Slashdot Mirror


Remote Bug Found In Ubuntu Kerberos

Trailrunner7 writes "There's a remote vulnerability in the Kerberos implementation in several versions of Ubuntu, which could allow an attacker to cause a denial-of-service on vulnerable servers. The bug is in Ubuntu 8.04, Ubuntu 9.10, Ubuntu 10.04 and Ubuntu 10.10. The bug is in the Ubuntu implementation of the Kerberos authentication protocol. Ubuntu has released a slew of new packages to fix the flaw. The group said that in most cases, a normal system update will add the new fixes."


  1. Dear MS trolls: by Anonymous Coward · · Score: 3, Insightful

    Notice how this has already been patched before most of the world knew about it?

    This is the difference in the GNU/Linux world and your world.

    Love,

    An ex-MS person that will never go back

    1. Re:Dear MS trolls: by Anonymous Coward · · Score: 2, Interesting

      This difference is caused by the fact that hackers and malware programmers generally love GNU/Linux. Therefore they report the bug first, then disclose it to the public and never exploit it. For Windows bugs they do it exactly the other way around.

    2. Re:Dear MS trolls: by black3d · · Score: 3, Insightful

      It was discovered in (actually, discovered much earlier but acknowledged in) October 2010, thus the difference between the two worlds is that folks who discover Linux bugs tend not to share them with anyone but the vendor, and the folks who discover Windows bugs tell everyone and their dog, before even notifying Microsoft. Interestingly, often the same folks in both cases.

      Thus, there's nothing wrong with our world. There's something wrong with the mindset of the white-hats.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    3. Re:Dear MS trolls: by steeleyeball · · Score: 2

      Interesting, you said Lunix... http://lng.sourceforge.net/ instead of Linux http://www.linux.com/

    4. Re:Dear MS trolls: by Anonymous Coward · · Score: 3, Informative

      Except that here back in reality we have multitudes of real, published news stories about the building animosity between MS and whitehats who try to disclose bugs that MS doesn't care about and/or recognize, or possibly just ignore until they get around to it. There's problem #1 with your argument.

    5. Re:Dear MS trolls: by smash · · Score: 2

      Notice how the bug is not present in FreeBSD?

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  2. Re:Just asking by scdeimos · · Score: 4, Informative

    Just to answer my own question, it seems Canonical have their own maintainers for this. http://packages.ubuntu.com/maverick-updates/i386/krb5-kdc

  3. ftfa by Lehk228 · · Score: 5, Informative

    Keiichi Mori discovered that the MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial of service attack due to improper logic when a worker child process exited because of invalid network input.

    Kevin Longfellow and others discovered that the MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks when using an LDAP back end due to improper handling of network input.

    certainly not a good thing, but this isn't a remote hole

    --
    Snowden and Manning are heroes.
    1. Re:ftfa by Lehk228 · · Score: 2

      more to clarify for anyone skimming the thread without RTFA that, as of yet anyways, there is no means to compromise a machine with this.

      --
      Snowden and Manning are heroes.
  4. Re:Responsible disclosure by fuzzyfuzzyfungus · · Score: 2

    That would be a scary thought, except that it is a vulnerability that can be solved just by throwing more highly competitive assholes at the problem...

    If there is one thing that the world has in abundance, those are it.

  5. Re:Responsible disclosure by Nerdfest · · Score: 2

    I have a lot of packages installed on a variety of Ubuntu machines, and I'm actually surprised when it goes a few days without updates being available. I'm not saying that this is a bad thing ... I much prefer the instant fix model as opposed to MS and Adobe's batch based patch cycle, especially since I pretty much never need to reboot (on machines where it matters more I use KSplice).

    There are very few cases where any problems occur, even with large updates. I'm not quite confident enough to update versions blindly on most machines, but I've done it a couple of times without a problem. It's pretty amazing how well the system works.

  6. Re:Just asking by un1xl0ser · · Score: 4, Informative

    It is MIT Kerberos, so yes. This came out last week.

    http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2011-002.txt

    --
    v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
  7. Kerberos issue, Denial of Service, not critical by seifried · · Score: 5, Informative

    This is a Kerberos (server side) issue affecting vendors shipping Kerberos, not an Ubuntu specific issue. All 4 of the issues are denial of service only (which is bad for authentication infrastructure since you can basically prevent everyone from getting any work done). Nothing to get terribly worked up about.

    http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-001.txt

    http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-002.txt

  8. Re:Responsible disclosure by isopropanol · · Score: 3, Informative

    Kerberos is not in the Linux Kernel.

  9. Re:Responsible disclosure by Anonymous Coward · · Score: 2, Interesting

    Just because a system has an update applied doesn't mean it's actually using it. The updates usually only fix things on disk and won't affect in-memory images of running executables.

  10. Re:Responsible disclosure by 0123456 · · Score: 4, Informative

    The updates usually only fix things on disk and won't affect in-memory images of running executables.

    post-install script: /sbin/service restart thing-i-just-fixed

    Fortunately Linux doesn't have three zillion things running in the background that can't easily be restarted, unlike Windows.

  11. Re:Responsible disclosure by Bobakitoo · · Score: 2

    This is why the services are restarted after the new package is installed. The only patches that need a reboot are kernel fixes.
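
The restart point in the last three comments (on-disk files change, the in-memory copy does not) can be checked rather than trusted. The script below is an added example, not code from the thread or from Ubuntu: dpkg writes each new file and renames it over the old one, so a process that loaded the old file keeps the old, now-unlinked inode, and the kernel reports that in /proc as "<path> (deleted)". The script lists processes whose executable or mapped libraries show that marker, which is exactly the set a post-install service restart should have covered. It is Linux-only, and the demonstration at the bottom is a constructed case (a private copy of sleep, deleted while running) rather than a real package update.

```shell
#!/bin/sh
# Added example (not from the thread): find processes still running code
# that has since been replaced or deleted on disk. Linux-only: reads /proc.

# Path of a PID's executable as the kernel sees it; empty if unreadable.
# A replaced binary shows up as "/path/to/bin (deleted)".
exe_path() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Exit 0 if the PID's executable was deleted or replaced since it started.
exe_is_stale() {
    case "$(exe_path "$1")" in
        *" (deleted)") return 0 ;;
        *)             return 1 ;;
    esac
}

# Mapped files (shared libraries, etc.) of a PID that no longer exist on
# disk. memfd, SysV shm and device mappings also carry "(deleted)" but are
# not files a package update can replace, so they are filtered out.
stale_mappings() {
    grep ' (deleted)$' "/proc/$1/maps" 2>/dev/null \
        | awk '{ $1 = $2 = $3 = $4 = $5 = ""; sub(/^ +/, ""); print }' \
        | grep -v -e '^/memfd:' -e '^/dev/' -e '^/SYSV' \
        | sort -u
}

# One line per process that needs a restart: "PID COMM REASON".
scan_stale_processes() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        if exe_is_stale "$pid"; then
            echo "$pid $comm executable replaced on disk"
        elif [ -n "$(stale_mappings "$pid")" ]; then
            echo "$pid $comm mapped library replaced on disk"
        fi
    done
}

# Wait (bounded) until PID has exec'd PATH, so the demo does not delete the
# file before the child has opened it.
wait_for_exec() {
    i=0
    while [ "$(exe_path "$1")" != "$2" ] && [ "$i" -lt 50 ]; do
        sleep 0.1
        i=$((i + 1))
    done
}

# Constructed demonstration: run a private copy of sleep, delete the copy,
# and confirm the running process is flagged while this shell is not.
demo() {
    tmp=$(cd "$(mktemp -d)" && pwd -P)
    cp "$(command -v sleep)" "$tmp/sleep"
    "$tmp/sleep" 30 &
    pid=$!
    wait_for_exec "$pid" "$tmp/sleep"
    rm "$tmp/sleep"
    if exe_is_stale "$pid" && ! exe_is_stale "$$"; then
        echo "stale executable detected: pid $pid -> $(exe_path "$pid")"
        rc=0
    else
        echo "detection failed for pid $pid"
        rc=1
    fi
    kill "$pid" 2>/dev/null || true
    rmdir "$tmp" 2>/dev/null || true
    return "$rc"
}

demo
```

Run it as root after an update to see every service that still maps an old library; processes it cannot read (other users' /proc entries) are silently skipped, which is why the full scan is only meaningful with root.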

  12. Gosh, denial is a popular place by SmallFurryCreature · · Score: 4, Informative

    Except for the countless times that people have disclosed security problems to MS, found that MS didn't give a toss and finally after months release it to the public because if THEY know it, someone else might ALSO know it and be exploiting it.

    But I guess a MS fanboy truly believes ignorance is bliss.

    --
    MMO Quests are like orgasms:
    You may solo them, I prefer them in a group.

    1. Re:Gosh, denial is a popular place by TrancePhreak · · Score: 2

      FOSS projects have the same mentality sometimes. I sometimes come across bugs that are marked WNF by the project maintainers.

      --
      -]Phreak Out[-
    2. Re:Gosh, denial is a popular place by Trogre · · Score: 2

      Security bugs?

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    3. Re:Gosh, denial is a popular place by unapersson · · Score: 4, Insightful

      Does your rant have any basis in reality?

      I've not used Mac OSX for any significant length of time, but have been using Windows and Linux for years. Plenty of Windows software breaks on updates and/or becomes abandonware when the vendor goes out of business or stops making drivers for the older hardware on newer versions. One of the reasons I shifted my home PC to Linux was to escape all that nonsense of stuff you'd bought just suddenly stopping working on upgrade. Or degrading over time unless you do a complete re-install. I've always found Linux with its updates a breath of fresh air compared to the hassles of keeping Windows up and running. My hardware and peripherals keep working through many OS updates, user facing software is updated frequently. I assure you that Linux users would definitely be upset if user facing programs suddenly stopped working on update, so that seems a bizarre distinction to make.

      And billions of dollars of software does run on Linux, I know we've got millions of dollars worth of software running on Linux just where I'm working. And there is that choice between running the latest and greatest, or stable but behind the curve with strong support from vendors.

      Microsoft tends to tie its wagons together, despite having separate server and consumer versions.

  13. Re:Responsible disclosure by Gadget_Guy · · Score: 3, Insightful

    Fortunately Linux doesn't have three zillion things running in the background that can't easily be restarted, unlike Windows.

    Quite right, because Windows doesn't have a restart option like Linux. You have to manually type it as

    net stop "service" && net start "service"

    That is so much harder.

  14. This is news? by mr_lizard13 · · Score: 3, Informative

    Bug in software. Update fixes bug.

    Doesn't this happen all the time?

    --
    "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman