
Flaws could open systems to attack

Filed under: Security

Two serious security flaws in a technology widely used for network authentication could expose a swath of software products to hacker attack, experts have warned.

The flaws could allow a remote attacker to crash, or gain access to, computers running Kerberos, a freely available network authentication technology developed at the Massachusetts Institute of Technology.

MIT rates both flaws "critical," according to two advisories released Tuesday. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers "is believed to be difficult."

Several software makers have already released updates to their products to address the problem. Red Hat, Turbolinux and Gentoo have issued fixes for their Linux versions, for example. Sun Microsystems on Tuesday issued two alerts acknowledging that several versions of Solaris are vulnerable, but it does not have a patch available yet.

Because Kerberos is so widely used, more vendors are likely to publish security alerts, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. "I think you are going to see a floodgate of patches open," he said.

Microsoft's Windows also uses the Kerberos protocol, but Microsoft's own implementation is not affected by the flaws, which are specific to MIT's code.

Both bugs affect MIT Kerberos 5 Release 1.4.1 and all earlier versions, according to MIT.
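The practical question for an administrator reading this is whether the installed MIT krb5 falls in that "1.4.1 and earlier" range. The following shell script is an added example, not code from the article or from MIT: it parses the release string and compares it component by component against the 1.4.1 ceiling the article gives. The output format of `krb5-config --version` ("Kerberos 5 release X.Y.Z") is an assumption, and the sample strings at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or from MIT). Decide whether an MIT
# krb5 release string falls in the affected range "1.4.1 and earlier".
# The 1.4.1 ceiling comes from the article; the "Kerberos 5 release X.Y.Z"
# output format of `krb5-config --version` is an assumption.

AFFECTED_MAX="1.4.1"

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B on dotted numeric versions.
# Missing trailing components count as 0, so "1.4" compares below "1.4.1".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$ai" = "$a" ] && a="" || a=${a#*.}
        [ "$bi" = "$b" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# krb5_affected "Kerberos 5 release 1.4.1": returns 0 if the release is
# within the affected range, 1 if it is newer, 2 if the string is unparseable.
krb5_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Kerberos 5 release \([0-9.]*\).*$/\1/p')
    [ -n "$ver" ] || { echo "unrecognised version string: $1" >&2; return 2; }
    [ "$(vercmp "$ver" "$AFFECTED_MAX")" -le 0 ]
}

# Constructed sample strings, to show the decision on both sides of the line.
for s in "Kerberos 5 release 1.3.6" "Kerberos 5 release 1.4.1" "Kerberos 5 release 1.4.2"; do
    if krb5_affected "$s"; then echo "$s: affected"; else echo "$s: not affected"; fi
done

# Check the locally installed library when krb5-config is on the PATH.
if command -v krb5-config >/dev/null 2>&1; then
    if krb5_affected "$(krb5-config --version)"; then
        echo "installed MIT krb5 is within the affected range (<= $AFFECTED_MAX)"
    else
        echo "installed MIT krb5 is newer than $AFFECTED_MAX"
    fi
fi
```

Note that this compares the upstream release number only; distributions that backport fixes (as Red Hat, Turbolinux and Gentoo did here) keep the old version string, so on such systems the package changelog, not the release number, is the authoritative check.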

Independent security-monitoring company Secunia rates the issues "highly critical," its second most serious rating. The French Security Incident Response Team, or FrSIRT, deems the bugs "critical," its highest ranking.

Preventsys' Grayek agreed that the vulnerabilities are serious but noted that crafting attacks is difficult. "It is going to take somebody with a great deal of knowledge to turn these vulnerabilities into exploits," he said.

This isn't the first flaw in Kerberos. In March, MIT warned of a "serious" bug in the telnet program supplied with Kerberos. Last August, a "critical" flaw was discovered and patched.

Earlier this month a vulnerability in another widely used software component exposed some of the same products to attack. That flaw affects the open-source "zlib" data compression library. Using a specially crafted compressed file, an attacker could crash applications that use zlib or take control of the computer running them.

Source.
