COMMAND
Kerberos
SYSTEMS AFFECTED
Windows 2000
PROBLEM
The following is based on Defcom Labs Advisory def-2001-24 by Peter
Grundl. The Kerberos service and the Kerberos password service
contain a flaw that could allow a malicious attacker to cause a
Denial of Service on the Kerberos service, making all domain
authentication impossible.
When a client creates a connection to the Kerberos service and
then disconnects again without reading from the socket, the LSA
subsystem leaks memory. After about 4000 connections the
Kerberos service will stop accepting connections to TCP ports 88
(kerberos) and 464 (kpasswd) and all domain authentication will
effectively have died (if the target was a domain controller).
It requires a reboot to recover from the attack.
SOLUTION
Disallow access to TCP ports 88 and 464 from untrusted networks
and/or apply the patch located at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS01-024.asp
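
For monitoring unpatched domain controllers, the connection pattern described under PROBLEM can be watched for in flow records. The following is an added example, not part of the Defcom advisory: it counts connections to TCP 88/464 that close with no data exchanged, both cumulatively per domain controller (against the roughly 4000 figure) and per source per minute. The record layout, the thresholds, and the use of "zero bytes in both directions" as a proxy for connect-and-disconnect are assumptions.

```python
from collections import Counter, defaultdict

KDC_PORTS = {88, 464}     # kerberos and kpasswd, per the advisory
LEAK_LIMIT = 4000         # approximate connection count from the advisory
ALERT_FRACTION = 0.25     # assumed: warn well before the limit is reached
BURST_PER_MINUTE = 100    # assumed per-source threshold

def make_sample():
    """Constructed records: epoch_seconds src dst dst_port bytes_in bytes_out."""
    lines = ["1000 10.0.0.5 10.0.0.1 88 312 1480",   # normal Kerberos exchange
             "1001 10.0.0.6 10.0.0.1 445 0 0"]       # not a Kerberos port
    # 1200 empty connections from one host spread over 60 seconds
    lines += [f"{2000 + i // 20} 192.0.2.77 10.0.0.1 {88 if i % 2 else 464} 0 0"
              for i in range(1200)]
    return lines

def parse(line):
    ts, src, dst, port, b_in, b_out = line.split()
    return int(ts), src, dst, int(port), int(b_in), int(b_out)

def analyse(lines):
    """Return alert tuples for empty connections to the Kerberos ports.

    The log is assumed to start at the last reboot of each domain
    controller, since the advisory says only a reboot recovers the service.
    """
    per_dc = Counter()               # cumulative empty connections per DC
    per_min = defaultdict(Counter)   # dst -> {(src, minute): count}
    for line in lines:
        ts, src, dst, port, b_in, b_out = parse(line)
        if port not in KDC_PORTS or b_in or b_out:
            continue                 # other service, or data was exchanged
        per_dc[dst] += 1
        per_min[dst][(src, ts // 60)] += 1
    alerts = []
    for dst, total in per_dc.items():
        if total >= LEAK_LIMIT * ALERT_FRACTION:
            alerts.append(("cumulative", dst, total))
        for (src, minute), n in per_min[dst].items():
            if n >= BURST_PER_MINUTE:
                alerts.append(("burst", dst, src, minute, n))
    return alerts

if __name__ == "__main__":
    for alert in analyse(make_sample()):
        print(alert)
```

The cumulative alert matters because the leak accumulates across all sources until the reboot, so a slow trickle from many hosts reaches the same end state as a single burst.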