
Flaws could open systems to attack


Two serious security flaws in a technology widely used for network authentication could expose a swath of software products to hacker attack, experts have warned.

The flaws could allow an online intruder to crash or gain access to computers running Kerberos, a freely available authentication technology that was developed by the Massachusetts Institute of Technology.

MIT rates both flaws "critical," according to two advisories released Tuesday. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers "is believed to be difficult."

Several software makers have already released updates to their products to address the problem. Red Hat, Turbolinux and Gentoo have issued fixes for their Linux versions, for example. Sun Microsystems on Tuesday issued two alerts acknowledging that several versions of Solaris are vulnerable, but it does not have a patch available yet.

Because Kerberos is so widely used, more vendors are likely to publish security alerts, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. "I think you are going to see a floodgate of patches open," he said.

Microsoft also uses Kerberos, but its implementation is a homegrown version that is not affected by the flaws.

Both bugs affect Kerberos 5 Release 1.4.1 as well as earlier versions, according to MIT.

Independent security-monitoring company Secunia rates the issues "highly critical," its second most serious rating. The French Security Incident Response Team, or FrSIRT, deems the bugs "critical," its highest ranking.

Preventsys' Grayek agreed that the vulnerabilities are serious but noted that crafting attacks is difficult. "It is going to take somebody with a great deal of knowledge to turn these vulnerabilities into exploits," he said.

This isn't the first flaw in Kerberos. In March, MIT warned of a "serious" bug in the telnet program supplied with Kerberos. Last August, a "critical" flaw was discovered and patched.

Earlier this month a vulnerability in another widely used software component exposed some of the same products to attack. That flaw affects the open-source "zlib" data compression technology. Using a specially crafted file, an attacker could take control over a computer or crash applications that use zlib.
