Kerberos Bug Compromises Networks Worldwide
MIT has announced a serious bug in its widely used Kerberos network security software. If the network's critical "key distribution center," or KDC, is running kadmind4 (a server program, or daemon, that helps with administration of the network), an attacker can take advantage of a buffer overflow vulnerability to take full control of the network. The attacker doesn't need to have any special privileges on the network, or even be authorized to use it, to do this. MIT reports that at least one exploit for the bug is known to be "in the wild," putting all machines running kadmind4 at risk. Machines that might be vulnerable include all of those running Kerberos 4, Kerberos 5, or a derivative thereof (such as Cygnus Network Security).
The US Department of Energy's CIAC (Computer Incident Advisory Capability) stated, in an advisory published yesterday evening, that the risk from this bug is "high."
More at ExtremeTech