Flaws could open systems to attack

Filed under
Security

Two serious security flaws in a technology widely used for network authentication could expose a swath of software products to hacker attack, experts have warned.

The flaws could allow an online intruder to crash or gain access to computers running Kerberos, a freely available authentication technology that was developed by the Massachusetts Institute of Technology.

MIT rates both flaws "critical," according to two advisories released Tuesday. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers "is believed to be difficult."

Several software makers have already released updates to their products to address the problem. Red Hat, Turbolinux and Gentoo have issued fixes for their Linux versions, for example. Sun Microsystems on Tuesday issued two alerts acknowledging that several versions of Solaris are vulnerable, but it does not have a patch available yet.

Because Kerberos is so widely used, more vendors are likely to publish security alerts, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. "I think you are going to see a floodgate of patches open," he said.

Microsoft also uses Kerberos, but a homegrown version that is not affected by the flaws.

Both bugs affect Kerberos 5 Release 1.4.1 as well as earlier versions, according to MIT.

Independent security-monitoring company Secunia rates the issues "highly critical," its second most serious rating. The French Security Incident Response Team, or FrSIRT, deems the bugs "critical," its highest ranking.

Preventsys' Grayek agreed that the vulnerabilities are serious but noted that crafting attacks is difficult. "It is going to take somebody with a great deal of knowledge to turn these vulnerabilities into exploits," he said.

This isn't the first flaw in Kerberos. In March, MIT warned of a "serious" bug in the telnet program supplied with Kerberos. Last August, a "critical" flaw was discovered and patched.

Earlier this month a vulnerability in another widely used software component exposed some of the same products to attack. That flaw affects the open-source "zlib" data compression technology. Using a specially crafted file, an attacker could take control over a computer or crash applications that use zlib.

Source.

More in Tux Machines

Microsoft v GNU/Linux

  • Illinois residents sue Microsoft over forced Windows 10 upgrades

    The lawyers who have acted on behalf of the trio are looking to have the case expanded to a class action covering every person who has been affected by a forced upgrade from Windows 7 to Windows 10. They allege that there are thousands of such cases.

    The trio claim that Microsoft uses various tactics to get users to upgrade and does not give them a chance to refuse.

  • New Windows 10 courts govt deals

    The system was developed by its joint venture with China Electronics Technology Group Corp, a State-owned company. Equipped with tailor-made security {sic} features, it is expected to allow the US tech giant to regain access to China's lucrative government software procurement market.

  • Microsoft One Drive Bug In Chrome OS And Linux Fixed

Linux Mint KDE Review: Easy And Beautiful

Linux Mint, the most popular Linux distribution, is recommended by almost all Linux users for newbies. By default, Linux Mint is released with Cinnamon. But thanks to the Kubuntu team, we now have a KDE edition. New users are probably wondering what all this KDE thing is. KDE is a community. KDE is a compilation of software. We will look at it in more detail along the way. Mint is a whole distro, so we will look at some specific aspects, but KDE is more than just a DE and we cannot review all of its features here. I will try to cover as much as possible in limited space.

today's leftovers

  • Puppet Wins Best DevOps Tool for Open Source at the 2017 DevOps Excellence Awards
  • The goal of HP's radical The Machine: Reshaping computing around memory
    Not every computer owner would be as pleased as Andrew Wheeler that their new machine could run "all weekend" without crashing. But not everyone's machine is "The Machine," an attempt to redefine a relationship between memory and processor that has held since the earliest days of parallel computing. Wheeler is a vice president and deputy labs director at Hewlett Packard Enterprise. He's at the Cebit trade show in Hanover, Germany, to tell people about The Machine, a key part of which is on display in HPE's booth. [...] HPE has tweaked the Linux operating system and other software to take advantage of The Machine's unusual architecture, and released its changes under open source licenses, making it possible for others to simulate the performance of their applications in the new memory fabric.
  • Eudyptula Challenge Status report
    Welcome to another very semi-irregular update from the Eudyptula Challenge.
  • Eudyptula Challenge Status report
    The Eudyptula Challenge is a series of programming exercises for the Linux kernel. It starts from a very basic "Hello world" kernel module, moves up in complexity to getting patches accepted into the main kernel. The challenge will be closed to new participants in a few months, when 20,000 people have signed up.
  • Daimler Jumps on Linux Bandwagon
    Not long ago, if a major corporation were to take out membership in an open source project, that would be big news -- doubly so for a company whose primary business isn't tech related. Times have changed. These days the corporate world's involvement in open source is taken for granted, even for companies whose business isn't computer related. Actually, there's really no such thing anymore. One way or another, computer technology is at the core of nearly every product on the market. So it wasn't surprising that hardly anyone noticed earlier this month when Daimler AG, maker of Mercedes-Benz and the world's largest manufacturer of commercial vehicles, announced it had joined the Open Invention Network (OIN), an organization that seeks to protect open source projects from patent litigation. According to a quick and unscientific search of Google, only one tech site covered the news, and that didn't come until a full 10 days after the announcement was made.
  • ONAP: Raising the Standard for NFV/SDN Telecom Networks [Ed: Amdocs pays the Linux Foundation for editorial control and puff pieces]
    This article is paid for by Amdocs...
  • Plamo 6.2 released
    Plamo 6.2 has been released.
  • Dominique Leuenberger: [Tumbleweed] Review of the week 2017/12
    What a week! Tumbleweed once again is the first (to my knowledge) to ship the just released GNOME 3.24.0 as part of its main repository. Being shipped to the users in less than 48 hours since the official release announcement is something we can only do thanks to all the automatic building and testing AND the efforts put into the packages! If packagers were not on the ball the whole time, this would not be possible. Even though the week has seen ‘only’ 4 snapshots (0317, 0318, 0320 and 0322), the changes delivered to the user base are enormous.
  • VMware Workstation 12.x.x for latest openSUSE Tumbleweed
  • Zero Terminal Mini Linux Laptop Created Using Raspberry Pi Zero W And Smartphone Keyboard
  • Zero Terminal: A DIY handheld Linux PC made from a Raspberry Pi and a cheap iPhone keyboard accessory

today's howtos