Vulnerability Note VU#220816

MIT Kerberos 5 telnet daemon allows login as arbitrary user

Overview

A vulnerability exists in the version of the telnet daemon included with the MIT Kerberos 5 distribution that may allow a remote, unauthorized attacker to log on to the system with elevated privileges.

I. Description

A vulnerability exists version of the telnet daemon included with the MIT Kerberos 5 distribution that may allow a remote, unauthenticated user to login as any valid user, including root. According to MIT krb5 Security Advisory MITKRB5-SA-2007-001:

The MIT krb5 telnet daemon fails to adequately check the provided username. A malformed username beginning with "-e" can be interpreted as a command-line flag by the login.krb5 program, which is executed by telnetd. This causes login.krb5 to execute part of the BSD rlogin protocol, where an arbitrary username may be injected, allowing login as that user without a password or any further authentication.

Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6.

II. Impact

A remote attacker could log on to a vulnerable system via telnet with elevated privileges. This impact is limited to authenticated users if the telnet daemon is configured to only allow authenticated login.

III. Solution

Apply Patch

A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-001. MIT also states that this will be addressed in the upcoming krb5-1.6.1 release.

Systems Affected

Vendor	Status	Date Notified
3com, Inc.	Unknown	21-Mar-2007
Alcatel	Unknown	21-Mar-2007
Apple Computer, Inc.	Unknown	21-Mar-2007
AttachmateWRQ, Inc.	Not Vulnerable	2-Apr-2007
AT&T	Unknown	21-Mar-2007
Avaya, Inc.	Unknown	21-Mar-2007
Avici Systems, Inc.	Unknown	21-Mar-2007
Borderware Technologies	Unknown	21-Mar-2007
Charlotte's Web Networks	Unknown	21-Mar-2007
Check Point Software Technologies	Unknown	21-Mar-2007
Chiaro Networks, Inc.	Unknown	21-Mar-2007
Cisco Systems, Inc.	Unknown	21-Mar-2007
Clavister	Unknown	21-Mar-2007
Computer Associates	Unknown	21-Mar-2007
Conectiva Inc.	Unknown	21-Mar-2007
Cray Inc.	Unknown	21-Mar-2007
CyberSafe, Inc.	Not Vulnerable	22-Mar-2007
D-Link Systems, Inc.	Unknown	21-Mar-2007
Data Connection, Ltd.	Unknown	21-Mar-2007
Debian GNU/Linux	Vulnerable	4-Apr-2007
EMC, Inc. (formerly Data General Corporation)	Unknown	21-Mar-2007
Engarde Secure Linux	Unknown	21-Mar-2007
Ericsson	Unknown	21-Mar-2007
eSoft, Inc.	Unknown	21-Mar-2007
Extreme Networks	Unknown	21-Mar-2007
F5 Networks, Inc.	Unknown	21-Mar-2007
Fedora Project	Vulnerable	12-Apr-2007
Force10 Networks, Inc.	Not Vulnerable	28-Mar-2007
Fortinet, Inc.	Unknown	21-Mar-2007
Foundry Networks, Inc.	Unknown	21-Mar-2007
FreeBSD, Inc.	Unknown	21-Mar-2007
Fujitsu	Unknown	21-Mar-2007
Gentoo Linux	Vulnerable	4-Apr-2007
Global Technology Associates	Unknown	21-Mar-2007
Heimdal Kerberos Project	Not Vulnerable	30-Mar-2007
Hewlett-Packard Company	Not Vulnerable	16-May-2007
Hitachi	Not Vulnerable	2-Apr-2007
Hyperchip	Unknown	21-Mar-2007
IBM Corporation	Unknown	21-Mar-2007
IBM Corporation (zseries)	Unknown	21-Mar-2007
IBM eServer	Unknown	21-Mar-2007
Immunix Communications, Inc.	Unknown	21-Mar-2007
Ingrian Networks, Inc.	Unknown	21-Mar-2007
Intel Corporation	Unknown	21-Mar-2007
Internet Security Systems, Inc.	Unknown	21-Mar-2007
Intoto	Not Vulnerable	28-Mar-2007
IP Filter	Unknown	21-Mar-2007
Juniper Networks, Inc.	Not Vulnerable	28-Mar-2007
KTH Kerberos Team	Unknown	21-Mar-2007
Linksys (A division of Cisco Systems)	Unknown	21-Mar-2007
Lucent Technologies	Unknown	21-Mar-2007
Luminous Networks	Unknown	21-Mar-2007
Mandriva, Inc.	Vulnerable	5-Apr-2007
Microsoft Corporation	Not Vulnerable	28-Mar-2007
MIT Kerberos Development Team	Vulnerable	3-Apr-2007
MontaVista Software, Inc.	Unknown	21-Mar-2007
Multinet (owned Process Software Corporation)	Unknown	21-Mar-2007
Multitech, Inc.	Unknown	21-Mar-2007
NEC Corporation	Not Vulnerable	6-Apr-2007
NetBSD	Unknown	21-Mar-2007
netfilter	Unknown	21-Mar-2007
Network Appliance, Inc.	Unknown	21-Mar-2007
NextHop Technologies, Inc.	Unknown	21-Mar-2007
Nokia	Unknown	21-Mar-2007
Nortel Networks, Inc.	Unknown	21-Mar-2007
Novell, Inc.	Unknown	21-Mar-2007
OpenBSD	Unknown	21-Mar-2007
Openwall GNU/*/Linux	Not Vulnerable	28-Mar-2007
QNX, Software Systems, Inc.	Unknown	21-Mar-2007
Red Hat, Inc.	Vulnerable	4-Apr-2007
Redback Networks, Inc.	Unknown	21-Mar-2007
Riverstone Networks, Inc.	Unknown	21-Mar-2007
rPath	Vulnerable	5-Apr-2007
Secure Computing Network Security Division	Unknown	21-Mar-2007
Secureworx, Inc.	Unknown	21-Mar-2007
Silicon Graphics, Inc.	Unknown	21-Mar-2007
Slackware Linux Inc.	Unknown	21-Mar-2007
Sony Corporation	Unknown	21-Mar-2007
Stonesoft	Unknown	21-Mar-2007
Sun Microsystems, Inc.	Vulnerable	23-Apr-2007
SUSE Linux	Vulnerable	5-Apr-2007
Symantec, Inc.	Not Vulnerable	5-Apr-2007
The SCO Group	Unknown	21-Mar-2007
Trustix Secure Linux	Vulnerable	6-Apr-2007
Turbolinux	Unknown	21-Mar-2007
Ubuntu	Vulnerable	4-Apr-2007
Unisys	Unknown	21-Mar-2007
Watchguard Technologies, Inc.	Unknown	21-Mar-2007
Wind River Systems, Inc.	Unknown	21-Mar-2007
ZyXEL	Unknown	21-Mar-2007

References

http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
http://secunia.com/advisories/24757/
http://secunia.com/advisories/24735/
http://secunia.com/advisories/24750/
http://secunia.com/advisories/24740/
http://secunia.com/advisories/24755/
http://securitytracker.com/alerts/2007/Apr/1017848.html

Credit

This issue was reported in MIT krb5 Security Advisory MITKRB5-SA-2007-001.

This document was written by Chris Taschner.

Other Information

Date Public:	2007-04-03
Date First Published:	2007-04-03
Date Last Updated:	2007-05-16
CERT Advisory:
CVE-ID(s):	CVE-2007-0956
NVD-ID(s):	CVE-2007-0956
US-CERT Technical Alerts:
Metric:	17.85
Document Revision:	38

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2007 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader