
posted by n1 on Tuesday November 29 2016, @11:56AM   Printer-friendly
from the lost-my-keys dept.

Submitted via IRC for Bytram

Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances.

Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. [...] Duffy says all Azure RHEL images are configured without GPG validation checks, meaning all would accept malicious package updates on their next run of yum updates.

[...] Duffy found another vulnerability within the mandatory Microsoft Azure Linux Agent (WaLinuxAgent) which exposed API keys for debugging purposes.

[...] Duffy says he was paid less than US$3500 for the vulnerability disclosures under Microsoft's bug bounty but did not name a precise figure.

Source: The Register


Original Submission
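The weakness described above is a configuration one: a yum repository whose `gpgcheck` option is `0` (or a `[main]` default of `0` that repos inherit) installs whatever the mirror serves, signed or not. The following is an added example, not code from The Register, Ian Duffy, Microsoft or Red Hat. It builds a constructed sample config tree (repo names, URLs and the key path are placeholders), lists every enabled repo section that does not positively set `gpgcheck=1`, reports the `[main]` default, and rewrites `gpgcheck=0` lines to `1`. Pointing `find_unsigned_repos` and `main_default_gpgcheck` at `/etc` runs the same audit on a real host.

```shell
#!/bin/sh
# Added example (not from the article or the vendors): audit yum configuration
# for repositories that skip GPG signature verification and harden them.

# Constructed sample tree so the audit runs offline; every value is a placeholder.
make_sample_config() {
  dir=$(mktemp -d)
  printf '[main]\ngpgcheck=0\n' > "$dir/yum.conf"
  mkdir -p "$dir/yum.repos.d"
  cat > "$dir/yum.repos.d/weak.repo" <<'EOF'
[azure-base-constructed]
name=Constructed repo with signature checks disabled
baseurl=http://mirror.example.invalid/rhel/7/os
enabled=1
gpgcheck=0
EOF
  cat > "$dir/yum.repos.d/ok.repo" <<'EOF'
[rhel-server-constructed]
name=Constructed repo with signature checks enabled
baseurl=https://mirror.example.invalid/rhel/7/server
enabled=1
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-placeholder
EOF
  echo "$dir"
}

# Print "<file>:<section>" for each enabled repo section in <root>/yum.repos.d
# whose gpgcheck is not explicitly 1. A missing gpgcheck line is reported too
# (conservative: it inherits the [main] default, which may itself be 0).
# Returns 1 when at least one such repo exists, 0 otherwise.
find_unsigned_repos() {
  root=$1
  found=0
  for f in "$root"/yum.repos.d/*.repo; do
    [ -f "$f" ] || continue
    awk -v file="$f" '
      function report() {
        if (sec != "" && enabled != "0" && gpg != "1") { print file ":" sec; bad = 1 }
      }
      # New INI section: flush the previous one, reset per-repo state.
      /^\[/ { report(); sec = $0; sub(/^\[/, "", sec); sub(/\]$/, "", sec)
              enabled = "1"; gpg = ""; next }
      /^[[:space:]]*gpgcheck[[:space:]]*=/ { split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); gpg = kv[2] }
      /^[[:space:]]*enabled[[:space:]]*=/  { split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); enabled = kv[2] }
      END { report(); if (bad) exit 1 }
    ' "$f" || found=1
  done
  return $found
}

# Print the gpgcheck value set in the [main] section of <root>/yum.conf
# (empty output if none is set; yum then falls back to its built-in default).
main_default_gpgcheck() {
  awk -F= '
    /^\[/ { insec = ($0 == "[main]") }
    insec && /^[[:space:]]*gpgcheck[[:space:]]*=/ { v = $2; gsub(/[[:space:]]/, "", v); print v; exit }
  ' "$1/yum.conf"
}

# Rewrite every gpgcheck line in a repo or yum.conf file to gpgcheck=1.
# This fails closed: yum will refuse unsigned packages until the repo's signing
# key is supplied via gpgkey= and imported, which the administrator must verify.
harden_repo_file() {
  f=$1
  sed 's/^[[:space:]]*gpgcheck[[:space:]]*=.*/gpgcheck=1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Stand-alone demonstration on the constructed tree (real use: pass /etc).
demo_root=$(make_sample_config)
echo "[main] gpgcheck default: $(main_default_gpgcheck "$demo_root")"
find_unsigned_repos "$demo_root" || echo "-> the repos listed above accept unsigned packages"
```

On the constructed tree the audit flags only `weak.repo`; after `harden_repo_file` rewrites it, a second pass is clean. The check deliberately treats a repo that merely inherits the global default as unverified, so that a `[main]` section with `gpgcheck=0` (the situation the article describes) cannot hide behind per-repo silence.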

  • (Score: 2) by zocalo on Tuesday November 29 2016, @02:28PM

    by zocalo (302) on Tuesday November 29 2016, @02:28PM (#434464)
    I don't see how this has anything to do with anti-trust; they made a dumb mistake with the default configuration of their RHEL instance, that's all. I'm actually at a loss to figure out how they managed it since I can't recall ever having to manually enable GPG checks on a RHEL install as they seem to get enabled as part of the default install process, which implies that they changed the defaults somehow. Either they went in post-install and switched it off/broke it for some reason or (perhaps more likely) they took a stock Red Hat install and rolled their own version of it to include stuff like the Azure Linux Agent mentioned in TFS and missed a trick - easy to do given the huge number of configuration options in a typical server OS install and deployment.
    --
    UNIX? They're not even circumcised! Savages!
  • (Score: 2) by DannyB on Tuesday November 29 2016, @03:05PM

    by DannyB (5839) Subscriber Badge on Tuesday November 29 2016, @03:05PM (#434480) Journal

    This has everything to do with anti-trust if it was not a dumb mistake but more likely a deliberate plan. Remember this IS Microsoft we're talking about. Destroying competitors is in their DNA. It's deep. They cannot escape it.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 3, Insightful) by TheRaven on Tuesday November 29 2016, @03:19PM

      by TheRaven (270) on Tuesday November 29 2016, @03:19PM (#434490) Journal
      Unlikely. This is Azure, which employs a lot of Linux (and FreeBSD) developers. Most likely, they're rolling their own packages with tweaks for Azure and set their default image to fetch from there instead. They didn't bother adding a new signing key because (a) it's hard to do key management securely, and (b) they thought that there was no need given that they controlled the server, the client, and the network between the two. Only it turns out that that's not quite true.
      --
      sudo mod me up
    • (Score: 2) by zocalo on Tuesday November 29 2016, @04:53PM

      by zocalo (302) on Tuesday November 29 2016, @04:53PM (#434535)
      Yes, *IF* it was deliberate, but that's one hell of a stretch if you can manage to set aside the anti-MS sentiment when you think it through. The default RHEL install does not have this problem, so any failure here points straight back at those responsible for configuring and managing the Azure instances rather than the base RHEL build. Given that it's extremely unlikely that wouldn't come out if Microsoft had actually tried to use this to their advantage (which they have not) which would then reflect badly on them, what would be the point? To use the obligatory car analogy, trying to blame Red Hat instead of Microsoft for this would be like trying to blame the maker of the car after the driver had changed the wheels and one of them fell off while they were driving it.

      There are times and reasons to bash Microsoft, and even accuse them of anti-trust (the latest fun and games with Edge for users of Chrome and Firefox spring to mind), but this isn't one of them.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 2) by jcross on Tuesday November 29 2016, @07:23PM

        by jcross (4009) on Tuesday November 29 2016, @07:23PM (#434629)

        Yeah, I think you're probably right and in this case it's easy enough to presume incompetence rather than malice. A string of incidents like this could land them in hot water though, I'm just pointing out that they could stand to be a bit more cautious.

      • (Score: 2) by HiThere on Tuesday November 29 2016, @08:11PM

        by HiThere (866) Subscriber Badge on Tuesday November 29 2016, @08:11PM (#434658) Journal

        I don't find it much of a stretch...but it isn't inherently convincing, either. This is a case where I'm predisposed to believe MS did it on purpose, but I am well aware that this isn't because of evidence in this particular case.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 3, Insightful) by Gaaark on Tuesday November 29 2016, @03:23PM

    by Gaaark (41) on Tuesday November 29 2016, @03:23PM (#434492) Journal

    I don't see how this has anything to do with anti-trust; they made a dumb mistake

    Followed quickly by...

    I'm actually at a loss to figure out how they managed it

    Because... they did it on purpose?
    Make RedHat less secure by introducing their own 'malicious packages' and saying "Hey, businesses, RH is less secure than windows!"
    ANTI-TRUST!!!

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 0) by Anonymous Coward on Tuesday November 29 2016, @03:44PM

      by Anonymous Coward on Tuesday November 29 2016, @03:44PM (#434504)

      Actually even though this is labeled MS Azure, it's RedHat that manages the infrastructure for them.
      This is 100% RedHat's fault. They're liable for the day to day running of these things.

    • (Score: 3, Insightful) by Desler on Tuesday November 29 2016, @07:48PM

      by Desler (880) on Tuesday November 29 2016, @07:48PM (#434641)

      So then why would they have acknowledged the problem and fixed it? That seems to be a shitty way to sabotage them.

    • (Score: 0) by Anonymous Coward on Wednesday November 30 2016, @11:31AM

      by Anonymous Coward on Wednesday November 30 2016, @11:31AM (#434862)

      Make RedHat less secure by introducing their own 'malicious packages' and saying "Hey, businesses, RH is less secure than windows!"

      That's not how it works. It would be "Hey, MS Redhat is less secure than genuine Redhat".

      Besides, it takes a lot more than one hole to be less secure than Windows.