Language Selection

English French German Italian Portuguese Spanish

Flaws could open systems to attack

Filed under
Security

Two serious security flaws in a technology widely used for network authentication could expose a swath of software products to hacker attack, experts have warned.

The flaws could allow an online intruder to crash or gain access to computers running Kerberos, a freely available authentication technology that was developed by the Massachusetts Institute of Technology.

MIT rates both flaws "critical," according to two advisories released Tuesday. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers "is believed to be difficult."

Several software makers have already released updates to their products to address the problem. Red Hat, Turbolinux and Gentoo have issued fixes for their Linux versions, for example. Sun Microsystems on Tuesday issued two alerts acknowledging that several versions of Solaris are vulnerable, but it does not have a patch available yet.

Because Kerberos is so widely used, more vendors are likely to publish security alerts, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. "I think you are going to see a floodgate of patches open," he said.

Microsoft also uses Kerberos, but a homegrown version that is not affected by the flaws.

Both bugs affect Kerberos 5 Release 1.4.1 as well as earlier versions, according to MIT.

Independent security-monitoring company Secunia rates the issues "highly critical," its second most serious rating. The French Security Incident Response Team, or FrSIRT, deems the bugs "critical," its highest ranking.

Preventsys' Grayek agreed that the vulnerabilities are serious but noted that crafting attacks is difficult. "It is going to take somebody with a great deal of knowledge to turn these vulnerabilities into exploits," he said.

This isn't the first flaw in Kerberos. In March, MIT warned of a "serious" bug in the telnet program supplied with Kerberos. Last August, a "critical" flaw was discovered and patched.

Earlier this month a vulnerability in another widely used software component exposed some of the same products to attack. That flaw affects the open-source "zlib" data compression technology. Using a specially crafted file, an attacker could take control over a computer or crash applications that use zlib.

Source.

More in Tux Machines

Why Good Linux Sysadmins Use Markdown

The Markdown markup language is perfect for writing system administrator documentation: it is lightweight, versatile, and easy to learn, so you spend your time writing instead of fighting with formatting. The life of a Linux system administrator is complex and varied, and you know that documenting your work is a big time-saver. A documentation web server shared by you and your colleagues is a wonderful productivity tool. Most of us know simple HTML, and can whack up a web page as easily as writing plain text. But using Markdown is better. Read more

Purism’s next product could be a smartphone that runs Linux/free software

Purism is a company that’s been developing laptops and tablets that run Linux-based, free and open source software for a few years. Now Purism is considering building a smartphone and the company is soliciting feedback from potential customers. The idea would be to release a Librem Phone that runs GNU/Linux rather than Android, and which offers security and privacy features to help set it apart from most other phones on the market. Read more

Cinnamon 3.2 in Linux Mint 18.1 Supports Vertical Panels, Better Accelerometers

After informing the community a few days ago about the Mintbox Mini Pro PC and the upcoming improvements and new features shipping with the XApps software projects in Linux Mint 18.1, Clement Lefebvre just published the monthly Linux Mint newsletter. Read more

Blender 2.78 Open-Source 3D Graphics Software Released with Spherical Stereo VR

Today, September 30, 2016, the Blender Foundation is proud to release Blender 2.78, the latest stable and most advanced version of the popular, open-source, free, and cross-platform Blender 3D modelling software. Blender 2.78 comes six months after the release of Blender 2.77, and it's a major update that adds numerous new features and improvements, among which we can mention rendering of spherical stereo images for VR (Virtual Reality), viewport rendering improvements, as well as brand new freehand curves drawing over surfaces. Moreover, the Grease Pencil received awesome improvements and it now doubles as both an animation and drawing tool, powerful new options have been added for B-Bones, it's now possible to import and export basic operators in the Alembic support, and the Cloth Physics feature received new Simulation Speed option and Dynamic Base Mesh support. Read more