search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Multiple Telnet Clients vulnerable to buffer overflow via the env_opt_add() function in telnet.c

Vulnerability Note VU#341908

Original Release Date: 2005-04-01 | Last Revised: 2005-07-28

Overview

Multiple Telnet clients contain a data length validation flaw that may allow a malicious server to execute arbitrary code on the client host with privs of client.

Description

The Telnet network protocol is described in RFC854 and RFC855 as a general, bi-directional communications facility. The Telnet protocol is commonly used for command-line login sessions between Internet hosts.

Many Telnet clients are vulnerable to a buffer overflow condition.

The env_opt_add() function of telnet.c contains a 256-byte buffer that may be expanded to 512 bytes if needed. While checks are in place to ensure that the input buffer for this function is within the size allocated, the Telnet protocol may escape characters contained in the input buffer. If the number of characters escaped causes the resulting input to exceed the 512 byte allocated buffer, a heap overflow occurs.

Several Telnet clients derived from a variety of lineages are confirmed to be affected. Please review the "Systems Affected" section below, or consult with your vendor to determine if you are affected.

Impact

Exploitation of this vulnerability may permit a malicious server to execute arbitrary code with the privileges of the user that invoked the telnet client. An attacker would have to trick a victim into initiating a telnet connection using a vulnerable client. This may be accomplished with an HTML rendered email or web page, using the TELNET:// URI handler, however further user interaction may be required.

Solution

Apply a patch or upgrade as specified by your vendor.

Vendor Information

341908
 
Affected   Unknown   Unaffected

Apple Computer Inc.

Notified:  March 28, 2005 Updated:  April 01, 2005

Status

  Vulnerable

Vendor Statement

This is fixed in Security Update 2005-003, and further information is available from http://docs.info.apple.com/article.html?artnum=301061

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva

Notified:  March 28, 2005 Updated:  June 06, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Conectiva has released Linux Security Announcement CLA-2005:962 about this issue.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Updated:  April 04, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have confirmed with the vendor that very early versions of Debian shipped a Telnet client vulnerable to this issue. However, more recent and the current builds of Debian are not affected. However note, the Debian krb5 implementation includes a telnet client as well which is vulnerable. This will be fixed with an update. Version 1.2.4-5woody8 has the corrections to both CAN-2005-0468 and CAN-2005-0469.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks

Notified:  March 28, 2005 Updated:  May 03, 2005

Status

  Vulnerable

Vendor Statement

The telnet client vulnerabilities are considered local vulnerabilities on BIG-IP 4.x products and will be patched in releases 4.5.13 and 4.6.3.

BIG-IP 9.x, FirePass and TrafficShield are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fedora Project

Updated:  April 04, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Fedora update notification is available from https://www.redhat.com/archives/fedora-announce-list/2005-March/msg00088.html, the notification indicates that patches are available.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

FreeBSD has released FreeBSD-SA-05:01.telnet to address this issue. Please see ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux

Updated:  April 01, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Gentoo has released http://www.gentoo.org/security/en/glsa/glsa-200504-01.xml to address this issue.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Heimdal

Updated:  April 21, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

An advisory has been released for the Heimdal implementation of Kerbos 5 which includes a vulnerable telnet client implementation. The advisory is available at http://www.pdc.kth.se/heimdal/advisory/2005-04-20/ and indicates the vulnerability is fixed in version 0.6.4 of the product.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MIT Kerberos Development Team

Updated:  March 30, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-001-telnet.txt.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  March 28, 2005 Updated:  April 07, 2005

Status

  Vulnerable

Vendor Statement

Mandrakesoft has released http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:061 to address this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  March 28, 2005 Updated:  April 07, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.openbsd.org/errata.html number 014.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.openwall.com/Owl/CHANGES-current.shtml.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Notified:  March 28, 2005 Updated:  July 28, 2005

Status

  Vulnerable

Vendor Statement

Vendor Statement: Red Hat, Inc

Updates are available for Red Hat Enterprise Linux 2.1, 3 and 4 to correct this
issue. New telnet and Kerberos packages along with our advisory are available
at the URL below and by using the Red Hat Network 'up2date' tool.

http://rhn.redhat.com/errata/CAN-2005-0468.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://rhn.redhat.com/errata/RHSA-2005-330.html.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO Unix

Notified:  March 28, 2005 Updated:  April 14, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SCO has released a security advisory and patches for UnixWare 7.1.4, 7.1.3 and 7.1.1 to address this issue. The advisory can found at:

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21/SCOSA-2005.21.txt

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  March 28, 2005 Updated:  April 27, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has released Patch 10159 - SGI Advanced Linux Environment 3 Security
Update #33, for more information see:

ftp://patches.sgi.com/support/free/security/advisories/20050401-01-U.asc

SGI has released Patch 5892 for IRIX, for more information see:
ftp://patches.sgi.com/support/free/security/advisories/20050405-01-P.asc

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Notified:  March 28, 2005 Updated:  April 14, 2005

Status

  Vulnerable

Vendor Statement

Sun is impacted by the telnet(1) vulnerabilities described in CERT Vulnerability Notes VU#291924 and VU#341908. Sun has published two Sun Alerts for these issues which describe the impact, contributing factors, workaround options, and resolution details.

Sun Alert 57755 which is available here:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1

is for the telnet client shipped with Solaris. The second Sun Alert, 57761, is for the Kerberized telnet shipped with the SEAM product and is available here:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57761-1

The SEAM Sun Alert is currently unresolved but will be updated with patch details as soon as they are available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  March 28, 2005 Updated:  April 01, 2005

Status

  Not Vulnerable

Vendor Statement

We have investigated these reports and have determined that there are no Microsoft platforms affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

EMC Corporation

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM eServer

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM zSeries

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Immunix

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO Linux

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TurboLinux

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WRS

Notified:  March 28, 2005 Updated:  March 30, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to iDEFENSE Labs for reporting this vulnerability.

This document was written by Robert Mead and Jason Rafail, and is based on information in iDefense's advisory.

Other Information

CVE IDs: CVE-2005-0468
Severity Metric: 29.95
Date Public: 2005-03-28
Date First Published: 2005-04-01
Date Last Updated: 2005-07-28 21:01 UTC
Document Revision: 28

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.