Flaws could open systems to attack

Two serious security flaws in a technology widely used for network authentication could expose a swath of software products to hacker attack, experts have warned.

The flaws could allow an online intruder to crash or gain access to computers running Kerberos, a freely available authentication technology that was developed by the Massachusetts Institute of Technology.

MIT rates both flaws "critical," according to two advisories released Tuesday. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers "is believed to be difficult."

Several software makers have already released updates to their products to address the problem. Red Hat, Turbolinux and Gentoo have issued fixes for their Linux versions, for example. Sun Microsystems on Tuesday issued two alerts acknowledging that several versions of Solaris are vulnerable, but it does not have a patch available yet.

Because Kerberos is so widely used, more vendors are likely to publish security alerts, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. "I think you are going to see a floodgate of patches open," he said.

Microsoft also uses Kerberos, but its own homegrown implementation, which is not affected by the flaws.

Both bugs affect Kerberos 5 Release 1.4.1 as well as earlier versions, according to MIT.

Independent security-monitoring company Secunia rates the issues "highly critical," its second most serious rating. The French Security Incident Response Team, or FrSIRT, deems the bugs "critical," its highest ranking.

Preventsys' Grayek agreed that the vulnerabilities are serious but noted that crafting attacks is difficult. "It is going to take somebody with a great deal of knowledge to turn these vulnerabilities into exploits," he said.

This isn't the first flaw in Kerberos. In March, MIT warned of a "serious" bug in the telnet program supplied with Kerberos. Last August, a "critical" flaw was discovered and patched.

Earlier this month a vulnerability in another widely used software component exposed some of the same products to attack. That flaw affects the open-source "zlib" data compression technology. Using a specially crafted file, an attacker could take control over a computer or crash applications that use zlib.
