|
Vulnerability Kerberos Affected Windows 2000 Description Following is based on a Defcom Labs Advisory def-2001-24 by Peter Grundl. The Kerberos service and kerberos password service contain a flaw that could allow a malicious attacker to cause a Denial of Service on the Kerberos service and thus making all domain authentication impossible. By creating a connection to the kerberos service and the disconnecting again, without reading from the socket, the LSA subsystem will leak memory. After about 4000 connections the kerberos service will stop accepting connections to tcp ports 88 (kerberos) and 464 (kpasswd) and all domain authentication will effectively have died (if the target was a domain controller). It requires a reboot to recover from the attack. Solution Disallow access to TCP ports 88 and 464 from untrusted networks or/and apply the patch located at the following URL: http://www.microsoft.com/technet/security/bulletin/MS01-024.asp