To: kerberos@MIT.EDU Date: 17 Feb 1996 17:04:29 -0500 From: pauld@umbc.edu (Paul Danckaert) I am somewhat concerned about this.. does anybody have any more information on the extent of the problems here, or the status on any bug-fixes? paul ------------------------------------------------------------------------------ From: COAST <coast-request@cs.purdue.edu> To: COAST Watch <important-people@cs.purdue.edu> Date: Fri, 16 Feb 1996 20:09:36 -0500 (EST) We were going to announce this later, but events have changed that. Please don't contact us asking for the gory details -- we'll be releasing a paper on this after MIT and the vendors publish their fix(es). --spaf -----BEGIN PGP SIGNED MESSAGE----- Personnel at the COAST Laboratory (Computer Operations, Audit, and Security Technology) at Purdue University have discovered some unexepected weaknesses in the Kerberos security system. Graduate students Steve Lodin and Bryn Dole, working with Professor Eugene Spafford, have discovered a method whereby someone without privileged access to most implementations of a Kerberos 4 server can nonetheless break secret session keys issued to users. This means that it is possible to gain unauthorized access to distributed services available to a user without knowing that user's password. This method has been demonstrated to work in under 5 minutes, on average, using a typical workstation, and sometimes as quickly as 12 seconds. The Kerberos system was developed at MIT in the mid-1980s, and has been widely adopted for security in distributed systems worldwide. Kerberos is most often used on UNIX platforms by various vendors, and is often enhanced, sold and supported by 3rd-party vendors for use in academic, government, and commercial environments. The same researchers at COAST have also found a small, theoretical weakness in Kerberos version 5 that would allow similar access, given some additional information and considerable preliminary computation. Kerberos version 5 does not exhibit the same weakness as described above for Kerberos version 4. The researchers at COAST had intended to release the specific details of the problem to affected vendors and incident response teams during the week of February 19, prior to making a public announcement of their findings. However, as rumors have begun to circulate and several representatives of the news media have apparently received indication of the problem, we are releasing this preliminary announcement at this time. Government and industry sponsors of the COAST Laboratory were made aware of the preliminary details of these findings in January (full sponsors receive early notification of significant discoveries as a result of COAST research). Other affiliates of COAST as well as the world-wide network of FIRST computer incident response teams were made aware of the general nature of the findings during the week of February 5. The original plan at COAST was to release specific details only to FIRST (Forum of Incident Response and Security Teams) teams and to MIT prior to announcement by affected vendors of a fix for these weaknesses. The flaw in Kerberos version 4 is significant enough that disclosure of its details prior to a fix would allow someone with moderate programming skills to exploit it; there is currently no reason to believe that others know the details of the flaw and are exploiting it, so there is no immediate danger to the public that would warrant release of the details at this time. COAST personnel have been informed that MIT has already developed a fix for the flaw in version 4 Kerberos and is preparing it for release. Additionally, COAST researchers are cooperating with MIT personnel to identify what (if any) fixes are necessary for version 5 Kerberos. Users of either version of Kerberos should contact their vendors for details of any fixes that may be made available; vendors of products incorporating Kerberos should contact MIT directly for details of the problems and fixes. COAST is a research group of faculty and students dedicated to research into information security and computer crime investigation, and education in computer and network security. It is the largest such university-based group in the United States. Information on COAST may be found on the WWW at http://www.cs.purdue.edu/coast Information on FIRST teams may be found on the WWW at http://www.first.org Information on MIT's Kerberos may be found on the WWW at ftp://athena-dist.mit.edu/pub/kerberos/doc/KERBEROS.FAQ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Key @ ftp://ftp.cs.purdue.edu/pub/spaf/pers/pgpkey.asc iQCVAwUBMSUnIspvK4P8DALVAQFhEwP6Aojp7tclxnOcodaY6st4Ej2UUglWqEyb aFMl+WeNWSnC/HR0S/Jjxya/jLsEnXBn38EwplAl102HvbY68MLv08WnBdnejUYZ kCCtQ2mTsuC8L3YNYOqI/8P5y8vNx9s7pytHP0GczBA/vxuXvUOf6m976lIjleqn 6ZLnOM2CHjc= =K1IP -----END PGP SIGNATURE----- ------- End of Forwarded Message --
To: kerberos@MIT.EDU Date: 17 Feb 1996 17:17:18 -0500 From: swlodin@cs.purdue.edu (Steve Lodin) In article <4g5jdd$iv4@umbc7.umbc.edu>, pauld@umbc.edu (Paul Danckaert) writes: > I am somewhat concerned about this.. does anybody have any more information > on the extent of the problems here, or the status on any bug-fixes? > Contact your Kerberos vendor or MIT for fixes. Further details will be released later. My first suggestion is don't use any kerberos based on MIT Kerberos Version 4 for military-grade security requirements. Steve -- Steve Lodin Purdue - swlodin@cs.purdue.edu http://www.cs.purdue.edu/people/swlodin Delco Electronics - swlodin@delcoelect.com (317)451-0479 Home - swlodin@iquest.net http://www.iquest.net/~swlodin/
To: kerberos@MIT.EDU Date: 18 Feb 1996 11:22:41 -0500 From: spaf@cs.purdue.edu (Gene Spafford) In article <4g5k5e$21c@narnia.cs.purdue.edu> swlodin@cs.purdue.edu (Steve Lodin) writes: My first suggestion is don't use any kerberos based on MIT Kerberos Version 4 for military-grade security requirements. Let me add to Steve's comments in a few ways: 1) If we use a fast machine, like a DEC Alpha, we can get the session keys for an active user in (effectively) real-time: average time is less than 6 seconds per key. 2) This problem appears to have been in MIT Kerberos version 4 for years, and possibly since the initial release. The Cygnus release include alterations to MIT's code that make the problem somewhat worse. We haven't examined any other releases of code, so we can't comment on whether it is present in other releases, but we assume it is. 3) There is no evidence that this is widely known or being actively exploited. Given #1 and #2 above, if it were known, you can bet we all would have heard about it by now. 4) MIT has a reasonable fix in preparation for Kerberos 4. It is a small change in the source. It is easy to put in place. 5) The attack against Kerberos 5 appears to be of theoretical interest only, as it requires extensive computational resources to exploit. In any event, I have discussed a fix for this with Ted Ts'o and there are several ways to eliminate the threat, at least one of which is likely to be included in future releases of version 5. 6) There is no #6. 7) Even when the vulnerability we found is fixed, there are still weaknesses in Kerberos, and especially Kerberos 4, that can be exploited. It is better than passwords in most cases, but it is not a panacea. 8) We hope to have the paper available for general release as a tech report within two weeks after the announcement of the fix.
To: kerberos@MIT.EDU Date: 18 Feb 1996 17:59:29 GMT From: jik@annex-1-slip-jik.cam.ov.com (Jonathan Kamens) In article <w13f8861ta.fsf@uther.cs.purdue.edu>, spaf@cs.purdue.edu (Gene Spafford) writes: |> 5) The attack against Kerberos 5 appears to be of theoretical |> interest only, as it requires extensive computational resources to |> exploit. In any event, I have discussed a fix for this with Ted Ts'o |> and there are several ways to eliminate the threat, at least one of |> which is likely to be included in future releases of version 5. Is an MIT Kerberos V5 KDC running with Kerberos V4 compatibility (i.e., responding to V4 requests) vulnerable to this attack? I suppose another way to ask the same question is, "Does the attack exploit a vlunerability in the V4 protocol or its implementation?"
To: kerberos@MIT.EDU Date: 18 Feb 1996 21:22:17 -0500 From: swlodin@cs.purdue.edu (Steve Lodin) In article <4g7pel$md8@jik.datasrv.co.il>, Jonathan Kamens <jik@annex-1-slip-jik.cam.ov.com> wrote: >Is an MIT Kerberos V5 KDC running with Kerberos V4 compatibility (i.e., >responding to V4 requests) vulnerable to this attack? > >I suppose another way to ask the same question is, "Does the attack exploit a >vlunerability in the V4 protocol or its implementation?" It is an implementation issue, not a protocol design issue. Steve -- Steve Lodin Purdue - swlodin@cs.purdue.edu http://www.cs.purdue.edu/people/swlodin Delco Electronics - swlodin@delcoelect.com (317)451-0479 Home - swlodin@iquest.net http://www.iquest.net/~swlodin/