TUCoPS :: Unix :: General :: a6130.htm

heimdal Cryptographic weakness
10th Apr 2003 [SBWID-6130]
COMMAND
	heimdal Cryptographic weakness
SYSTEMS AFFECTED
	version 0.5.2 and prior
PROBLEM
	In Debian Security Advisory DSA-269:
	
	A cryptographic weakness in version 4 of the Kerberos protocol allows
	an attacker to use a chosen-plaintext attack to impersonate any
	principal in a realm. Additional cryptographic weaknesses in the krb4
	implementation permit the use of cut-and-paste attacks to fabricate
	krb4 tickets for unauthorized client principals if triple-DES keys are
	used to key krb4 services. These attacks can subvert a site's entire
	Kerberos authentication infrastructure.
	
	This version of the heimdal package changes the default behavior and
	disallows cross-realm authentication for Kerberos version 4. Because of
	the fundamental nature of the problem, cross-realm authentication in
	Kerberos version 4 cannot be made secure and sites should avoid its
	use. A new option (--kerberos4-cross-realm) is provided to the kdc
	command to re-enable version 4 cross-realm authentication for those
	sites that must use this functionality but desire the other security
	fixes.
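	The cut-and-paste attacks the advisory refers to exist because krb4 tickets
	are encrypted without any integrity check, so an attacker holding two
	ciphertexts made under the same service key can splice blocks between
	them. The following is an added example, not code from the advisory, from
	Debian or from Heimdal: it uses a constructed toy block cipher in CBC
	mode, a constructed four-field ticket layout and constructed keys to show
	the block-granular splice, then shows that a keyed tag over the ciphertext
	stops it. The real krb4 ticket format and cipher modes are not described
	on this page and are not reproduced here; which fields a real verifier
	would tolerate being garbled is format specific.

```python
import hashlib
import hmac

BLOCK = 8
# Constructed values for the demonstration; none of these is a real Heimdal key.
SERVICE_KEY = b"svc-key!"   # long-term service key shared by every ticket it accepts
MAC_KEY = b"mac-key!"       # separate key for the integrity tag in the hardened variant
IV = bytes(BLOCK)           # fixed IV keeps the splice reproducible


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half, key, rnd):
    """Toy round function: keyed SHA-256 truncated to the 4-byte half block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt_block(key, block):
    """16-round Feistel network on an 8-byte block (a stand-in for DES, not DES)."""
    l, r = block[:4], block[4:]
    for i in range(16):
        l, r = r, _xor(l, _f(r, key, i))
    return r + l


def toy_decrypt_block(key, block):
    r, l = block[:4], block[4:]          # undo the final swap
    for i in reversed(range(16)):
        l, r = _xor(r, _f(l, key, i)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


# Constructed ticket layout: four fixed-width 8-byte fields, one per cipher block.
FIELDS = ("principal", "realm", "lifetime", "skey")


def issue_ticket(principal, realm, lifetime, skey):
    """Encrypt a ticket under the service key; no integrity protection (the weak form)."""
    values = (principal, realm, lifetime, skey)
    assert all(len(v) <= BLOCK for v in values)
    return cbc_encrypt(SERVICE_KEY, IV, b"".join(v.ljust(BLOCK).encode() for v in values))


def read_ticket(ct):
    pt = cbc_decrypt(SERVICE_KEY, IV, ct)
    return {name: pt[i * BLOCK:(i + 1) * BLOCK] for i, name in enumerate(FIELDS)}


def splice(victim_ct, attacker_ct, n):
    """Cut-and-paste: first n blocks from the victim's ticket, the rest from the attacker's.

    CBC chaining means only the block right after the seam decrypts to garbage;
    every other field is either the victim's or the attacker's, as chosen.
    """
    return victim_ct[:n * BLOCK] + attacker_ct[n * BLOCK:]


def issue_tagged(principal, realm, lifetime, skey):
    """Hardened variant: the same ciphertext plus an HMAC over it."""
    ct = issue_ticket(principal, realm, lifetime, skey)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()


def read_tagged(blob):
    """Return the fields, or None when the tag does not match the ciphertext."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        return None
    return read_ticket(ct)


if __name__ == "__main__":
    victim = issue_ticket("admin", "REALM.A", "86400", "k1")   # observed, not decryptable
    mine = issue_ticket("guest", "REALM.A", "86400", "k2")     # attacker's own ticket
    forged = read_ticket(splice(victim, mine, 1))
    print(forged)   # principal block is "admin", realm block garbled, rest from "mine"
    print(read_tagged(splice(issue_tagged("admin", "REALM.A", "86400", "k1"),
                             issue_tagged("guest", "REALM.A", "86400", "k2"), 1)))
```

	The spliced ticket carries the victim's principal together with a session
	key the attacker already knows, at the cost of one garbled block at the
	seam; whether that is enough depends on how strictly each field is
	checked, which is exactly why the only sound fix is to authenticate the
	ciphertext (or move off krb4), not to inspect fields more carefully.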
SOLUTION
	Upgrade to a fixed heimdal package. The fixed kdc refuses Kerberos
	version 4 cross-realm authentication by default; only start it with
	--kerberos4-cross-realm if the site cannot avoid krb4 cross-realm use,
	and then with the understanding that the cross-realm weakness itself
	remains unfixed. Sites that can should retire krb4 entirely.
