Microsoft Security

Microsoft Update Servers Left All Azure RHEL Instances Hackable (theregister.co.uk) 35

An anonymous reader shares a report on The Register: Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances. Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. During that process he noticed that an installation script Azure uses in its preconfigured RPM Package Manager contains build host information that allows attackers to find all four Red Hat Update Appliances, which expose REST APIs over HTTPS. From there Duffy found a package labeled PrepareRHUI (Red Hat Update Infrastructure) that runs on all Azure RHEL boxes and contains the rhui-monitor.cloud build host. Duffy accessed that host and found it had broken username and password authentication. This allowed him to access a backend log collector application, which returned logs and configuration files along with an SSL certificate that granted full administrative access to the four Red Hat Update Appliances. Duffy says all Azure RHEL images are configured without GPG validation checks, meaning all would accept malicious package updates on their next run of yum updates.
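The last point in the summary, that the images shipped without GPG validation, is something an image builder can check for and fix before a box ever runs yum. The following is an added example (not code from The Register's report, from Duffy, or from Microsoft's PrepareRHUI package) that audits a yum/dnf `.repo` file for enabled repositories that would accept unsigned packages and rewrites it with `gpgcheck=1` and a pinned `gpgkey`. The repo file, hostnames and key path are constructed placeholders, not Azure's real RHUI configuration.

```python
import configparser
import io

# Constructed sample .repo file (not the real Azure RHUI configuration): the first
# repo disables signature checking outright, the second simply omits the setting.
SAMPLE_REPO = """\
[rhui-rhel-7-server-rpms]
baseurl=https://rhui.example.invalid/rhel7/os
enabled=1
gpgcheck=0
[rhui-rhel-7-server-extras]
baseurl=https://rhui.example.invalid/rhel7/extras
enabled=1
"""

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)  # .repo files are INI syntax
    cp.read_string(text)
    return cp

def audit_repo_text(text):
    """Map each enabled repo that would accept unsigned packages to its findings."""
    findings = {}
    for name, sec in _load(text).items():
        if name == "DEFAULT" or sec.get("enabled", "1").strip() != "1":
            continue  # disabled repos cannot deliver packages to this host
        problems = []
        gpgcheck = sec.get("gpgcheck")
        if gpgcheck is None:
            problems.append("gpgcheck unset: inherits yum.conf [main], which must then be gpgcheck=1")
        elif gpgcheck.strip() != "1":
            problems.append("gpgcheck=%s: package signatures are not verified" % gpgcheck.strip())
        if not sec.get("gpgkey"):
            problems.append("gpgkey unset: no trusted signing key is pinned for this repo")
        if problems:
            findings[name] = problems
    return findings

def harden_repo_text(text, gpgkey):
    """Return the .repo text with gpgcheck=1 and a gpgkey on every enabled repo."""
    cp = _load(text)
    for name, sec in cp.items():
        if name != "DEFAULT" and sec.get("enabled", "1").strip() == "1":
            sec["gpgcheck"] = "1"
            if not sec.get("gpgkey"):
                sec["gpgkey"] = gpgkey  # pin the vendor key the image was built with
    out = io.StringIO()
    cp.write(out)  # emits 'key = value' lines, which yum and dnf both accept
    return out.getvalue()
```

Running `audit_repo_text` over every file in `/etc/yum.repos.d/` at image-build time turns the missing check into a build failure rather than a surprise at the next `yum update`; note that a signed package is still only as trustworthy as the key you pin.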
  • ... why would you go to Microsoft, instead of Amazon or someone else? Doesn't Red Hat have any cloud services?
    • Re: (Score:2, Informative)

      by Anonymous Coward

      They do it because Microsoft, with a laughably inferior cloud offering, resorts to FUD, bribery, and extortion to force companies to migrate to Azure.

      These companies usually endure it for a couple of years then migrate back.

    • Microsoft's management UI for their cloud services is actually really quite nice. Plus if you already have a paid developer account, you get a decent amount of time for free on Azure.

  • by TheDarkener ( 198348 ) on Monday November 28, 2016 @02:24PM (#53378629) Homepage

    Just kidding.

  • Is the Red Hat Certification any good for Linux jobs?
  • by WoodstockJeff ( 568111 ) on Monday November 28, 2016 @02:47PM (#53378805) Homepage

    ... that clouds are places to hide big rocks.

  • While this is a serious flaw and it is good to know that it has been fixed, it is easily avoidable. I can't speak for other Azure customers, but my organization does not use the default Microsoft OS images. We provide our own. If there is an issue in our base builds, it is because our internal security team screwed up.

    Azure is an okay platform, but it is also a very new platform. The old adage of "Trust but verify." definitely applies.

    I mostly trust that Microsoft can put together a clean Windows Server

    • I would not trust Microsoft to secure a Linux build.

      This^^^

      I can understand a business using Azure, but using MS-built RHEL images? Particularly when this is a relatively-new service/product MS offers? I'd think any competent admins at these companies would have been extremely wary given the MS track record on new builds of even their own code, never mind a linux system. I know I'd have kicked up a fuss and insisted on thorough testing and vetting of these builds before rolling them out to production servers. Maybe many did but were overruled by PHBs. In eit

      • by dave562 ( 969951 )

        I mean, it's MS...you *expect* that crap! Or, at least one should.

        Exactly. I say this all the time, "If Microsoft always got things right, I would be out of a job."

  • Microsoft loves Linux
