
CERT Coordination Center

Microsoft Windows 2000 Telnet Service fails to reject oversized username input values

Vulnerability Note VU#405075

Original Release Date: 2001-09-18 | Last Revised: 2001-09-18


The Microsoft Windows 2000 Telnet Service contains a denial-of-service vulnerability that allows remote attackers to disrupt the telnet service on affected servers.


The Microsoft Windows 2000 Telnet Service contains a vulnerability in the section of code that performs range checking on incoming telnet session requests. By sending a large sequence of characters, the delete character (ASCII 0x7F), and an additional sequence of characters, it is possible to crash the Telnet Service.
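The advisory does not show the service's code, so the following is an added illustration (not Microsoft's or CERT/CC's code) of range checking on username input that includes delete characters: the write index is checked at both ends, and oversized input is rejected rather than truncated. The function name `read_username`, the 64-byte `USERNAME_MAX` limit, the status codes and the sample inputs are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 64    /* assumed limit; the advisory states none */
#define ASCII_BS     0x08
#define ASCII_DEL    0x7F

enum { READ_OK = 0, READ_TOO_LONG = -1, READ_INCOMPLETE = -2 };

/* Parse one login line from raw bytes. `out` must hold USERNAME_MAX + 1
 * bytes. Editing characters are applied, and both ends of the buffer are
 * range-checked: the index never drops below 0 and never passes the limit. */
int read_username(const unsigned char *in, size_t in_len, char *out)
{
    size_t len = 0;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        if (c == '\r' || c == '\n') {          /* end of line: accept */
            out[len] = '\0';
            return READ_OK;
        }
        if (c == ASCII_DEL || c == ASCII_BS) { /* erase previous character */
            if (len > 0)
                len--;                         /* lower bound */
            continue;
        }
        if (len >= USERNAME_MAX) {             /* upper bound, before the write */
            out[0] = '\0';
            return READ_TOO_LONG;              /* reject, do not truncate */
        }
        out[len++] = (char)c;
    }
    out[0] = '\0';
    return READ_INCOMPLETE;                    /* no line terminator seen */
}

int main(void)
{
    /* Constructed input: 200 filler bytes, DEL, 98 more bytes, newline. */
    unsigned char big[300];
    char name[USERNAME_MAX + 1];
    memset(big, 'A', 200);
    big[200] = ASCII_DEL;
    memset(big + 201, 'B', 98);
    big[299] = '\n';
    printf("oversized: %d\n", read_username(big, sizeof big, name));
    printf("edited: %d ", read_username((const unsigned char *)"alicx\x7f" "e\r\n", 9, name));
    printf("%s\n", name);
    return 0;
}
```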


This vulnerability allows a remote attacker to crash the Telnet Service, resulting in a denial-of-service condition.


Apply a patch from your vendor

Microsoft has released a patch for this vulnerability; for further information, please consult the systems affected section below.

Vendor Information



Updated:  September 14, 2001



Vendor Statement

Microsoft has addressed this vulnerability in the following Microsoft Security Bulletin

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has archived Microsoft's announcement of MS01-031 at

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A



This document was written by Jeffrey P. Lanza and is based on information provided by Microsoft and the BindView Razor Team.

Other Information

CVE IDs: CVE-2001-0348
Severity Metric: 27.56
Date Public: 2001-06-07
Date First Published: 2001-09-18
Date Last Updated: 2001-09-18 23:27 UTC
Document Revision: 11

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.