Monday, 30 May 2016

02:25 by admin
A major flaw in CoreOS Linux Alpha has been fixed; the security team said the issue affects only Alpha releases in the 104x.0.0 series.
In the blog post "CoreOS Linux Alpha has a major remote SSH security issue; some users affected", the CoreOS security team described the problem as follows:
A misconfiguration of the PAM subsystem in CoreOS Linux Alpha 1045.0.0 and 1047.0.0 allowed an unauthorized user to access accounts without a password or any other required authentication token. The vulnerability affects some machines running CoreOS Linux Alpha.
According to the team, the problem was first reported at 20:21 on May 15, and fixes were available just six hours later. Machines running the CoreOS Linux Beta or Stable channels are not affected.
In an incident report published on May 19, CoreOS said that senior security engineer Matthew Garrett had received a notice that someone had "found a compromised system." The report said an attacker had logged in as the operator user and was "using the compromised system to send spam."
"At first we were puzzled, because the operator user is disabled, but we were also able to reproduce the issue internally," Garrett said. It was eventually found that any password would log someone in as operator and other core accounts, "even if the account has no password set at all."
Garrett narrowed the cause down to a commit in coreos-overlay that integrated Red Hat's System Security Services Daemon (SSSD) with CoreOS for user authentication. The root cause turned out to be a difference between Gentoo-based and Red Hat-based systems: the former ends its default PAM configuration with an optional pam_permit, whereas the latter ends with a mandatory pam_deny. In this case the imported configuration ultimately fell through to pam_permit, allowing the user to log in.
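To make the fall-through concrete, here is a small model of a Linux-PAM auth stack, added for illustration and not taken from CoreOS or its coreos-overlay configuration. The stub modules, the sample account data and the two stacks are constructed assumptions, and the control-flag rules are simplified; the stack ending in an optional pam_permit is evaluated beside the same chain ending in a required pam_deny.

```python
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"
LOCAL_USERS = {"core": "correct horse"}  # constructed sample shadow entries

# Stub modules standing in for the real PAM modules named on the page.
def pam_unix(user, password):
    # Succeeds only when the local entry matches; fails for unknown users
    # and for accounts with no usable password, like the disabled operator.
    return SUCCESS if LOCAL_USERS.get(user) == password else FAIL

def pam_sss(user, password):
    return IGNORE  # no directory configured, so SSSD has no opinion

def pam_permit(user, password):
    return SUCCESS

def pam_deny(user, password):
    return FAIL

def run_stack(stack, user, password):
    """Evaluate (control, module) pairs with simplified Linux-PAM rules.
    required:   a failure is remembered, later modules still run
    requisite:  a failure ends the stack immediately
    sufficient: success ends the stack unless a required module failed
    optional:   only counts if no other module has given a verdict"""
    verdict = None  # None: no module has spoken yet
    for control, module in stack:
        result = module(user, password)
        if result == IGNORE:
            continue
        if control == "requisite" and result == FAIL:
            return False
        if control == "required":
            if result == FAIL:
                verdict = False
            elif verdict is None:
                verdict = True
        elif control == "sufficient":
            if result == SUCCESS and verdict is not False:
                return True
        elif control == "optional" and verdict is None:
            verdict = result == SUCCESS
    return bool(verdict)

# Gentoo-style tail: a sufficient pam_unix failure is ignored, pam_sss is
# silent, and the trailing optional pam_permit turns "nobody spoke" into yes.
GENTOO_STYLE = [("sufficient", pam_unix), ("sufficient", pam_sss),
                ("optional", pam_permit)]
# Red Hat-style tail: the same chain, but ignored failures land on pam_deny.
REDHAT_STYLE = [("sufficient", pam_unix), ("sufficient", pam_sss),
                ("required", pam_deny)]
```

Running `run_stack(GENTOO_STYLE, "operator", "anything")` returns True while the pam_deny-terminated stack returns False, which is the difference the incident report describes.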
Explaining why this matters, Garrett said that although the operator user is disabled, the user "is still present on many UNIX-like systems and appears in many automated SSH attack scripts, so as long as an operator user exists it may be possible to log in without a valid password, which makes such systems more vulnerable to these automated attacks."
In a brief discussion on Hacker News, Kamil Choudhury asked: "Is this problem really worth such a fuss, or is my thinking wrong?"
Garrett replied that the reasons for believing alpha software is worse than other release channels are "not very credible".
I think one of the advantages of distributed computing is the ability to run alpha software on part of a deployment without fear that a bug will drag down the entire deployment. That lets users be more confident that a newly released stable version will not cause more trouble, and it also means users can move to the stable version more quickly, avoiding the security risks that continuing to run older software may bring.