Remote Bug Found In Ubuntu Kerberos
Trailrunner7 writes "There's a remote vulnerability in the Kerberos implementation in several versions of Ubuntu, which could allow an attacker to cause a denial-of-service on vulnerable servers. The bug is in Ubuntu 8.04, Ubuntu 9.10, Ubuntu 10.04 and Ubuntu 10.10. The bug is in the Ubuntu implementation of the Kerberos authentication protocol. Ubuntu has released a slew of new packages to fix the flaw. The group said that in most cases, a normal system update will add the new fixes."
Re: (Score:1, Insightful)
Sometimes I have the feeling that kernel level programmers only disclose bugs which they are able to use to discredit a competitive colleague. The remainder of the exploits they quietly continue to use.
Consider: who would know?
Re: (Score:3)
If there is one thing that the world has in abundance, those are it.
Re: (Score:3, Informative)
Kerberos is not in the Linux Kernel.
Re: (Score:1)
Good point. Also, sadly, not going to get looked at very closely due to the glennbeckishness of it.
Re: (Score:3)
There are very few cases where any problems occur, even with large updates. I'm not quite confident enough to update versi
Re:Responsible disclosure (Score:5, Informative)
The updates usually only fix things on disk and won't affect in-memory images of running executables.
post-install script: /sbin/service restart thing-i-just-fixed
Fortunately Linux doesn't have three zillion things running in the background that can't easily be restarted, unlike Windows.
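The comment above makes a point that matters for any patch, Kerberos included: the package update replaces files on disk, but a daemon that was already running keeps executing the old code until it is restarted. On Linux the kernel records exactly this situation, because a mapped file that has been replaced shows up in /proc/PID/maps with a "(deleted)" suffix. The script below is an added example written for this page, not code from the commenter or from Ubuntu; it scans that information to list processes that still map replaced files. The proc root is a parameter (defaulting to /proc) so the same function can be pointed at a copied tree; the filtering of /dev/, memfd and SysV shared-memory entries is an assumption about which "(deleted)" mappings are noise rather than stale binaries.

```shell
#!/bin/sh
# Added example: report processes that still map files which have been
# replaced or removed on disk, i.e. processes that need a restart after a
# package update. Reading other users' /proc/PID/maps requires root.
#
# Output: one line per affected process, "PID COMM path [path ...]".

find_stale_processes() {
    proc_root="${1:-/proc}"          # parameterised so a copied tree can be scanned

    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue   # unmatched glob or unreadable (not root)
        pid_dir="${maps%/maps}"
        pid="${pid_dir##*/}"

        # Field 6 of a maps line is the backing path; the kernel appends
        # " (deleted)" when that path no longer refers to the mapped inode.
        # Anonymous-style mappings (/dev/zero, memfd:, SYSV shm) are also
        # flagged "(deleted)" and are not evidence of a stale binary
        # (assumption: treat those three prefixes as noise).
        stale=$(grep ' (deleted)$' "$maps" 2>/dev/null \
            | awk '{ print $6 }' \
            | grep -v -e '^/dev/' -e '^/memfd:' -e '^/SYSV' \
            | sort -u \
            | paste -sd ' ')
        [ -n "$stale" ] || continue

        comm=$(cat "$pid_dir/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "$pid" "$comm" "$stale"
    done
}

# Run directly:  sudo sh stale-maps.sh --scan
if [ "${1:-}" = "--scan" ]; then
    find_stale_processes "${2:-/proc}"
fi
```

A non-empty line for the KDC process after installing the fixed krb5 packages means the fix is on disk but not yet in memory; the same check applies to libraries, since a daemon linked against a replaced shared object is just as stale as one whose own binary was replaced.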
Re: (Score:2)
But X Windows and similar stuff can't be restarted without killing off all the GUI apps.
Sure, but:
a) exploits in the X server seem fairly rare.
b) most home users log out every day in any case.
Pretty much anything other than the X server or kernel can be restarted without having to log out. The kernel can be patched while running, but Ubuntu doesn't support it as far as I'm aware.
Re: (Score:1)
The kernel can be patched while running, but Ubuntu doesn't support it as far as I'm aware.
Yes it does. [ksplice.com]
Re:Responsible disclosure (Score:4, Insightful)
Fortunately Linux doesn't have three zillion things running in the background that can't easily be restarted, unlike Windows.
Quite right, because Windows doesn't have a restart option like Linux. You have to manually type it as
net stop "service" && net start "service"
That is so much harder.
Re: (Score:2)
Except every piece of crap program on Windows wants to run its own helper/updater/taskbar crap which can't trivially be restarted.
Not to mention that any time you want to update a system DLL you have to reboot because Windows is so backward that you can't replace them while the OS is running.
Re: (Score:2)
If you look in Windows Task Manager you can see the processes and services running on your computer. Helpers/updaters/taskbar icons don't appear magically on screen. They have corresponding entries in the task manager lists. If it is a service, then the net start/stop code that I posted will work fine. If it is a process, then you can kill it with the "End Task" option. You might claim that this is not a trivial way of restarting, but then neither is having to type "/sbin/service restart thing-i-just-fixed"
Re: (Score:2)
If it is a service, then the net start/stop code that I posted will work fine. If it is a process, then you can kill it with the "End Task" option.
Except, of course, it won't be restarted -- it will remain in such state until you reboot or log in again (depending on what triggers the start). And nothing will happen with DLLs.
Re: (Score:2)
But this is starting to sound harder than a single command compared to Linux, isn't it now ;)
On the other hand, I don't recall ever having to issue this command after an update. The updates tend to handle it themselves. The ones that require reboots are a lot less common than they used to be.
Re: (Score:1)
google, or whatever.
ubuntu openssl security flaw, it was a Debian package.
I would have thought they would stop playing around patching that kind of stuff after the first cock-up.
"Security Warning: Serious flaw in Debian Linux OpenSSL Package
by Vivek Gite on May 13, 2008 3 comments
There is a serious security flaw in Debian openssl - the random number generator in Debian's openssl package is predictable. As a result, cryptographic key material may be guessable."
Dear MS trolls: (Score:3, Insightful)
Notice how this has already been patched before most of the world knew about it?
This is the difference in the GNU/Linux world and your world.
Love,
An ex-MS person that will never go back
Re: (Score:2, Interesting)
This difference is caused by the fact that hackers and malware programmers generally love GNU/Linux. Therefore they report the bug first, then disclose it to the public and never exploit it. For Windows bugs they do it exactly the other way around.
Re: (Score:2)
This difference is caused by the fact that hackers and malware programmers generally love GNU/Linux. Therefore they report the bug first, then disclose it to the public and never exploit it. For Windows bugs they do it exactly the other way around.
This is not the first time I've heard something like it, and I still don't understand it. How can all hackers and malware programmers "generally love" Linux so much that they don't attack Linux sites? Can this really be true? I don't see how, but for the sake of argument, assuming that statement is true, WHY would hackers and malware programmer loooovvvvvvvee Linux so much and not Microsoft that they protect Linux and attack Microsoft? Why?
Re: (Score:1)
Maybe because it's easier to feel like Robin Hood from their mom's basement while they're doing battle against the great Satan, Microsoft. They want their pet OS to have every advantage in making them feel superior to all the infidels who haven't been enlightened. But, do note, there's a difference between those who are capable of discovering and exploiting a memory corruption vulnerability by sifting through decompiled binaries, and dumb-ass kids who copy and paste SQL injections until one works with the
Re: (Score:2)
Windows is still the largest install base as well. For whatever reason OSX goes down quicker at Pwn2Own.
Re: (Score:2)
Which reminds me of someone who wrote a virus and accidentally infected themselves.
Re: (Score:2)
It's a big load of crap. It's exactly like saying armed robbers would report flaws in bank security because they love banks while knocking over gas stations, because they hate gas stations.
Re: (Score:2)
You think black hats have day jobs? Or that their own boxes aren't secured to the point that practically no flaw poses a serious threat?
Trolling the trolls: (Score:1)
Open sores? Can I have my Linux free of physical defects please?
Re:Dear MS trolls: (Score:4, Insightful)
It was discovered in (actually, discovered much earlier but acknowledged in) October 2010, thus the difference between the two worlds is that folks who discover Linux bugs tend not to share them with anyone but the vendor, and the folks who discover Windows bugs tell everyone and their dog, before even notifying Microsoft. Interestingly, often the same folks in both cases.
Thus, there's nothing wrong with our world. There's something wrong with the mindset of the white-hats.
Re: (Score:3, Informative)
Except that here back in reality we have multitudes of real, published news stories about the building animosity between MS and whitehats who try to disclose bugs that MS doesn't care about and/or recognize, or possibly just ignore until they get around to it. There's problem #1 with your argument.
Gosh, denial is a popular place (Score:5, Informative)
Except for the countless times that people have disclosed security problems to MS, found that MS didn't give a toss and finally after months release it to the public because if THEY know it, some one else might ALSO know it and be exploiting it.
But I guess a MS fanboy truly believes ignorance is bliss.
Re: (Score:3)
Security bugs?
Re: (Score:1)
In most projects, these are the bugs saying "make it more like Windows".
Re:Gosh, denial is a popular place (Score:5, Insightful)
Does your rant have any basis in reality?
I've not used Mac OS X for any significant length of time, but have been using Windows and Linux for years. Plenty of Windows software breaks on updates and/or becomes abandonware when the vendor goes out of business or stops making drivers for the older hardware on newer versions. One of the reasons I shifted my home PC to Linux was to escape all that nonsense of stuff you'd bought just suddenly stopping working on upgrade. Or degrading over time unless you do a complete re-install. I've always found Linux with its updates a breath of fresh air compared to the hassles of keeping Windows up and running. My hardware and peripherals keep working through many OS updates, user facing software is updated frequently. I assure you that Linux users would definitely be upset if user facing programs suddenly stopped working on update, so that seems a bizarre distinction to make.
And billions of dollars of software does run on Linux, I know we've got millions of dollars worth of software running on Linux just where I'm working. And there is that choice between running the latest and greatest, or stable but behind the curve with strong support from vendors.
Microsoft tends to tie its wagons together, despite having separate server and consumer versions.
Re: (Score:2)
Ubuntu contains bleeding-edge software. It's the Fedora of Debian-based distros. If you don't want updates to break things, run Debian Stable.
Re: (Score:2)
It was patched quickly after languishing for almost three years.
Being patched quickly after only three years seems pretty good compared to the average Windows exploit.
Re: (Score:2)
It was patched quickly after languishing for almost three years.
Being patched quickly after only three years seems pretty good compared to the average Windows exploit.
After 17 days of demonstrations in XP, Egypt.
And what about that regression bug (Score:1)
Get off your high horse, it's too big for you.
Re: (Score:2)
OH MY GOD not you again.
Why do I cower? What am I afraid of? When I close my eyes I see your dumb ass asking what I'm cowering about.
Just asking (Score:2)
Re:Just asking (Score:5, Informative)
It is MIT Kerberos, so yes. This came out last week.
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2011-002.txt [mit.edu]
ftfa (Score:5, Informative)
Kevin Longfellow and others discovered that the MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks when using an LDAP back end due to improper handling of network input.
certainly not a good thing, but this isn't a remote hole
Kerberos issue, Denial of Service, not critical (Score:5, Informative)
This is a Kerberos (server side) issue affecting vendors shipping Kerberos, not an Ubuntu specific issue. All 4 of the issues are denial of service only (which is bad for authentication infrastructure since you can basically prevent everyone from getting any work done). Nothing to get terribly worked up about.
http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-001.txt [mit.edu]
http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-002.txt [mit.edu]
No, it's Karmic, not Kerberos (Score:2)
That was my first thought, anyway. Silly letter-versions.
Update Manager has it (Score:2)
Just installed the patches. Nicely, nicely quickstuff.
Re: (Score:2)
I installed the patches before the article came out. Ubuntu has many failings, but time to first patch ain't one of them. Yes, I'm looking at you, Microsoft.
This is news? (Score:3, Informative)
Doesn't this happen all the time?
Slow News day.. (Score:1)