Vulnerability Note VU#745371
Multiple vendor telnet daemons vulnerable to buffer overflow via crafted protocol options
The telnetd program is a server for the telnet remote virtual terminal protocol. There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. This vulnerability can crash the server, or be leveraged to gain root access.
There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. The buffer overflow occurs in the server's processing of protocol options. A function of the telnet daemon, 'telrcv', processes the protocol options. While handling them, the output that 'telrcv' produces is assumed to fit in a storage buffer whose bounds are not checked. The size of this buffer is statically defined.
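The defect described above, shown as an added example that is not telnetd's own code and not part of the original note: a minimal telrcv-style option loop that writes a three-byte refusal for every DO/WILL request into a fixed-size reply buffer, but checks for room before each write instead of assuming the replies fit. The buffer size (64), the function names and the constructed flood of option requests are assumptions for this example.

```c
#include <stddef.h>

/* Telnet command bytes (RFC 854). */
enum { IAC = 255, DONT = 254, DO = 253, WONT = 252, WILL = 251 };

/* Fixed-size reply buffer standing in for telnetd's statically sized output
 * buffer; 64 is a constructed size for this example, not telnetd's. */
#define NETOBUF_SIZE 64
struct netout { unsigned char buf[NETOBUF_SIZE]; size_t len; };

/* Minimal telrcv-style loop: each DO/WILL request gets a 3-byte IAC WONT/DONT
 * refusal. telnetd assumed the replies always fit; this hardened form checks
 * before each write and returns -1 instead of running off the end.
 * Otherwise returns the number of requests answered. */
int process_options(const unsigned char *in, size_t n, struct netout *o)
{
    int answered = 0;
    for (size_t i = 0; i < n; ) {
        if (in[i] != IAC) { i++; continue; }                     /* plain data */
        if (i + 1 < n && in[i + 1] == IAC) { i += 2; continue; } /* escaped 0xFF */
        if (i + 2 >= n) break;                                   /* truncated */
        unsigned char cmd = in[i + 1], opt = in[i + 2];
        if (cmd == DO || cmd == WILL) {
            if (o->len + 3 > sizeof o->buf)
                return -1;                            /* would overflow: stop */
            o->buf[o->len++] = IAC;
            o->buf[o->len++] = (cmd == DO) ? WONT : DONT;
            o->buf[o->len++] = opt;
            answered++;
        }
        i += 3;
    }
    return answered;
}

struct flood_result { int answered; size_t reply_len; };
/* Constructed input: `count` back-to-back IAC DO <opt> requests (capped at
 * 64), the traffic shape that drives a reply buffer past its size. */
struct flood_result answer_flood(size_t count, unsigned char opt)
{
    unsigned char in[3 * 64];
    struct netout o = { .len = 0 };
    if (count > 64) count = 64;
    for (size_t k = 0; k < count; k++) {
        in[3 * k] = IAC; in[3 * k + 1] = DO; in[3 * k + 2] = opt;
    }
    int a = process_options(in, 3 * count, &o);
    return (struct flood_result){ a, o.len };
}
```

With ten requests all thirty reply bytes fit; with thirty, the loop stops at 63 bytes and reports the overflow condition rather than writing past the buffer.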
TESO claims that they have a working exploit for the BSDI, FreeBSD, and NetBSD versions affected (see http://www.team-teso.net/advisories/teso-advisory-011.tar.gz). Their exploit has been publicly posted on the BugTraq mailing list. We have verified the exploit works against at least one target system.
An intruder can execute arbitrary code as the user running telnetd, typically root.
Install a patch from your vendor when available. Please continue to check this document for information available from the CERT/CC.
Disallow access to the telnet service (typically port 23/tcp) using firewall or packet-filtering technology. Blocking access to the telnet service will limit your exposure to attacks from outside your network perimeter. However, blocking port 23/tcp at a network perimeter would still allow any users, remote or local, within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements prior to deciding what changes are appropriate.
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple | Affected | 24 Jul 2001 | 04 Oct 2001 |
| BSDI | Affected | 23 Jul 2001 | 15 Aug 2001 |
| Caldera | Affected | 24 Jul 2001 | 20 Aug 2001 |
| Cisco | Affected | 24 Jul 2001 | 01 Feb 2002 |
| Conectiva | Affected | - | 27 Aug 2001 |
| Cray | Affected | - | 07 Sep 2001 |
| Debian | Affected | 24 Jul 2001 | 20 Aug 2001 |
| FreeBSD | Affected | 24 Jul 2001 | 21 Aug 2001 |
| Hewlett Packard | Affected | 24 Jul 2001 | 19 Oct 2001 |
| IBM | Affected | 24 Jul 2001 | 10 Aug 2001 |
| MIT Kerberos Development Team | Affected | - | 09 Aug 2001 |
| NetBSD | Affected | 24 Jul 2001 | 15 Aug 2001 |
| OpenBSD | Affected | 24 Jul 2001 | 15 Aug 2001 |
| RedHat | Affected | 24 Jul 2001 | 13 Aug 2001 |
| SGI | Affected | 24 Jul 2001 | 26 Jul 2001 |
The CERT Coordination Center thanks TESO, who published an advisory on this issue. We would also like to thank Jeff Polk <polk@BSDI.COM> for technical assistance.
This document was written by Ian A. Finlay & Jason Rafail.
- CVE IDs: CAN-2001-0554
- CERT Advisory: CA-2001-21
- Date Public: 18 Jul 2001
- Date First Published: 24 Jul 2001
- Date Last Updated: 16 Apr 2002
- Severity Metric: 74.81
- Document Revision: 42