things you apparently don't know.
| | MIT Kerberos for Windows 2.6.5
| | MIT Kerberos for Windows (KfW) includes Kerberos v4, Kerberos v5, Leash32,
| | KClient, and an in-memory credentials cache. It runs on Windows
| | 98/98SE/ME/NT4/2000/XP/2003. (Windows 95 is not supported).
| | http://web.mit.edu/kerberos/dist/historic.html
| |
| | Just as any third party program may not have YOUR usage or your backing:
| | MIT did produce a few versions for 9X/ME {to 2.6.5}, just as they produced a
| | good suite of PGP and tools which worked with Kerberos and 98*E/ME.
| | Kerberos is NOT the private domain of Windows Servers, in fact Microsoft's
| | Windows and servers were late to the Kerberos idea and ACTUAL standards{as
| | usual Microsoft tried to produce its own standards; Server 2000/Win2K, in
| | fact, included a broken attempt}.
| | Just because you don't use the program, and apparently know nothing
| | pertaining to it in the 98*E/ME environment, doesn't mean there are not
| | others on this planet who may have used it, and perhaps still use it in
| | their 98*E/ME environment. Several programmers are still working on the
| | Linux to 98/ME ports, though they are difficult to find [I include no links
| | as these are experimental.].
| | Microsoft TRIED to include parts of it in its NTLM protocol, and Winsock
| | 2.0. RNR20.DLL provides an attempt of some of the ideas, as does MSXML3.DLL,
| | WININET.DLL, two of Microsoft's JAVA packages, and several other files
| | included in those systems related to networking. Kerberos is actually
| | assigned ports in SERVICES, btw

| |

| | --

| | MEB

| | http://peoplescounsel.orgfree.com

|

| OK, I'll admit it may be used in third party software but it is not natively implemented in
| Win9x/ME.

|

| --

| Dave

 

Ah, you missed the lower part of that apparently... Microsoft ATTEMPTED to bring parts of Kerberos into Windows 98. It never *fully* supported it natively. Nonetheless, 98 does have Kerberos aspects [just not named such] included within it.

Segments were used in SSL as well.

Microsoft didn't CLAIM Kerberos compatibility included [and main authentication] until Server 2000/Win2K or via add-ins. As usual, Microsoft's programmers use ideas and code provided in the outside world within its OSs, and Microsoft users swooned over it.

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

Guest David H. Lipman
Posted

Re: US CERT Advisory - MIT KERBEROS

 

From: "MEB" <meb@not here@hotmail.com>

 

 

|

| Ah, you missed the lower part of that apparently,,, Microsoft ATTEMPTED to

| bring parts of Kerberos into Windows 98. It never *fully* supported it

| natively. None the less, 98 does have Kerberos aspects [just not named such]

| included within it.

| Segments were used in SSL as well.

| Microsoft didn't CLAIM Kerberos compatibility included [and main

| authentication] until Server 2000/win2K or via addins. As usual, Microsoft's

| programmers use ideas and code provided in the outside world within its OSs,

| and Microsoft users swooned over it..

|

| --

| MEB

| http://peoplescounsel.orgfree.com

 

Fair enough.

 

BTW: I receive the same email :-)

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted

Re: US CERT Advisory - MIT KERBEROS

 

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:eyUvZL8iIHA.1944@TK2MSFTNGP02.phx.gbl...

| From: "MEB" <meb@not here@hotmail.com>

|

|

| |

| | Ah, you missed the lower part of that apparently,,, Microsoft ATTEMPTED to
| | bring parts of Kerberos into Windows 98. It never *fully* supported it
| | natively. None the less, 98 does have Kerberos aspects [just not named such]
| | included within it.
| | Segments were used in SSL as well.
| | Microsoft didn't CLAIM Kerberos compatibility included [and main
| | authentication] until Server 2000/win2K or via addins. As usual, Microsoft's
| | programmers use ideas and code provided in the outside world within its OSs,
| | and Microsoft users swooned over it..

| |

| | --

| | MEB

| | http://peoplescounsel.orgfree.com

|

| Fair enough.

|

| BTW: I receive the same email :-)

|

| --

| Dave

| http://www.claymania.com/removal-trojan-adware.html

| Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 

I post these for those who don't keep track of this stuff or don't want to sign up for it.

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

