Vulnerability Note VU#341908

Multiple Telnet Clients vulnerable to buffer overflow via the env_opt_add() function in telnet.c

Original Release date: 01 Apr 2005 | Last revised: 28 Jul 2005


Multiple Telnet clients contain a data length validation flaw that may allow a malicious server to execute arbitrary code on the client host with privs of client.


The Telnet network protocol is described in RFC854 and RFC855 as a general, bi-directional communications facility. The Telnet protocol is commonly used for command-line login sessions between Internet hosts.

Many Telnet clients are vulnerable to a buffer overflow condition.

The env_opt_add() function of telnet.c contains a 256-byte buffer that may be expanded to 512 bytes if needed. While checks are in place to ensure that the input buffer for this function is within the size allocated, the Telnet protocol may escape characters contained in the input buffer. If the number of characters escaped causes the resulting input to exceed the 512 byte allocated buffer, a heap overflow occurs.

Several Telnet clients derived from a variety of lineages are confirmed to be affected. Please review the "Systems Affected" section below, or consult with your vendor to determine if you are affected.


Exploitation of this vulnerability may permit a malicious server to execute arbitrary code with the privileges of the user that invoked the telnet client. An attacker would have to trick a victim into initiating a telnet connection using a vulnerable client. This may be accomplished with an HTML rendered email or web page, using the TELNET:// URI handler, however further user interaction may be required.


Apply a patch or upgrade as specified by your vendor.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Affected28 Mar 200501 Apr 2005
ConectivaAffected28 Mar 200506 Jun 2005
DebianAffected-04 Apr 2005
F5 NetworksAffected28 Mar 200503 May 2005
Fedora ProjectAffected-04 Apr 2005
FreeBSDAffected28 Mar 200530 Mar 2005
Gentoo LinuxAffected-01 Apr 2005
HeimdalAffected-21 Apr 2005
MandrakeSoftAffected28 Mar 200507 Apr 2005
MIT Kerberos Development TeamAffected-30 Mar 2005
OpenBSDAffected28 Mar 200507 Apr 2005
Openwall GNU/*/LinuxAffected28 Mar 200530 Mar 2005
Red Hat Inc.Affected28 Mar 200528 Jul 2005
SCO UnixAffected28 Mar 200514 Apr 2005
SGIAffected28 Mar 200527 Apr 2005
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Thanks to iDEFENSE Labs for reporting this vulnerability.

This document was written by Robert Mead and Jason Rafail, and is based on information in iDefense's advisory.

Other Information

  • CVE IDs: CAN-2005-0468
  • Date Public: 28 Mar 2005
  • Date First Published: 01 Apr 2005
  • Date Last Updated: 28 Jul 2005
  • Severity Metric: 29.95
  • Document Revision: 28


If you have feedback, comments, or additional information about this vulnerability, please send us email.