CVE-2024-37371: About MIT Kerberos 5 (2nd July 2024)

Preface: Kerberos is built into all major operating systems, including those from Microsoft, Apple, Red Hat, and Sun. Kerberos is the authentication mechanism for some devices like Microsoft Active Directory and even X-Box. LDAP is primarily used for managing and accessing directories, while Kerberos is designed to provide security authentication for client/server applications.

Background: MIT krb5 is a free implementation of Kerberos 5.

It centralizes authentication databases and uses Kerberized applications to work with Kerberos-enabled servers or services, allowing single sign-on and encrypted communication over an internal network or the Internet.

Remark: krb5 Use Kerberos for authentication only. krb5i Use Kerberos for authentication, and include a hash with each transaction to ensure integrity.

Vulnerability detail: In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.

Official announcement: For detail, please refer to link –

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.