Stories
Slash Boxes
Comments

SoylentNews is people

Microsoft Update Servers Left All Azure RHEL Instances Hackable

posted by n1 on Tuesday November 29 2016, @11:56AM   Printer-friendly
from the lost-my-keys dept.

MrPlow writes:

Submitted via IRC for Bytram

Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances.

Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. [...] Duffy says all Azure RHEL images are configured without GPG validation checks meaning all would accept malicious package updates on their next run of yum updates.

[...] Duffy found another vulnerability within the mandatory Microsoft Azure Linux Agent (WaLinuxAgent) which exposed API keys for debugging purposes.

[...] Duffy says he was paid less than US$3500 for the vulnerability disclosures under Microsoft's bug bounty but did not name a precise figure.

Source: The Register

Original Submission

 
This discussion has been archived. No new comments can be posted.
Microsoft Update Servers Left All Azure RHEL Instances Hackable | Log In/Create an Account | Top | 17 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by zocalo on Tuesday November 29 2016, @04:53PM

    by zocalo (302) on Tuesday November 29 2016, @04:53PM (#434535)
    Yes, *IF* it was deliberate, but that's one hell of a stretch if you can manage to set aside the anti-MS sentiment when you think it though. The default RHEL install does not have this problem, so any failure here points straight back at those responsible for configuring and managing the Azure instances rather than the base RHEL build. Given that it's extremely unlikely that wouldn't come out if Microsoft had actually tried to use this to their advantage (which they have not) which would then reflect badly on them, what would be the point? To use the obligatory car analogy, trying to blame Red Hat instead of Microsoft for this would be like trying to blame the maker of the car after the driver had changed the wheels and one of them fell off while they were driving it.

    There are times and reasons to bash Microsoft, and even accuse them of anti-trust (the latest fun and games with Edge for users of Chrome and Firefox spring to mind), but this isn't one of them.
    --
    UNIX? They're not even circumcised! Savages!
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by jcross on Tuesday November 29 2016, @07:23PM

    by jcross (4009) on Tuesday November 29 2016, @07:23PM (#434629)

    Yeah, I think you're probably right and in this case it's easy enough to presume incompetence rather than malice. A string of incidents like this could land them in hot water though, I'm just pointing out that they could stand to be a bit more cautious.

  • (Score: 2) by HiThere on Tuesday November 29 2016, @08:11PM

    by HiThere (866) Subscriber Badge on Tuesday November 29 2016, @08:11PM (#434658) Journal

    I don't find it much of a stretch...but it isn't inherently convincing, either. This is a case where I'm predisposed to believe MS did it on purpose, but I am well aware that this isn't because of evidence in this particular case.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.