Flaws could open systems to attack

Filed under
Security

Two serious security flaws in a technology widely used for network authentication could expose a swath of software products to hacker attack, experts have warned.

The flaws could allow an online intruder to crash or gain access to computers running Kerberos, a freely available authentication technology that was developed by the Massachusetts Institute of Technology.

MIT rates both flaws "critical," according to two advisories released Tuesday. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers "is believed to be difficult."

Several software makers have already released updates to their products to address the problem. Red Hat, Turbolinux and Gentoo have issued fixes for their Linux versions, for example. Sun Microsystems on Tuesday issued two alerts acknowledging that several versions of Solaris are vulnerable, but it does not have a patch available yet.

Because Kerberos is so widely used, more vendors are likely to publish security alerts, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. "I think you are going to see a floodgate of patches open," he said.

Microsoft also uses Kerberos, but its own implementation, which is not affected by the flaws.

Both bugs affect Kerberos 5 Release 1.4.1 as well as earlier versions, according to MIT.

Independent security-monitoring company Secunia rates the issues "highly critical," its second most serious rating. The French Security Incident Response Team, or FrSIRT, deems the bugs "critical," its highest ranking.

Preventsys' Grayek agreed that the vulnerabilities are serious but noted that crafting attacks is difficult. "It is going to take somebody with a great deal of knowledge to turn these vulnerabilities into exploits," he said.

This isn't the first flaw in Kerberos. In March, MIT warned of a "serious" bug in the telnet program supplied with Kerberos. Last August, a "critical" flaw was discovered and patched.

Earlier this month, a vulnerability in another widely used software component exposed some of the same products to attack. That flaw affects the open-source "zlib" data compression library. Using a specially crafted file, an attacker could take control of a computer or crash applications that use zlib.

Source.