Security breach hits Kerberos software

Massachusetts Institute of Technology officials have issued security warnings regarding two serious vulnerabilities in the Kerberos computer authentication software, which is regularly used by Dartmouth and many other universities and businesses.

The first security hole, a “double-free vulnerability,” could allow a hacker to execute harmful code on the Kerberos server. If a Dartmouth Kerberos server were compromised, the security of the entire network on that server would also be jeopardized.

The second vulnerability causes an infinite loop in the software’s decoder, leaving Kerberos vulnerable to denial-of-service attacks on the Dartmouth network. This problem is more relevant to students, as it could cause the program and system to crash.
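The two bug classes named above, a double free and a decoder that fails to make progress, are both defensive-coding problems. The following C example is added here to illustrate them; it is not code from the article, from MIT Kerberos, or from Dartmouth, and it says nothing about how the actual Kerberos bugs arose. The `request_t` structure, the `SAFE_FREE` macro, the `decode_records` function and its record format (a one-byte length followed by that many payload bytes) are all constructed for the illustration and are not Kerberos's real encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- (1) Double-free class ----------------------------------------------
 * A cleanup routine that can be reached twice (once from an error path, once
 * from the caller's normal teardown) must not free the same pointer twice.
 * Freeing and then clearing the pointer makes the second call a no-op,
 * because free(NULL) is defined to do nothing. */
#define SAFE_FREE(p) do { free(p); (p) = NULL; } while (0)

typedef struct {            /* hypothetical request object, constructed */
    char    *name;
    uint8_t *ticket;
} request_t;

void request_cleanup(request_t *r) {
    SAFE_FREE(r->name);
    SAFE_FREE(r->ticket);
}

/* Returns 1 when a second cleanup call leaves both fields NULL and frees
 * nothing twice; returns 0 only if allocation failed. */
int demo_double_cleanup(void) {
    request_t r;
    r.name   = malloc(8);
    r.ticket = malloc(16);
    if (!r.name || !r.ticket) { request_cleanup(&r); return 0; }
    memcpy(r.name, "alice", 6);
    request_cleanup(&r);    /* e.g. an error path */
    request_cleanup(&r);    /* e.g. the caller's own teardown: now harmless */
    return r.name == NULL && r.ticket == NULL;
}

/* ---- (2) Decoder that cannot spin ---------------------------------------
 * Constructed toy format: records of [len][len payload bytes], repeated.
 * A zero-length record is legal, so the caller, not the record parser,
 * must guarantee that every iteration advances the cursor. */
#define MAX_RECORDS 64
enum { DEC_MALFORMED = -1, DEC_TOO_MANY = -2 };

/* Parses one record at buf[pos..len); returns bytes consumed, 0 if malformed. */
static size_t parse_one(const uint8_t *buf, size_t pos, size_t len) {
    size_t rlen = buf[pos];
    if (pos + 1 + rlen > len) return 0;     /* bounds check: truncated record */
    return 1 + rlen;
}

/* Returns the record count, or a negative error code. The loop stops the
 * moment the parser reports no progress and caps the work done per message,
 * so a malformed input yields an error instead of an infinite loop. */
int decode_records(const uint8_t *buf, size_t len) {
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        size_t used = parse_one(buf, pos, len);
        if (used == 0) return DEC_MALFORMED;          /* progress invariant */
        if (++count > MAX_RECORDS) return DEC_TOO_MANY; /* per-message cap */
        pos += used;
    }
    return count;
}

/* Constructed sample inputs. */
static const uint8_t k_good[]      = { 0x02, 'h', 'i', 0x00, 0x01, 'x' };
static const uint8_t k_truncated[] = { 0x05, 'a', 'b' };
static uint8_t       k_flood[MAX_RECORDS + 8];   /* all zero-length records */

int decode_good(void)      { return decode_records(k_good, sizeof k_good); }
int decode_truncated(void) { return decode_records(k_truncated, sizeof k_truncated); }
int decode_flood(void)     { return decode_records(k_flood, sizeof k_flood); }

int main(void) {
    printf("double cleanup safe: %d\n", demo_double_cleanup());
    printf("good: %d  truncated: %d  flood: %d\n",
           decode_good(), decode_truncated(), decode_flood());
    return 0;
}
```

The two guards in `decode_records` are independent: the progress check stops a decoder that would otherwise re-read the same bytes forever, and the record cap bounds the work a single message can cost even when every record is well formed.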

“The problem is more of a theoretical thing. It’s like a window on the 17th floor that’s unlocked,” said David Gelhar, a software developer for Dartmouth Computing Services. “We take these [security holes] very seriously, but at the same time, it’s not something to panic about.”

So far, MIT does not believe that any intrusions utilizing the vulnerability have occurred, as an exploitation of the double-free bug would be extremely difficult and complex. MIT’s latest edition of Kerberos, released in September, provided a fix for both security holes.

Computing Services officials say that they are not too worried about the security holes because Dartmouth’s network is very well maintained.

“We receive updates from software companies almost on a daily basis, and we have system administrators who add these updates to the system,” said Brad Noblet, director of Technical Services.

Furthermore, the Kerberos software is run on the Linux platform, as opposed to Windows. Since most exploits take advantage of Windows, programs run on Linux are more secure in general, as well as less of a target, Gelhar noted.

Students do not need to be too worried about the security holes either. According to Gelhar, individual Kerberos clients are not at risk, but rather the main Dartmouth server is.

Computing Services also hopes to make logging into the Dartmouth server easier for those who are off-campus, and especially for those behind corporate firewalls, since the software installation required for Kerberos can be difficult.
