Remote Bug Found In Ubuntu Kerberos

Trailrunner7 writes "There's a remote vulnerability in the Kerberos implementation in several versions of Ubuntu, which could allow an attacker to cause a denial-of-service on vulnerable servers. The bug is in Ubuntu 8.04, Ubuntu 9.10, Ubuntu 10.04 and Ubuntu 10.10. The bug is in the Ubuntu implementation of the Kerberos authentication protocol. Ubuntu has released a slew of new packages to fix the flaw. The group said that in most cases, a normal system update will add the new fixes."

Dear MS trolls:

Notice how this has already been patched before most of the world knew about it?

This is the difference in the GNU/Linux world and your world.

Love,

An ex-MS person that will never go back

Re:Dear MS trolls:

This difference is caused by the fact that hackers and malware programmers generally love GNU/Linux. Therefor they report the bug first, then disclose it to the public and never exploit it. For Windows bugs they do it exactly the other way around.

Re:Dear MS trolls:

[steeleyeball]

All I know is, I installed the updates and never use Kerberos anyway so wasn't at risk to start with.

Re:Dear MS trolls:

[black3d]

It was discovered in (actually, discovered much earlier but acknowledged in) October 2010, thus the difference between the two worlds is that folks who discover Linux bugs tend not to share them with anyone but the vendor, and the folks who discover Windows bugs tells everyone and their dog, before even notifying Microsoft. Interestingly, often the same folks in both cases.

Thus, there's nothing wrong with our world. There's something wrong with the mindset of the white-hats.

Re:Dear MS trolls:

[steeleyeball]

Interesting, you said Lunix... http://lng.sourceforge.net/ instead of Linux http://www.linux.com/

Re:Dear MS trolls:

[0123456]

It was patched quickly after languishing for almost three years.

Being patched quickly after only three years seems pretty good compared to the average Windows exploit.

Re:Dear MS trolls:

[Johnny+Loves+Linux]

This difference is caused by the fact that hackers and malware programmers generally love GNU/Linux. Therefor they report the bug first, then disclose it to the public and never exploit it. For Windows bugs they do it exactly the other way around.

This is not the first time I've heard something like it, and I still don't understand it. How can all hackers and malware programmers "generally love" Linux so much that they don't attack Linux sites? Can this really be true? I don't see how, but for the sake of argument, assuming that statement is true, WHY would hackers and malware programmer loooovvvvvvvee Linux so much and not Microsoft that they protect Linux and attack Microsoft? Why?

Re:Dear MS trolls:

Except that here back in reality we have multitudes of real, published news stories about the building animosity between MS and whitehats who try to disclose bugs that MS doesn't care about and/or recognize, or possibly just ignore until they get around to it. There's problem #1 with your argument.

Re:Dear MS trolls:

[Sulphur]

It was patched quickly after languishing for almost three years.

Being patched quickly after only three years seems pretty good compared to the average Windows exploit.

After 17 days of demonstrations in XP, Egypt.

Re:Dear MS trolls:

[QuantumBeep]

OH MY GOD not you again.

Why do I cower? What am I afraid of? When I close my eyes I see your dumb ass asking what I'm cowering about.

Re:Dear MS trolls:

[TrancePhreak]

Because they use Linux and hide behind it. To expose its flaws would be to expose flaws in their defenses. At least, that's one way I've envisioned it.

Windows is still the largest install base as well. For whatever reason OSX goes down quicker at Pwn2Own.

Re:Dear MS trolls:

[smash]

Notice how the bug is not present in FreeBSD?

Re:Dear MS trolls:

[GameboyRMH]

It's a big load of crap. It's exactly like saying armed robbers would report flaws in bank security because they love banks while knocking over gas stations, because they hate gas stations.

Re:Dear MS trolls:

[IRWolfie-]

That doesn't make sense, just because they don't look at the flaws (even for themselves) doesn't mean they don't exist. (I'd imagine windows malware writers use windows for the most part)

Re:Dear MS trolls:

[GameboyRMH]

You think black hats have day jobs? Or that their own boxes aren't secured to the point that practically no flaw poses a serious threat?

Re:Dear MS trolls:

[TrancePhreak]

It's not that they might not be looking for the flaws, just that they don't want others to know about them. Smart malware writers work on a different system, communicating and testing on their target platform. This ensures the malware does not infect the development platform.

Which reminds me of someone who wrote a virus and accidentally infected themselves.

Re:Responsible disclosure

[HomelessInLaJolla]

Sometimes I have the feeling that kernel level programmers only disclose bugs which they are able to use to discredit a competitive colleague. The remainder of the exploits they quietly continue to use.

Consider: who would know?

Just asking

[scdeimos]

Isn't the krb5 package supplied from upstream? Could this affect other distributions?

Re:Just asking

[scdeimos]

Just to answer my own question, it seems Cannonical have their own maintainers for this. http://packages.ubuntu.com/maverick-updates/i386/krb5-kdc

Re:Just asking

[un1xl0ser]

It is MIT Kerberos, so yes. This came out last week.

http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2011-002.txt

ftfa

[Lehk228]

Keiichi Mori discovered that the MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial of service attack due to improper logic when a worker child process exited because of invalid network input.

Kevin Longfellow and others discovered that the MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks when using an LDAP back end due to improper handling of network input.

certainly not a good thing, but this isn't a remote hole

Re:ftfa

[ehntoo]

The title may be a wee bit misleading, but I don't see anything other than your post mentioning anything about a "hole".

Re:ftfa

[Lehk228]

more to clarify for anyone skimming the thread without RTFA that, as of yet anyways, there is no means to compromise a machine with this.

Trolling the trolls:

Open sores? Can I have my Linux free of physical defects please?

Re:Responsible disclosure

[fuzzyfuzzyfungus]

That would be a scary thought, except that it is a vulnerability that can be solved just by throwing more highly competitive assholes at the problem...

If there is one thing that the world has in abundance, those are it.

Re:Responsible disclosure

[Nerdfest]

I have a lot of packages installed on a variety of Ubuntu machines, and I'm actually surprised when it goes a few days without updates being available. I'm not saying that this is a bad thing ... I much prefer the instant fix model as opposed to MS and Adobe's batch based patch cycle, especially since I pretty much never need to reboot (on machines where it matters more I use KSplice).

There are very few cases where any problems occur, even with large updates. I'm not quite confident enough to update versions blindly on most machines, but I've done it a couple of times without a problem. It's pretty amazing how well the system works.

Kerberos issue, Denial of Service, not critical

[seifried]

This is a Kerberos (server side) issue affecting vendors shipping Kerberos, not an Ubuntu specific issue. All 4 of the issues are denial of service only (which is bad for authentication infrastructure since you can basically prevent everyone from getting any work done). Nothing to get terribly worked up about.

http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-001.txt

http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-002.txt

Re:Responsible disclosure

[isopropanol]

Kerberos is not in the Linux Kernel.

Re:Responsible disclosure

Just because a system has an update applied doesn't mean it's actually using it. The updates usually only fix things on disk and won't affect in-memory images of running executables.

And what about that regression bug

[judeancodersfront]

http://www.theregister.co.uk/2010/09/15/linux_kernel_regression_bug/

Get off your high horse, it's too big for you.

No, it's Karmic, not Kerberos

[Alternate+Interior]

That was my first thought, anyway. Silly letter-versions.

Re:Responsible disclosure

[0123456]

The updates usually only fix things on disk and won't affect in-memory images of running executables.

post-install script: /sbin/service restart thing-i-just-fixed

Fortunately Linux doesn't have three zillion things running in the background that can't easily be restarted, unlike Windows.

Re:Responsible disclosure

[Bobakitoo]

This is why the services are restarted after the new package is installed. The only patch that need a reboot are kernel fix.

Gosh, denial is a popular place

[SmallFurryCreature]

Except for the countless times that people have disclosed security problems to MS, found that MS didn't give a toss and finally after months release it to the public because if THEY know it, some one else might ALSO know it and be exploiting it.

But I guess a MS fanboy truly believes ignorance is bliss.

Re:Gosh, denial is a popular place

[TrancePhreak]

FOSS projects have the same mentality sometimes. I sometimes come across bugs that are marked WNF by the project maintainers.

Re:Gosh, denial is a popular place

[Trogre]

Security bugs?

Re:Gosh, denial is a popular place

[Noughmad]

In most projects, these are the bugs saying "make it more like Windows".

Re:Gosh, denial is a popular place

[unapersson]

Does your rant have any basis in reality?

I'm not used Mac OSX for any significant length of time, but have been using Windows and Linux for years. Plenty of Windows software breaks on updates and/or becomes abandonware when the vendor goes out of business or stops making drivers for the older hardware on newer versions. One of the reasons I shifted my home PC to Linux was to escape all that nonsense of stuff you'd bought just suddenly stopping working on upgrade. Or degrading over time unless you do a complete re-install. I've always found Linux with it's updates a breath of fresh air compared to the hassles of keeping Windows up and running. My hardware and peripherals keeps working through many OS updates, user facing software is updated frequently. I assure you that Linux users would definitely be upset if user facing programs suddenly stopped working on update, so that seems a bizarre distinction to make.

And billions of dollars of software does run on Linux, I know we've got millions of dollars worth of software running on Linux just where I'm working. And there is that choice between running the latest and greatest, for stable but behind the curve which strong support from vendors.

Microsoft tends to tie its wagons together, despite having separate server and consumer versions.

Re:Gosh, denial is a popular place

[GameboyRMH]

Ubuntu contains bleeding-edge software. It's the Fedora of Debian-based distros. If you don't want updates to break things, run Debian Stable.

Re:Gosh, denial is a popular place

[hairyfeet]

First of all, let me make this clear: nobody cares about the hardware because unless it is a multi-thousand dollar piece of equipment like a laser cutter it just gets shitcanned after 3 years anyway, same as nearly noone buys Windows retail they get it with a new box, next!

Second, again another bullshit logical fallacy Linux guys continue to pull, so please pay attention: WE ARE TALKING ABOUT THE DESKTOP: not the God damned server! Jesus, why is it Linux guys gotta bring in server into a totally unrelated conversation? Is it because they know it is the only place where it actually functions (and that is due to crazy hoop jumping by server hardware and software vendors to keep up with Linus twiddling with shit). It is like saying "I have a toaster!" when we are talking about truck design. I mean seriously WTF?

Now back to the subject at hand which is THE DESKTOP, and not cell phones, servers, embedded, or your toaster, the simple fact is that I have no trouble running decade old software on the latest and greatest. After installing Win 7 x64 for a ton of clients I ran into ONE app (a PITA version of QuickBooks) that refused to run, installed XP Mode and Tada! It "just works". Can you do that with even a 2 year old app? With Linux if the vendor doesn't jump through the hoops because Linus like twiddling with kernel guts you are well and truly fucked end of story.

To me Linux is a perfect example of why collaboration over the Internet just doesn't work, and this has NOTHING to do with FOSS, because from what I understand it isn't that way in BSD which is FOSS, nor is it this way in Solaris, where in both an app written years ago still "just works" and new apps will still run on the old.

With Linux instead of a cohesive vision and solid plans you have 50 million reinventing the wheel, 50 million little fiefdoms with bad attitudes and BOFH, and 50 million guys that don't care if they fuck everyone else up as long as THEIR itch is scratched, see Linus and his kernel twiddling as an example. Hell the man even says as a boast that Linus has NEVER been designed, it grows like a virus. Right, good plan there Linus, don't design squat just scratch your itches and let it grow like a fungus LOL!

So go ahead and waste modpoints while burying your collective heads in the sand, go ahead and call me names like shill and astroturfer, all for daring to point out your emperor is naked as a jay bird, it won't make 1+1=3 nor will it change reality. Reality is there is a damned good reason why Linux is at 1% and stagnant and it isn't a "conspiracy" and it isn't that people haven't tried, as Walmart and Best Buy and ASUS have all done. Nope it is because Linux is currently a fucking mess and anyone who dares to ask it be fixed is attacked by the mass of koolaid drinkers and zealots that treat it as a religion.

Constant driver breakage, the total mess that is audio with Pulse and ALSA and "update foo broke my" which leaves the user with a labyrinth of forums to navigate that if they are VERY lucky will give them some mess of CLI that A.-They are supposed to be able to understand well enough to "tweak" and B.-Be able to apply with making a single mistake for risk of boning the machine. And this isn't even bringing up my point that God help you if you base anything mission critical ON THE DESKTOP because it is just a mess.

So don't blame me that your OS has had FIFTEEN YEARS and gone exactly nowhere on the desktop. The only places it has gained is where a corp has been willing to either jump through the hoops (like in server, where Windows CALs make jumping through the hoops worthwhile) or in Embedded where they can just "TiVo trick" and only have to support a single device. But on the desktop it is frankly a mess and just isn't getting better, if anything its getting worse. Hell look at what EVERY Linux users trots out when someone says "Linux is too much of a PITA"? UBUNTU! Yes lets take the noob and stick him on an OS so bleeding edge the CD has stigmata, yeah, that's the ticket!

Re:Responsible disclosure

But X Windows and similar stuff can't be restarted without killing off all the GUI apps. So "Desktop Linux" is similar to Windows in this area. If X locks up or crashes almost everything that's "Desktop Linux" goes with it.

Re:Responsible disclosure

[Gadget_Guy]

Fortunately Linux doesn't have three zillion things running in the background that can't easily be restarted, unlike Windows.

Quite right, because Windows doesn't have a restart option like Linux. You have to manually type it as

net stop "service" && net start "service"

That is so much harder.

Re:Responsible disclosure

[jrumney]

I'm pretty sure Ubuntu can restart gdm without affecting running X sessions. So you won't get the updates to X until you log out and back in, but at least you will get them then.

Re:Responsible disclosure

[0123456]

But X Windows and similar stuff can't be restarted without killing off all the GUI apps.

Sure, but:

a) exploits in the X server seem fairly rare.
b) most home users log out every day in any case.

Pretty much anything other than the X server or kernel can be restarted without having to log out. The kernel can be patched while running, but Ubuntu doesn't support it as far as I'm aware.

Re:Responsible disclosure

[0123456]

Except every piece of crap program on Windows wants to run its own helper/updater/taskbar crap which can't trivially be restarted.

Not to mention that any time you want to update a system DLL you have to reboot because Windows is so backward that you can't replace them while the OS is running.

Update Manager has it

[grikdog]

Just installed the patches. Nicely, nicely quickstuff.

Re:Update Manager has it

[drinkypoo]

I installed the patches before the article came out. Ubuntu has many failings, but time to first patch ain't one of them. Yes, I'm looking at you, Microsoft.

Re:Responsible disclosure

[Gadget_Guy]

If you look in Windows Task Manager you can see the processes and services running on your computer. Helpers/updaters/taskbar icons don't appear magically on screen. They have corresponding entries in the task manager lists. If it is a service, then the net start/stop code that I posted will work fine. If it is a process, then you can kill it with the "End Task" option. You might claim that this is not trivial way of restarting, but then neither is having type type "/sbin/service restart thing-i-just-fixed" like the grandparent suggested.

Besides, any decent updater will run a separate process so that it can restart the code that it is updating automatically.

It is true that Windows can't overwrite DLLs that are in use, but I just had to reinstall an old XP system (including uninstalling the pre-installed bloatware then installing apps, drivers and service packs) and it was suprising how few times I had to reboot. Quite often when third party programs say you have to reboot after an install, it is simply not true.

Re:Responsible disclosure

[Alex+Belits]

If it is a service, then the net start/stop code that I posted will work fine. If it is a process, then you can kill it with the "End Task" option.

Except, of course, it won't be restarted -- it will remain in such state until you reboot or log in again (depending on what triggers the start). And nothing will happen with DLLs.

Re:Responsible disclosure

[enec]

The kernel can be patched while running, but Ubuntu doesn't support it as far as I'm aware.

Yes it does.

This is news?

[mr_lizard13]

Bug in software. Update fixes bug.

Doesn't this happen all the time?

Slow News day..

[sosaited]

The update was pushed to Automatic Updates and I installed it yesterday. Did a Windows fan-boy got just a bit too excited to see a Linux Vulnerability?

Re:Responsible disclosure

[Gadget_Guy]

But this is starting to sound harder than a single command compared to Linux, isn't it now ;)

On the other hand, I don't recall ever having to issue this command after an update. The updates tend to handle it themselves. The ones that require reboots are a lot less common than they used to be.

Re:Responsible disclosure

[oliverthered]

google, or whatever.

ubuntu openssl security flaw, it was a Debian package.

I would have thought they would stop playing around patching that kind of stuff after the first cock-up.

"Security Warning: Serious flaw in Debian Linux OpenSSL Package

by Vivek Gite on May 13, 2008 3 comments

There is a serious security flaw in Debian openssl - the random number generator in Debian's openssl package is predictable. As a result, cryptographic key material may be guessable."