
Flaws could open systems to attack

Filed under: Security

Two serious security flaws in a technology widely used for network authentication could expose a swath of software products to hacker attack, experts have warned.

The flaws could allow an online intruder to crash or gain access to computers running Kerberos, a freely available authentication technology that was developed by the Massachusetts Institute of Technology.

MIT rates both flaws "critical," according to two advisories released Tuesday. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers "is believed to be difficult."

Several software makers have already released updates to their products to address the problem. Red Hat, Turbolinux and Gentoo have issued fixes for their Linux versions, for example. Sun Microsystems on Tuesday issued two alerts acknowledging that several versions of Solaris are vulnerable, but it does not have a patch available yet.

Because Kerberos is so widely used, more vendors are likely to publish security alerts, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. "I think you are going to see a floodgate of patches open," he said.

Microsoft also uses Kerberos, but its own implementation, which is not affected by the flaws.

Both bugs affect Kerberos 5 Release 1.4.1 as well as earlier versions, according to MIT.

Independent security-monitoring company Secunia rates the issues "highly critical," its second most serious rating. The French Security Incident Response Team, or FrSIRT, deems the bugs "critical," its highest ranking.

Preventsys' Grayek agreed that the vulnerabilities are serious but noted that crafting attacks is difficult. "It is going to take somebody with a great deal of knowledge to turn these vulnerabilities into exploits," he said.

This isn't the first flaw in Kerberos. In March, MIT warned of a "serious" bug in the telnet program supplied with Kerberos. Last August, a "critical" flaw was discovered and patched.

Earlier this month a vulnerability in another widely used software component exposed some of the same products to attack. That flaw affects the open-source "zlib" data compression technology. Using a specially crafted file, an attacker could take control over a computer or crash applications that use zlib.

