The Massachusetts Institute of Technology has issued patches for three serious flaws in Kerberos v5, a widely used security authentication system. The worst of the flaws could allow an attacker to gain access to an entire authentication realm, according to MIT.
Separately, Oracle issued a set of 49 patches for its Database Server, Application Server, Collaboration Suite, E-Business and Applications, and Enterprise Manager products.
The Kerberos flaws are serious because Kerberos is one of the most widely implemented authentication protocols on the Internet, and is used in many commercial products such as operating systems and routers.
Two of the flaws affect the Key Distribution Center (KDC), which authenticates users. One of these, a boundary error that can cause a heap-based buffer overflow via a TCP or UDP request, may be used to execute malicious code on a system; MIT warned a successful attack could allow access to the entire authentication realm protected by the KDC. The other KDC vulnerability causes the freeing of memory in random locations, leading to a heap corruption; this can crash the system but can't be used to execute code, MIT said.
A third flaw, affecting the krb5_recvauth() function, could allow a remote attacker to take over a system. However, the bug is a double-free error, in which a program attempts to free memory that has already been freed. "Exploitation of double-free vulnerabilities is believed to be difficult," MIT said in its advisory.
The bugs all affect version 1.4.1 of Kerberos v5, and impact third-party software using the affected components, MIT said. MIT published patching instructions in its advisories and said the problems would be addressed in the forthcoming version 1.4.2.
Kerberos has been hit by serious flaws about once a year. In October 2002, a flaw in kadmind4 (Kerberos v4 compatibility administration daemon) allowed unauthenticated attackers to gain root privileges on Kerberos v4 and v5 machines; at that time, MIT researchers said an exploit was already circulating when the patch was released.
Oracle issued a cumulative patch for a number of its products, the third time it has rolled out a Critical Patch since introducing cumulative patches in January. The bugs include 12 Database flaws, 12 in Application Server, 17 in E-Business Suite, six in Collaboration Suite and two in Enterprise Manager. Oracle didn't give details on the workings of the flaws, but said they could allow remote or local attackers to execute malicious commands, crash applications and conduct SQL injection attacks.
The company published patching instructions in its advisory.