Major vulnerabilities of CoreOS Linux Alpha have been fixed

Source: Internet
Author: User

A major vulnerability in CoreOS Linux Alpha has been fixed. According to the CoreOS security team, the issue affected only the Alpha releases 1045.0.0 and 1047.0.0.

In the post "CoreOS Linux Alpha remote SSH has major security problems and some users are affected", the CoreOS Security Team described the problem as follows:

An incorrect configuration of the PAM subsystem in CoreOS Linux Alpha 1045.0.0 and 1047.0.0 allows unauthorized users to access accounts without a password or any other required authentication token. This vulnerability affects some machines running CoreOS Linux Alpha.

According to the team, the problem was first reported on May 15, and a fixed release was available only six hours later. Machines running the CoreOS Linux Beta or Stable channels are not affected.

In the incident report CoreOS published afterwards, senior security engineer Matthew Garrett said he had been notified that someone had "found a system under attack". The attackers had logged in as the operator user and were "using the compromised system to send spam".

"At first we were puzzled, because the operator user was disabled, but we were able to reproduce the problem internally," Garrett said. It turned out that anyone could log in to operator and other accounts with any password, "even if the account had no password set at all."

Garrett narrowed the cause down to a commit in coreos-overlay. To implement user authentication, Red Hat's System Security Services Daemon (SSSD) had to be integrated with CoreOS, and the commit ran into a difference between Gentoo-based and Red Hat-based systems: the former close their PAM configuration with an optional pam_permit, the latter with a required pam_deny. In the resulting configuration, a failed authentication fell through to pam_permit, and the user was logged in.
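How the two stack endings behave under PAM's control-flag rules, as an added example (not code from CoreOS or from Garrett's report): a small Python model of Linux-PAM's auth-stack evaluation applied to three constructed stacks. The first is a Gentoo-style stack closed by optional pam_permit, the second a Red Hat-style stack closed by required pam_deny, and the third an assumed reconstruction of the broken mix, Red Hat-style `sufficient` module lines inside a stack that still ends in pam_permit. The password table, the module stand-ins and the exact contents of the broken stack are assumptions made for illustration, not the actual CoreOS files.

```python
"""Simulate how Linux-PAM evaluates an auth stack: a Gentoo-style stack closed
by `optional pam_permit.so` versus a Red Hat-style stack closed by
`required pam_deny.so`. Added example, not code from CoreOS or the incident
report; the stacks and password table are constructed. Control-flag rules
follow pam.conf(5)."""

# Constructed shadow-style table: "operator" is disabled (no usable hash),
# "core" has a password. Plain strings stand in for crypt(3) hashes.
SHADOW = {"operator": "*", "core": "correct-horse"}

def pam_unix(user, password):
    """Local password check; locked accounts ('*' or '!') always fail."""
    stored = SHADOW.get(user)
    if stored is None or stored.startswith(("*", "!")):
        return False
    return stored == password

MODULES = {
    "pam_unix.so": pam_unix,
    "pam_sss.so": lambda user, password: False,   # no SSSD backend: unknown user
    "pam_permit.so": lambda user, password: True,
    "pam_deny.so": lambda user, password: False,
}

def parse_stack(text):
    """Parse pam.d-style 'auth <control> <module> [args]' lines; comments and
    other facilities (account, session, ...) are skipped."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        facility, control, module, *_args = line.split()
        if facility != "auth":
            continue
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unsupported control flag: {control!r}")
        stack.append((control, module))
    return stack

def authenticate(stack, user, password):
    """Walk the stack with PAM's control-flag rules. `decided` stays None until
    a module fixes the outcome: required/requisite failure fixes it to False
    (requisite also stops); sufficient success stops with True unless a
    required module already failed, and its failure is ignored; optional only
    counts while nothing else has decided. An undecided stack is denied."""
    decided = None
    for control, module in stack:
        ok = MODULES[module](user, password)
        if control in ("required", "requisite"):
            if not ok:
                decided = False
                if control == "requisite":
                    break
            elif decided is None:
                decided = True
        elif control == "sufficient" and ok and decided is not False:
            decided = True
            break
        elif control == "optional" and ok and decided is None:
            decided = True
    return decided is True

# Gentoo-derived stack as described in the report: closed by optional pam_permit.
GENTOO_STYLE = """
auth    required    pam_unix.so
auth    optional    pam_permit.so
"""

# Assumed reconstruction of the broken mix (not the actual CoreOS file):
# Red Hat-style `sufficient` lines in a stack still closed by pam_permit.
# Failed pam_unix and pam_sss are ignored, so pam_permit alone decides: success.
BROKEN_MIX = """
auth    sufficient  pam_unix.so
auth    sufficient  pam_sss.so
auth    optional    pam_permit.so
"""

# Red Hat-style stack: the same module lines, closed by required pam_deny.
REDHAT_STYLE = """
auth    sufficient  pam_unix.so
auth    sufficient  pam_sss.so
auth    required    pam_deny.so
"""

def results(user, password):
    """Map each stack name to whether it would grant this login attempt."""
    return {name: authenticate(parse_stack(text), user, password)
            for name, text in (("gentoo", GENTOO_STYLE),
                               ("broken_mix", BROKEN_MIX),
                               ("redhat", REDHAT_STYLE))}

if __name__ == "__main__":
    for user, pw in (("operator", "anything"), ("core", "wrong"),
                     ("core", "correct-horse")):
        print(f"{user:>8} / {pw:<13} -> {results(user, pw)}")
```

Running it shows that both the Gentoo-style and the Red Hat-style stacks refuse the locked operator account and a wrong password for core, while the broken mix accepts both: once every module ahead of pam_permit is `sufficient`, their failures are ignored and pam_permit is the only module left to decide. On a real system the equivalent check is to read the auth stack for the service under /etc/pam.d (following any `include` or `substack` lines) and confirm that it is closed by a `required pam_deny.so`, or that at least one module ahead of any pam_permit is `required`.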

Explaining why this matters, Garrett said that although the operator user is disabled, it "still exists on many UNIX systems and appears in many automated SSH attack scripts, so as long as there is an operator user it can be accessed without a valid password, which also makes such systems more vulnerable to these automated attacks."

In the Hacker News discussion of the report, Kamil Choudhury commented: "I think this is a big problem. Is my idea wrong?"

Garrett replied that there is "no very credible reason" to believe that alpha software is worse than other versions.

In my opinion, one of the advantages of distributed computing is that alpha and beta software can be run on part of a deployment without worrying that bugs will bring down the whole deployment. That way, users can be more confident that a new stable version of the software will not cause greater trouble, which also means they can move to the stable version sooner and avoid the security risks of continuing to run older software.

To that end, users need to be confident that the Alpha channel is not a release containing "a large number of security issues", Garrett said: "Although we did not do this, it is very important."


Major CoreOS Linux Alpha Vulnerability Patched
