MIT Kerberos DOS Vulnerability

I just saw thisin the SANS vulnerability alert this week. If you don’t want to parse the text yourself, it is essentially four separate remote denial-of-service vulnerabilities in the MIT Kerberos implementation for krb5-1.8 and later.

It’s amazing to me that we are still finding fatal flaws in a core security service like this. I’m not sure exactly how old the MIT Kerberos implementation is, but the protocol as defined in RFC 1510(which has been obsoleted by RFC 4120) has been around since 1993, and as far as I know, the MIT Kerberos implementation was the original.

Patch your code!