BOSTON – Two serious security flaws in a technology widely used for network authentication could expose a bunch of software products to hacker attack, experts warned Thursday.
The flaws could allow an online intruder to crash or gain access to computers running Kerberos, a freely available authentication technology that was developed by the Massachusetts Institute of Technology, CNET.Com reported.
MIT rates both flaws “critical,” according to two advisories. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers “is believed to be difficult.”
Several software makers have already released updates to their products to address the problem. Red Hat, Turbolinux and Gentoo have issued fixes for their Linux versions, for example. Sun Microsystems on Tuesday issued two alerts acknowledging that several versions of Solaris are vulnerable, but it does not have a patch available yet.
Because Kerberos is so widely used, more vendors are likely to publish security alerts, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. “I think you are going to see a floodgate of patches open,” he said. Microsoft also uses Kerberos, but a homegrown version that is not affected by the flaws. Both bugs affect Kerberos 5 Release 1.4.1 as well as earlier versions, according to MIT.
Independent security-monitoring company Secunia rates the issues “highly critical,” its second most serious rating. The French Security Incident Response Team, or FrSIRT, deems the bugs “critical,” its highest ranking.




