All releases prior to 0.6.1 and 0.5.3 have a cross-realm vulnerability that allows someone with control over a realm to impersonate any principal in the cross-realm trust path.
0.6.1 and 0.5.3 perform proper consistency checks on cross-realm requests, and also allow better control over transit checks.
If you are running a vulnerable KDC version and have established cross-realm trust with anyone, we recommend that you disable this trust and then upgrade to 0.6.1 (or 0.5.3 on the 0.5 branch).
To see whether you have any cross-realm trust enabled, list all krbtgt principals in the database:

    kadmin> get -t krbtgt/*
    krbtgt/<MY.REALM>@<MY.REALM>
    krbtgt/<MY.REALM>@<OTHER.REALM>
    krbtgt/<OTHER.REALM>@<MY.REALM>

If you have any <OTHER.REALM> variants, you can temporarily disable them with:

    kadmin> mod krbtgt/<MY.REALM>@<OTHER.REALM>
    Max ticket life [unlimited]:
    Max renewable life [unlimited]:
    Principal expiration time [never]:
    Password expiration time [never]:
    Attributes []:+disallow-all-tix

The disallow-all-tix attribute stops the KDC from issuing any ticket for that principal, so cross-realm authentication in that direction will fail until the attribute is removed again. You have to repeat this for all such principals, as there is no easy way to automate it. If you have a huge number to update, you will probably have to dump the database, edit the dump, and reload it. After upgrading the KDC you can re-enable them with:

    kadmin> mod krbtgt/<MY.REALM>@<OTHER.REALM>
    Max ticket life [unlimited]:
    Max renewable life [unlimited]:
    Principal expiration time [never]:
    Password expiration time [never]:
    Attributes [disallow-all-tix]:-disallow-all-tix
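The following is an added helper for the listing step above; it is not part of the Heimdal distribution or of this advisory. It takes a list of principal names on standard input (for example what `kadmin -l list 'krbtgt/*'` prints; the `list` command and the `-l` local mode are assumed here, not shown on this page) and prints only the krbtgt principals whose instance or realm is not your own realm, i.e. the ones that carry cross-realm trust and need the disallow-all-tix treatment. The sample principal list and the realm names EXAMPLE.ORG and PARTNER.NET are constructed for the example.

```shell
#!/bin/sh
# Added example, not Heimdal's own code. Filters a list of principal
# names down to the cross-realm krbtgt entries.
#
# Usage: kadmin -l list 'krbtgt/*' | list_cross_realm_krbtgt MY.REALM
# (the kadmin 'list' command and '-l' local mode are assumptions)

list_cross_realm_krbtgt() {
    my_realm="$1"
    # Split each name into primary / instance @ realm. Keep only
    # krbtgt entries where the instance or the realm is foreign;
    # krbtgt/<MY.REALM>@<MY.REALM> is the realm's own TGS key and
    # must stay enabled.
    awk -v mine="$my_realm" -F'[/@]' '
        $1 == "krbtgt" && NF == 3 && ($2 != mine || $3 != mine) { print }
    '
}

# Constructed sample standing in for real kadmin output.
SAMPLE_PRINCIPALS='krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
krbtgt/EXAMPLE.ORG@PARTNER.NET
host/kdc.example.org@EXAMPLE.ORG
krbtgt/PARTNER.NET@EXAMPLE.ORG
admin/admin@EXAMPLE.ORG'

# Runs the filter over the constructed sample for EXAMPLE.ORG.
cross_realm_from_sample() {
    printf '%s\n' "$SAMPLE_PRINCIPALS" | list_cross_realm_krbtgt EXAMPLE.ORG
}

cross_realm_from_sample
```

Each line of output is one principal to feed to the interactive `mod` session shown above; the script only identifies them, it does not change the database.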
See also CAN-2004-0371.