Vulnerability Note VU#220816

MIT Kerberos 5 telnet daemon allows login as arbitrary user

Original Release date: 03 Apr 2007 | Last revised: 16 May 2007

Overview

A vulnerability exists in the version of the telnet daemon included with the MIT Kerberos 5 distribution that may allow a remote, unauthorized attacker to log on to the system with elevated privileges.

Description

A vulnerability exists in the version of the telnet daemon included with the MIT Kerberos 5 distribution that may allow a remote, unauthenticated user to log in as any valid user, including root. According to MIT krb5 Security Advisory MITKRB5-SA-2007-001:

    The MIT krb5 telnet daemon fails to adequately check the provided username. A malformed username beginning with "-e" can be interpreted as a command-line flag by the login.krb5 program, which is executed by telnetd. This causes login.krb5 to execute part of the BSD rlogin protocol, where an arbitrary username may be injected, allowing login as that user without a password or any further authentication.

Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6.
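
The class of defect described in the advisory is option injection: a caller-supplied string reaches another program's argument vector in a position where it can be parsed as a flag. The following C sketch is an added example, not code from this note or from the MIT patch. It shows the two usual defenses in a daemon that hands a username to a login program: validate the name, and place an end-of-options marker before it. The helper names, the 32-character limit, the allowed character set, the placeholder path, and the assumption that the login program follows getopt conventions (where "--" ends option parsing) are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER_LEN 32 /* assumed policy limit, not taken from the advisory */

/* Hypothetical helper: return 1 if name may be passed as a positional argument. */
int username_is_safe(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_USER_LEN)
        return 0;
    if (name[0] == '-')          /* would otherwise be parsed as an option */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '-';
        if (!ok)                 /* rejects spaces, control bytes, '=' and so on */
            return 0;
    }
    return 1;
}

/* Hypothetical helper: fill argv for the login program.
 * Returns argc on success, -1 if the name is rejected or argv is too small. */
int build_login_argv(const char *login_path, const char *user,
                     const char **argv, size_t argv_cap)
{
    if (argv_cap < 4 || !username_is_safe(user))
        return -1;
    argv[0] = login_path;
    argv[1] = "--";              /* everything after this is an operand */
    argv[2] = user;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    const char *argv[4];
    const char *samples[] = { "alice", "-e", "bob smith" }; /* constructed inputs */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i],
               build_login_argv("/path/to/login.krb5", samples[i], argv, 4) < 0
                   ? "rejected" : "accepted");
    return 0;
}
```

Either check alone closes the leading-hyphen case; using both keeps the daemon safe if the called program's option parsing changes.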

Impact

A remote attacker could log on to a vulnerable system via telnet with elevated privileges. This impact is limited to authenticated users if the telnet daemon is configured to only allow authenticated login.

Solution

Apply Patch
A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-001. MIT also states that this will be addressed in the upcoming krb5-1.6.1 release.

Systems Affected

Vendor                          Status        Date Notified  Date Updated
Debian GNU/Linux                Affected      -              04 Apr 2007
Fedora Project                  Affected      21 Mar 2007    12 Apr 2007
Gentoo Linux                    Affected      21 Mar 2007    04 Apr 2007
Mandriva, Inc.                  Affected      21 Mar 2007    05 Apr 2007
MIT Kerberos Development Team   Affected      21 Mar 2007    03 Apr 2007
Red Hat, Inc.                   Affected      21 Mar 2007    04 Apr 2007
rPath                           Affected      -              05 Apr 2007
Sun Microsystems, Inc.          Affected      21 Mar 2007    23 Apr 2007
SUSE Linux                      Affected      21 Mar 2007    05 Apr 2007
Trustix Secure Linux            Affected      21 Mar 2007    06 Apr 2007
Ubuntu                          Affected      21 Mar 2007    04 Apr 2007
AttachmateWRQ, Inc.             Not Affected  21 Mar 2007    02 Apr 2007
CyberSafe, Inc.                 Not Affected  21 Mar 2007    22 Mar 2007
Force10 Networks, Inc.          Not Affected  21 Mar 2007    28 Mar 2007
Heimdal Kerberos Project        Not Affected  21 Mar 2007    30 Mar 2007

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

This issue was reported in MIT krb5 Security Advisory MITKRB5-SA-2007-001.

This document was written by Chris Taschner.

Other Information

  • CVE IDs: CVE-2007-0956
  • Date Public: 03 Apr 2007
  • Date First Published: 03 Apr 2007
  • Date Last Updated: 16 May 2007
  • Severity Metric: 17.85
  • Document Revision: 38
