|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
Vulnerability Note VU#291924
Multiple Telnet clients fail to properly handle the "LINEMODE" SLC suboption
OverviewMultiple Telnet clients contain a data length validation flaw which may allow a server to induce arbitrary code execution on the client host.
I. DescriptionThe Telnet network protocol is described in RFC854 and RFC855 as a general, bi-directional communications facility. The Telnet protocol is commonly used for command line login sessions between Internet hosts.
Many Telnet client implementations may be vulnerable to a flaw which may allow arbitrary code to be executed on the connected client. The Telnet server may supply a specially crafted reply containing a larger number of RFC1184 LINEMODE "Set Local Character" (SLC) suboption commands, which are not checked for proper length before being stored into a fixed length buffer. Affected Telnet clients possibly include the BSD Telnet implementation and the MIT Kerberos distribution.
The Telnet LINEMODE mode is enabled by default in a majority of modern Telnet clients and servers, and is often negotiated automatically before user input is required. Therefore, an attacker may be able to launch a vulnerable client, for example, through commands embedded in web pages such as an IFRAME with a "telnet:" URL, and exploit this flaw requiring only minimal or no user interaction.
II. ImpactA remote server may be able to execute arbitrary code under the permissions of the user running the Telnet client on the local host.
III. SolutionApply an update from your vendor
Patches, updates, and fixes are available from multiple vendors.
As a workaround, the client may explicitly disable the LINEMODE mode before connecting in order to prevent LINEMODE command processing. In addition, as a best practice clients should never connect to unknown servers.
Systems Affected
| Vendor | Status | Date Updated |
| Apple Computer, Inc. | Vulnerable | 1-Apr-2005 |
| Cray Inc. | Unknown | 29-Mar-2005 |
| Debian Linux | Vulnerable | 29-Mar-2005 |
| EMC Corporation | Unknown | 29-Mar-2005 |
| Engarde | Unknown | 29-Mar-2005 |
| F5 Networks, Inc. | Vulnerable | 2-May-2005 |
| FreeBSD, Inc. | Unknown | 29-Mar-2005 |
| Fujitsu | Unknown | 29-Mar-2005 |
| Hitachi | Unknown | 29-Mar-2005 |
| HP | Unknown | 29-Mar-2005 |
| IBM Corporation | Unknown | 29-Mar-2005 |
| IBM eServer | Unknown | 29-Mar-2005 |
| IBM zSeries | Unknown | 29-Mar-2005 |
| Immunix | Unknown | 29-Mar-2005 |
| Ingrian Networks, Inc. | Unknown | 29-Mar-2005 |
| Juniper Networks, Inc. | Unknown | 29-Mar-2005 |
| Mandriva, Inc. | Vulnerable | 1-Apr-2005 |
| Mandriva, Inc. | Unknown | 29-Mar-2005 |
| Microsoft Corporation | Not Vulnerable | 1-Apr-2005 |
| MiT Kerberos Development Team | Vulnerable | 29-Mar-2005 |
| MontaVista Software, Inc. | Unknown | 29-Mar-2005 |
| NEC Corporation | Unknown | 29-Mar-2005 |
| NetBSD | Unknown | 29-Mar-2005 |
| Nokia | Unknown | 29-Mar-2005 |
| Novell, Inc. | Unknown | 29-Mar-2005 |
| OpenBSD | Unknown | 29-Mar-2005 |
| Openwall GNU/*/Linux | Unknown | 29-Mar-2005 |
| Red Hat, Inc. | Vulnerable | 22-Dec-2005 |
| Sequent Computer Systems, Inc. | Unknown | 29-Mar-2005 |
| SGI | Unknown | 29-Mar-2005 |
| Sony Corporation | Unknown | 29-Mar-2005 |
| Sun Microsystems, Inc. | Vulnerable | 29-Mar-2005 |
| SUSE Linux | Unknown | 29-Mar-2005 |
| The SCO Group (SCO Linux) | Unknown | 29-Mar-2005 |
| The SCO Group (SCO Unix) | Unknown | 29-Mar-2005 |
| TurboLinux | Unknown | 29-Mar-2005 |
| Unisys | Unknown | 29-Mar-2005 |
| Wind River Systems, Inc. | Unknown | 8-Aug-2005 |
References
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
https://rhn.redhat.com/errata/RHSA-2005-327.html
http://secunia.com/advisories/14745/
http://web.mit.edu/kerberos/www/...s/MITKRB5-SA-2005-001-telnet.txt
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1
http://www.auscert.org.au/5134
Credit
Thanks to iDEFENSE Labs for reporting this vulnerability.
This document was written by Ken MacInnis.
Other Information
| Date Public | 03/28/2005 |
| Date First Published | 03/29/2005 06:01:41 PM |
| Date Last Updated | 12/22/2005 |
| CERT Advisory | |
| CVE Name | CVE-2005-0469 |
| US-CERT Technical Alerts | |
| Metric | 12.60 |
| Document Revision | 29 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|