IMPORTANT: Remote root vulnerability in telnet daemons (CVE-2011-4862)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
SUMMARY
This is a preliminary advisory about a newly reported vulnerability. Due
to the holiday season, the vulnerability has not gone through full risk
assessment, and has not received a risk rating.
Multiple telnet daemon implementations based on the BSD telnetd suffer
from a vulnerability (CVE-2011-4862) that allows remote unauthenticated
attackers to gain root privileges on the server.
This vulnerability is known to be currently actively exploited by
intruders. Multiple exploits appear to have been developed, but none is
known to be publicly available.
RECOMMENDATIONS
No mitigating actions are available. We recommend that access to
vulnerable telnet servers is blocked, vendor patches are applied as they
are released, and that as far as possible, replacement services like ssh
are deployed.
AFFECTED COMPONENTS
The telnet daemon implementations from:
- FreeBSD
- Heimdal
- MIT-KRB
- GNU inetutils
are known to be vulnerable. The latter three are available on multiple
operating systems, including Linux.
In particular, /usr/kerberos/sbin/telnetd, provided by the
krb5-workstation package on RHEL5 and derivatives, appears to be
vulnerable.
However, the "ordinary" telnet daemon, /usr/sbin/in.telnetd, provided by
the telnet-server package, does NOT appear to be vulnerable.
It is probable that the OS X telnetd is also vulnerable.
It is likely that additional implementations will turn out to be
vulnerable, including embedded telnet servers in devices like printers
and switches.
PATCHES
Security patches are currently available from FreeBSD and from Debian
(for Heimdal, MIT-KRB and GNU inetutils).
DETAILS
During the negotiation of the telnet encryption option, the length of a
client-supplied key identifier is not checked by the server before the
identifier is written to a fixed-size memory buffer. This allows an
attacker to supply an oversized key identifier, which causes a buffer
overflow and overwrites critical memory areas with attacker-controlled
data.
Please note that the telnet encryption option is not directly related to
Kerberos; a server does not need to be kerberized to be vulnerable.
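The following is an added illustrative model of the defect described above, not code from the affected daemons or from this advisory: a fixed-size key-id buffer, the unchecked copy that the advisory describes, and a hardened handler that validates the client-supplied length before copying. Option and command numbers follow RFC 2946; the suboption layout, MAXKEYLEN value and function names are assumptions for this example, and IAC doubling inside suboption data is ignored.

```c
#include <string.h>

/* Constructed model of the telnet ENCRYPT option (RFC 2946 numbers). */
#define TELOPT_ENCRYPT    38
#define ENCRYPT_ENC_KEYID  7
#define ENCRYPT_DEC_KEYID  8
#define MAXKEYLEN         64   /* assumed fixed-size key-id buffer */

struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
};

/* The pattern the advisory describes: the client-supplied length is trusted
 * and copied into the fixed-size buffer with no bounds check, so any
 * len > MAXKEYLEN writes past the end of keyid. */
void keyid_store_unchecked(struct key_info *kp, const unsigned char *keyid, int len)
{
    memcpy(kp->keyid, keyid, (size_t)len);
    kp->keylen = len;
}

/* Hardened form: validate the length before anything is copied.
 * Returns 0 on success, -1 if the key id is rejected. */
int keyid_store_checked(struct key_info *kp, const unsigned char *keyid, int len)
{
    if (len < 0 || len > MAXKEYLEN)
        return -1;
    memcpy(kp->keyid, keyid, (size_t)len);
    kp->keylen = len;
    return 0;
}

/* Handle the payload of one suboption (the bytes between IAC SB and IAC SE):
 * sub[0] = option number, sub[1] = ENCRYPT command, sub[2..] = key id.
 * Returns the accepted key-id length, or -1 if this is not an ENCRYPT
 * key-id message or the key id does not fit the buffer. */
int handle_encrypt_suboption(struct key_info *kp, const unsigned char *sub, int sublen)
{
    if (sublen < 2 || sub[0] != TELOPT_ENCRYPT)
        return -1;
    if (sub[1] != ENCRYPT_ENC_KEYID && sub[1] != ENCRYPT_DEC_KEYID)
        return -1;
    if (keyid_store_checked(kp, sub + 2, sublen - 2) != 0)
        return -1;               /* oversized key id: reject, do not copy */
    return kp->keylen;
}
```

The same length test is what a network sensor would apply to flag an ENCRYPT key-id suboption longer than the buffer the daemon is known to use.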
--
Leif Nixon - EGI CSIRT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----