An Interest In:
Web News this Week
- April 18, 2024
- April 17, 2024
- April 16, 2024
- April 15, 2024
- April 14, 2024
- April 13, 2024
- April 12, 2024
November 28, 2016 08:00 pm
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/lokFk7U-UD0/microsoft-update-servers-left-all-azure-rhel-instances-hackable
Microsoft Update Servers Left All Azure RHEL Instances Hackable
An anonymous reader shares a report on The Register: Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances. Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. During that process he noticed an installation script Azure uses in its preconfigured RPM Package Manager contains build host information that allows attackers to find all four Red Hat Update Appliances which expose REST APIs over HTTPS. From there Duffy found a package labeled PrepareRHUI (Red Hat Update Infrastructure) that runs on all Azure RHEL boxes, and contains the rhui-monitor.cloud build host. Duffy accessed that host and found it had broken username and password authentication. This allowed him to access a backend log collector application which returned logs and configuration files along with a SSL certificate that granted full administrative access to the four Red Hat Update Appliances. Duffy says all Azure RHEL images are configured without GPG validation checks meaning all would accept malicious package updates on their next run of yum updates.Read more of this story at Slashdot.
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/lokFk7U-UD0/microsoft-update-servers-left-all-azure-rhel-instances-hackable
Share this article:
Tweet
View Full Article
Slashdot
Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc..More About this Source Visit Slashdot