Vulnerability Note VU#220816
MIT Kerberos 5 telnet daemon allows login as arbitrary user
Overview
A vulnerability exists in the version of the telnet daemon included with the MIT Kerberos 5 distribution that may allow a remote, unauthorized attacker to log on to the system with elevated privileges.
Description
A vulnerability exists in the version of the telnet daemon included with the MIT Kerberos 5 distribution that may allow a remote, unauthenticated user to log in as any valid user, including root. According to MIT krb5 Security Advisory MITKRB5-SA-2007-001:

The MIT krb5 telnet daemon fails to adequately check the provided username. A malformed username beginning with "-e" can be interpreted as a command-line flag by the login.krb5 program, which is executed by telnetd. This causes login.krb5 to execute part of the BSD rlogin protocol, where an arbitrary username may be injected, allowing login as that user without a password or any further authentication.
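The missing username check described above belongs to the argument-injection class. The following added example (not MIT's patch and not code from this note) shows the kind of validation a daemon can apply before handing a remote-supplied username to a login program; the function names, `MAX_USER_LEN`, `LOGIN_PATH` and the assumption that the login program honors a `--` end-of-options marker are all hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_USER_LEN 32               /* assumed limit for this example */
#define LOGIN_PATH   "/path/to/login" /* placeholder, not a real path */

/* Return 1 if name is safe to pass as a positional argument, else 0. */
int username_is_safe(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_USER_LEN)
        return 0;
    /* A leading '-' would be parsed as an option by the login program. */
    if (name[0] == '-')
        return 0;
    /* Conservative allow-list: letters, digits, '_', '.', interior '-'. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/*
 * Fill argv for the login program. Returns the argument count, or -1 if
 * the username is rejected or argv has fewer than 4 slots.
 */
int build_login_argv(const char *user, const char *argv[], size_t cap)
{
    if (cap < 4 || !username_is_safe(user))
        return -1;
    argv[0] = LOGIN_PATH;
    argv[1] = "--";  /* end of options; assumes getopt-style parsing */
    argv[2] = user;
    argv[3] = NULL;
    return 3;
}
```

The two checks are independent layers: the validation rejects the malformed name outright, and the `--` marker keeps a name from being read as a flag even if validation is later loosened.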
Impact
A remote attacker could log on to a vulnerable system via telnet with elevated privileges. This impact is limited to authenticated users if the telnet daemon is configured to only allow authenticated login.
Solution
Apply Patch
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian GNU/Linux | Affected | - | 04 Apr 2007 |
| Fedora Project | Affected | 21 Mar 2007 | 12 Apr 2007 |
| Gentoo Linux | Affected | 21 Mar 2007 | 04 Apr 2007 |
| Mandriva, Inc. | Affected | 21 Mar 2007 | 05 Apr 2007 |
| MIT Kerberos Development Team | Affected | 21 Mar 2007 | 03 Apr 2007 |
| Red Hat, Inc. | Affected | 21 Mar 2007 | 04 Apr 2007 |
| rPath | Affected | - | 05 Apr 2007 |
| Sun Microsystems, Inc. | Affected | 21 Mar 2007 | 23 Apr 2007 |
| SUSE Linux | Affected | 21 Mar 2007 | 05 Apr 2007 |
| Trustix Secure Linux | Affected | 21 Mar 2007 | 06 Apr 2007 |
| Ubuntu | Affected | 21 Mar 2007 | 04 Apr 2007 |
| AttachmateWRQ, Inc. | Not Affected | 21 Mar 2007 | 02 Apr 2007 |
| CyberSafe, Inc. | Not Affected | 21 Mar 2007 | 22 Mar 2007 |
| Force10 Networks, Inc. | Not Affected | 21 Mar 2007 | 28 Mar 2007 |
| Heimdal Kerberos Project | Not Affected | 21 Mar 2007 | 30 Mar 2007 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
- http://secunia.com/advisories/24757/
- http://secunia.com/advisories/24735/
- http://secunia.com/advisories/24750/
- http://secunia.com/advisories/24740/
- http://secunia.com/advisories/24755/
- http://securitytracker.com/alerts/2007/Apr/1017848.html
Credit
This issue was reported in MIT krb5 Security Advisory MITKRB5-SA-2007-001.
This document was written by Chris Taschner.
Other Information
- CVE IDs: CVE-2007-0956
- Date Public: 03 Apr 2007
- Date First Published: 03 Apr 2007
- Date Last Updated: 16 May 2007
- Severity Metric: 17.85
- Document Revision: 38