Flaws could open systems to attack

Filed under
Security

Two serious security flaws in a technology widely used for network authentication could expose a swath of software products to hacker attack, experts have warned.

The flaws could allow an online intruder to crash or gain access to computers running Kerberos, a freely available authentication technology that was developed by the Massachusetts Institute of Technology.

MIT rates both flaws "critical," according to two advisories released Tuesday. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers "is believed to be difficult."

Several software makers have already released updates to their products to address the problem. Red Hat, Turbolinux and Gentoo have issued fixes for their Linux versions, for example. Sun Microsystems on Tuesday issued two alerts acknowledging that several versions of Solaris are vulnerable, but it does not have a patch available yet.

Because Kerberos is so widely used, more vendors are likely to publish security alerts, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. "I think you are going to see a floodgate of patches open," he said.

Microsoft also uses Kerberos, but its own implementation, which is not affected by the flaws.

Both bugs affect Kerberos 5 Release 1.4.1 as well as earlier versions, according to MIT.

Independent security-monitoring company Secunia rates the issues "highly critical," its second most serious rating. The French Security Incident Response Team, or FrSIRT, deems the bugs "critical," its highest ranking.

Preventsys' Grayek agreed that the vulnerabilities are serious but noted that crafting attacks is difficult. "It is going to take somebody with a great deal of knowledge to turn these vulnerabilities into exploits," he said.

This isn't the first flaw in Kerberos. In March, MIT warned of a "serious" bug in the telnet program supplied with Kerberos. Last August, a "critical" flaw was discovered and patched.

Earlier this month a vulnerability in another widely used software component exposed some of the same products to attack. That flaw affects the open-source "zlib" data compression technology. Using a specially crafted file, an attacker could take control over a computer or crash applications that use zlib.

    For many years now, we've talked about the many different problems today's web security system has based on the model of security certificates issued by Certificate Authorities. All you need is a bad Certificate Authority be trusted and a lot of bad stuff can happen. And it appears we've got yet another example. A message on Mozilla's security policy mailing list notes that a free certificate authority named WoSign appeared to be doing some pretty bad stuff, including handing out certificates for a base domain if someone merely had control over a subdomain. This was discovered by accident, but then tested on GitHub... and it worked.