Flaws could open systems to attack

Two serious security flaws in a technology widely used for network authentication could expose a swath of software products to hacker attack, experts have warned.

The flaws could allow an online intruder to crash or gain access to computers running Kerberos, a freely available authentication technology that was developed by the Massachusetts Institute of Technology.

MIT rates both flaws "critical," according to two advisories released Tuesday. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers "is believed to be difficult."

Several software makers have already released updates to their products to address the problem. Red Hat, Turbolinux and Gentoo have issued fixes for their Linux versions, for example. Sun Microsystems on Tuesday issued two alerts acknowledging that several versions of Solaris are vulnerable, but it does not have a patch available yet.

Because Kerberos is so widely used, more vendors are likely to publish security alerts, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. "I think you are going to see a floodgate of patches open," he said.

Microsoft also uses Kerberos, but a homegrown version that is not affected by the flaws.

Both bugs affect Kerberos 5 Release 1.4.1 as well as earlier versions, according to MIT.

Independent security-monitoring company Secunia rates the issues "highly critical," its second most serious rating. The French Security Incident Response Team, or FrSIRT, deems the bugs "critical," its highest ranking.

Preventsys' Grayek agreed that the vulnerabilities are serious but noted that crafting attacks is difficult. "It is going to take somebody with a great deal of knowledge to turn these vulnerabilities into exploits," he said.

This isn't the first flaw in Kerberos. In March, MIT warned of a "serious" bug in the telnet program supplied with Kerberos. Last August, a "critical" flaw was discovered and patched.

Earlier this month, a vulnerability in another widely used software component exposed some of the same products to attack. That flaw affects the open-source "zlib" data compression library. Using a specially crafted file, an attacker could take control of a computer or crash applications that use zlib.
