
CERT Coordination Center


Multiple vendor telnet daemons vulnerable to buffer overflow via crafted protocol options

Vulnerability Note VU#745371

Original Release Date: 2001-07-24 | Last Revised: 2002-04-16

Overview

The telnetd program is a server for the telnet remote virtual terminal protocol. There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. This vulnerability can crash the server, or be leveraged to gain root access.

Description

There is a remotely exploitable buffer overflow in telnet daemons derived from BSD source code. The overflow occurs in the server's processing of telnet protocol options, which is handled by the daemon's 'telrcv' function. While processing options, the output that 'telrcv' produces is assumed to fit in a storage buffer whose size is fixed at compile time, and no bounds check enforces that assumption.
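The defect class described above is an append into a fixed-size reply buffer with no check that the next reply still fits. The following is an added illustration, not the BSD telrcv source: a simplified, stateless telnet option-negotiation receiver whose reply buffer is bounds-checked, so that a burst of negotiation requests in one packet is refused rather than overflowing the buffer. The option policy, buffer size and helper names (`reply_append`, `telnet_receive`, `run_burst`) are constructed for this example.

```c
/* Added illustration (not the BSD telrcv source): a simplified telnet
 * option-negotiation receiver whose reply buffer is bounds-checked.
 * reply_append() is where the missing check belongs. Option policy and
 * buffer size are constructed for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Telnet command bytes (RFC 854). */
enum { SE = 240, SB = 250, WILL = 251, WONT = 252, DO = 253, DONT = 254, IAC = 255 };

/* Deliberately small so the limit is easy to reach in a demonstration. */
#define REPLY_BUF_SIZE 64

struct reply_buf {
    unsigned char data[REPLY_BUF_SIZE];
    size_t len;
};

/* Append n bytes to the reply buffer. Returns 0 on success, -1 if the
 * bytes do not fit. An unchecked version of this append is the bug. */
static int reply_append(struct reply_buf *rb, const unsigned char *bytes, size_t n)
{
    if (n > sizeof rb->data - rb->len)
        return -1;
    memcpy(rb->data + rb->len, bytes, n);
    rb->len += n;
    return 0;
}

/* Constructed policy: the server only knows TERMINAL-TYPE (24) and NAWS (31). */
static int option_supported(unsigned char opt)
{
    return opt == 24 || opt == 31;
}

/* Reply command for an incoming negotiation command (stateless; a real
 * server also tracks per-option state per RFC 1143 to avoid loops). */
int reply_cmd_for(unsigned char cmd, unsigned char opt)
{
    switch (cmd) {
    case DO:   return option_supported(opt) ? WILL : WONT;
    case WILL: return option_supported(opt) ? DO : DONT;
    case DONT: return WONT;
    case WONT: return DONT;
    default:   return -1;
    }
}

/* Process one chunk of client input, queueing replies in rb.
 * Returns the number of replies generated, or -1 if a reply would not
 * fit (the caller must flush the buffer or drop the connection). */
int telnet_receive(const unsigned char *in, size_t in_len, struct reply_buf *rb)
{
    int replies = 0;
    size_t i = 0;
    while (i < in_len) {
        if (in[i] != IAC) { i++; continue; }          /* ordinary data byte */
        if (i + 1 >= in_len) break;                   /* truncated; wait for more */
        unsigned char cmd = in[i + 1];
        if (cmd == IAC) { i += 2; continue; }         /* escaped 0xFF data byte */
        if (cmd == DO || cmd == DONT || cmd == WILL || cmd == WONT) {
            if (i + 2 >= in_len) break;
            unsigned char opt = in[i + 2];
            unsigned char reply[3] = { IAC, (unsigned char)reply_cmd_for(cmd, opt), opt };
            if (reply_append(rb, reply, sizeof reply) != 0)
                return -1;
            replies++;
            i += 3;
        } else if (cmd == SB) {
            /* Skip the subnegotiation body up to IAC SE; not interpreted here. */
            size_t j = i + 2;
            while (j + 1 < in_len && !(in[j] == IAC && in[j + 1] == SE)) j++;
            if (j + 1 >= in_len) break;
            i = j + 2;
        } else {
            i += 2;                                   /* other two-byte commands */
        }
    }
    return replies;
}

/* Constructed scenario: a burst of `requests` DO <opt> commands in one
 * packet. Returns telnet_receive()'s result. */
int run_burst(size_t requests, unsigned char opt)
{
    unsigned char in[3 * 64];
    struct reply_buf rb = { {0}, 0 };
    if (requests > 64) requests = 64;
    for (size_t k = 0; k < requests; k++) {
        in[3 * k] = IAC; in[3 * k + 1] = DO; in[3 * k + 2] = opt;
    }
    return telnet_receive(in, 3 * requests, &rb);
}

int main(void)
{
    printf("10 requests -> %d replies\n", run_burst(10, 24));   /* fits: 10 */
    printf("30 requests -> %d\n", run_burst(30, 1));            /* refused: -1 */
    return 0;
}
```

With a 64-byte reply buffer, 21 three-byte replies fit and the 22nd is refused; the receiver returns -1 and the caller decides whether to flush or drop the connection. The same check applied to every append into a fixed-size buffer, rather than an assumption that the input is small, is what closes this class of bug.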

TESO claims to have a working exploit for the affected BSDI, FreeBSD, and NetBSD versions (see http://www.team-teso.net/advisories/teso-advisory-011.tar.gz). Their exploit has been publicly posted on the BugTraq mailing list. We have verified the exploit works against at least one target system.

According to a TESO advisory, the following systems with telnetd running are vulnerable to the buffer overflow:

- BSDI 4.x default
- FreeBSD [2345].x default
- IRIX 6.5
- Linux netkit-telnetd version 0.14 and earlier
- NetBSD 1.x default
- OpenBSD 2.x
- Solaris 2.x sparc

TESO indicates that other vendors' telnet daemons have a high probability of being vulnerable as well. FreeBSD has confirmed that the following releases are vulnerable:

"All releases of FreeBSD 3.x, 4.x prior to 4.4, FreeBSD 4.3-STABLE prior to the correction date."

Impact

An intruder can execute arbitrary code as the user running telnetd, typically root.

Solution

Install a patch from your vendor when available. Please continue to check this document for information available from the CERT/CC.

Disallow access to the telnet service (typically port 23/tcp) using firewall or packet-filtering technology. Blocking access to the telnet service will limit your exposure to attacks from outside your network perimeter. However, blocking port 23/tcp at the network perimeter still allows any user inside the perimeter, whether local or remote, to exploit the vulnerability. It is important to understand your network's configuration and service requirements prior to deciding what changes are appropriate.
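Perimeter filtering does not remove the vulnerable service from the host. Several vendor statements further down this page (Hewlett-Packard, NetBSD, MIT) recommend disabling telnetd outright, typically by commenting out its /etc/inetd.conf entry. The following added check, which is not from CERT/CC or any vendor on this page, scans inetd.conf text and reports whether an uncommented telnet entry still starts telnetd; the sample configuration and the function names are constructed for the example.

```c
/* Added check (not from CERT/CC or any vendor on this page): scan an
 * inetd.conf text and count entries that still start telnetd. The sample
 * configuration is constructed for the example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if the line is an active (uncommented) entry for the telnet service
 * whose server program is telnetd (or in.telnetd via tcpd), else 0. */
int is_active_telnet_entry(const char *line)
{
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line == '\0' || *line == '\n' || *line == '#')
        return 0;                                  /* blank or commented out */
    const char *end = line;                        /* first field: service name */
    while (*end && !isspace((unsigned char)*end))
        end++;
    if ((size_t)(end - line) != 6 || strncmp(line, "telnet", 6) != 0)
        return 0;
    return strstr(end, "telnetd") != NULL;
}

/* Count active telnet entries in a whole configuration text. */
int count_active_telnet_entries(const char *config)
{
    int count = 0;
    const char *p = config;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;                 /* truncate overlong lines */
        memcpy(line, p, len);
        line[len] = '\0';
        count += is_active_telnet_entry(line);
        if (!nl)
            break;
        p = nl + 1;
    }
    return count;
}

/* Constructed sample: two live telnet entries and one already commented out. */
const char SAMPLE_INETD_CONF[] =
    "# inetd.conf (constructed sample)\n"
    "ftp     stream  tcp  nowait  root  /usr/sbin/ftpd     ftpd -l\n"
    "telnet  stream  tcp  nowait  root  /usr/sbin/telnetd  telnetd\n"
    "#telnet stream  tcp  nowait  root  /usr/sbin/telnetd  telnetd\n"
    "telnet  stream  tcp  nowait  root  /usr/sbin/tcpd     in.telnetd\n";

int main(void)
{
    printf("active telnet entries: %d\n",
           count_active_telnet_entries(SAMPLE_INETD_CONF));   /* 2 */
    return 0;
}
```

In practice the contents of the host's real /etc/inetd.conf are passed to `count_active_telnet_entries`; a non-zero result after the entry was supposedly commented out means the service is still being started on demand, and the inetd reload step the vendors describe has not taken effect.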

Vendor Information


Apple

Notified:  July 24, 2001 Updated:  October 04, 2001

Status

  Vulnerable

Vendor Statement

http://www.apple.com/support/security/security_updates.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI

Notified:  July 23, 2001 Updated:  August 15, 2001

Status

  Vulnerable

Vendor Statement

All current versions of BSD/OS are vulnerable. Patches will be available via our web site at http://www.bsdi.com/services/support/patches and via ftp at ftp://ftp.bsdi.com/bsdi/support/patches as soon as testing has been completed.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Caldera

Notified:  July 24, 2001 Updated:  August 20, 2001

Status

  Vulnerable

Vendor Statement

Caldera has determined that OpenServer, UnixWare 7 and OpenUnix 8 are vulnerable, and we are working on fixes. All of Caldera's Linux supported products are unaffected by this problem if all previously released security updates have been applied. If you're running either OpenLinux 2.3 or OpenLinux eServer 2.3, make sure you've updated your systems to netkit-telnet-0.16. This patch was released in March 2000 and is available from ftp://ftp.caldera.com

OpenLinux 2.3:

/pub/openlinux/updates/2.3/022/RPMS/netkit-telnet-0.16-1.i386.rpm

OpenLinux eServer 2.3.1:

/pub/eServer/2.3/updates/2.3/007/RPMS/netkit-telnet-0.16-1.i386.rpm

OpenLinux eDesktop 2.4, OpenLinux 3.1 Server, and OpenLinux 3.1 Workstation are not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera has recently released CSSA-2001-030.0 which indicates that the following systems are indeed vulnerable:

All packages previous to netkit-telnet-0.17-12a on

- OpenLinux 2.3
- OpenLinux eServer 2.3.1 and OpenLinux eBuilder
- OpenLinux eDesktop 2.4
- OpenLinux Server 3.1
- OpenLinux Workstation 3.1

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco

Notified:  July 24, 2001 Updated:  February 01, 2002

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Cisco CatOS Telnet Buffer Vulnerability
================================================================

Revision 1.0

For Public Release 2002 January 29 at 1500 UTC

- -------------------------------------------------------------------------------

Summary
- -------
Some Cisco Catalyst switches, running certain CatOS based software releases,
have a vulnerability wherein a buffer overflow in the telnet option handling
can cause the telnet daemon to crash and result in a switch reload. This
vulnerability can be exploited to initiate a denial of service (DoS) attack.

This vulnerability is documented as Cisco bug ID CSCdw19195. There are
workarounds available to mitigate the vulnerability.

This advisory will be posted at http://www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml .

Affected Products
- -----------------
Cisco's various Catalyst family of switches run CatOS-based releases or
IOS-based releases. IOS-based releases are not vulnerable.

The following Cisco Catalyst Switches are vulnerable :

  * Catalyst 6000 series
  * Catalyst 5000 series
  * Catalyst 4000 series
  * Catalyst 2948G
  * Catalyst 2900

For the switches above, the following CatOS based switch software revisions are
vulnerable.

+-----------------------------------------------------------------------------+
|               |   Release 4   |   Release 5   |  Release 6   |  Release 7   |
|               |   code base   |   code base   |  code base   |  code base   |
|---------------+---------------+---------------+--------------+--------------|
| Catalyst 6000 |      Not      | earlier than  | earlier than | earlier than |
| series        |  Applicable   |    5.5(13)    |    6.3(4)    |    7.1(2)    |
|---------------+---------------+---------------+--------------+--------------|
| Catalyst 5000 | earlier than  | earlier than  | earlier than |     Not      |
| series        |   4.5(13a)    |    5.5(13)    |    6.3(4)    |  Applicable  |
|---------------+---------------+---------------+--------------+--------------|
| Catalyst 4000 | All releases  | earlier than  | earlier than | earlier than |
| series        |               |    5.5(13)    |    6.3(4)    |    7.1(2)    |
+-----------------------------------------------------------------------------+

To determine your software revision, type show version at the command line
prompt.

Not Affected Products
- ---------------------
The following Cisco Catalyst Switches are not vulnerable :

  * Catalyst 8500 series
  * Catalyst 4800 series
  * Catalyst 4200 series
  * Catalyst 3900 series
  * Catalyst 3550 series
  * Catalyst 3500 XL series
  * Catalyst 4840G
  * Catalyst 4908G-l3
  * Catalyst 2948G-l3
  * Catalyst 2950
  * Catalyst 2900 XL
  * Catalyst 2900 LRE XL
  * Catalyst 2820
  * Catalyst 1900

No other Cisco product is currently known to be affected by this vulnerability.

Details
- -------
Some Cisco Catalyst switches, running certain CatOS-based software releases,
have a vulnerability wherein a buffer overflow in the telnet option handling
can cause the telnet daemon to crash and result in a switch reload. This
vulnerability can be exploited to initiate a denial of service (DoS) attack.
Once the switch has reloaded, it is still vulnerable and the attack can be
repeated as long as the switch is IP reachable on port 23 and has not been
upgraded to a fixed version of CatOS switch software.

This vulnerability is documented as Cisco bug ID CSCdw19195, which requires a
CCO account to view and can be viewed after 2002 January 30 at 1500 UTC.

Impact
- ------
This vulnerability can be exploited to produce a denial of service (DoS)
attack. When the vulnerability is exploited it can cause the Cisco Catalyst
switch to crash and reload.

Software Versions and Fixes
- ---------------------------
This vulnerability has been fixed in the following switch software revisions
and the fix will be carried forward in all future releases.

+-------------------------------------------------------------------------------+
|               |   Release 4   |   Release 5   |   Release 6   |   Release 7   |
|               |   code base   |   code base   |   code base   |   code base   |
|---------------+---------------+---------------+---------------+---------------|
| Catalyst 6000 |      Not      |  5.5(13) and  |  6.3(4) and   |  7.1(2) and   |
| series        |  Applicable   |     later     |     later     |     later     |
|---------------+---------------+---------------+---------------+---------------|
| Catalyst 5000 |   4.5(13a)    |  5.5(13) and  |  6.3(4) and   |      Not      |
| series        |               |     later     |     later     |  Applicable   |
|---------------+---------------+---------------+---------------+---------------|
| Catalyst 4000 | Not Available |  5.5(13) and  |  6.3(4) and   |  7.1(2) and   |
| series        |               |     later     |     later     |     later     |
+-------------------------------------------------------------------------------+

All previous releases must upgrade to the above releases. CatOS switch software
release 4.5(13a) for the Catalyst 5000 series is expected on CCO by 2002
February 4. CatOS switch software release 7.1(2) is expected on CCO by 2002
February 4.

Software upgrade can be performed via the console interface. Please refer to
software release notes for instructions.

Obtaining Fixed Software
- ------------------------
Cisco is offering free software upgrades to remedy this vulnerability for all
affected customers. Customers with service contracts may upgrade to any
software release containing the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their regular
update channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com .

Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free of
charge.

Customers who purchased directly from Cisco but who do not hold a Cisco service
contract, and customers who purchase through third party vendors but are
unsuccessful at obtaining fixed software through their point of sale, should
get their upgrades by contacting the Cisco Technical Assistance Center (TAC).
TAC contacts are as follows:

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory.shtml for additional TAC
contact information, including instructions and e-mail addresses for use in
various languages.

Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades for non
contract customers must be requested through the TAC.

Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.

Workarounds
- -----------
The following workarounds can be implemented.

  * If ssh is available in the code base use ssh instead of Telnet and disable
    Telnet.

    For instructions how to do this please refer to http://www.cisco.com/warp/public/707/ssh_cat_switches.html

  * Apply Access Control Lists (ACLs) on routers / switches / firewalls in
    front of the vulnerable switches such that traffic destined for the Telnet
    port 23 on the vulnerable switches is only allowed from the network
    management subnets.

    For an example see http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_4/msfc/acc_list.htm

Exploitation and Public Announcements
- -------------------------------------
This vulnerability has been exploited to initiate Denial of Service (DoS)
attacks.

This vulnerability was reported by TESO and is detailed at http://www.cert.org/advisories/CA-2001-21.html

Status of This Notice: Final
- ----------------------------
This is a final notice. Although Cisco cannot guarantee the accuracy of all
statements in this notice, all of the facts have been checked to the best of
our ability. Cisco does not anticipate issuing updated versions of this notice
unless there is some material change in the facts. Should there be a
significant change in the facts, Cisco may update this notice.

A standalone copy or paraphrase of the text of this security advisory that
omits the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

Distribution
- ------------
This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml .

In addition to Worldwide Web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail
and Usenet news recipients:

  * cust-security-announce@cisco.com
  * bugtraq@securityfocus.com
  * firewalls@lists.gnac.com
  * first-teams@first.org (includes CERT/CC)
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * comp.dcom.sys.cisco
  * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web
server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.

Revision History
- ----------------
+-----------------------------------------------------------------------------+
| Revision 1.0 | 2002-Jan-29 | For Public Release 2002 January 29 at 1500 UTC |
+-----------------------------------------------------------------------------+

Cisco Security Procedures
- -------------------------
Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's Worldwide Web site at
http://www.cisco.com/go/psirt . This includes instructions for press inquiries
regarding Cisco security notices.
- -------------------------------------------------------------------------------
This notice is copyright 2002 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including all
date and version information.
- -------------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Signed by Sharad Ahlawat, Cisco Systems PSIRT

iQEVAwUBPFa4iw/VLJ+budTTAQGkywf9GkyUO77MFWJHqhGR+ZtNpk63NAzK4ath
TGE/GyRJlht4YXvP4sTuKgRmsBkefXRoFttN0T8G1HytxTfFP75THbh5kk2kRFYo
R4qcxM6QExs1FbJwx42MOjmD5Cyds8pdZ8ZSGdVTDe96k/0D+BNiN1oe672x1hkM
6Nrt1wnyRzKj7ZfF7NRnlN7DsR4gAPIIP0yLiP2KLJheqDnZNThANng97i9YP1Mz
gve9jAwZtiKij6mv0LDG/Jkk/NUl5VijxfuoRFM4ZvAEn8hFYDLnvPJUVb+CvKpt
3AJ3/J+MBS8EAKTM98sGr5ywp7/cQfXWZsoJAYgHbGtEs3Qy6xbK+w==
=1bxQ
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Updated:  August 27, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : telnet
SUMMARY   : Remote root vulnerability
DATE      : 2001-08-24 15:43:00
ID        : CLA-2001:413
RELEVANT
RELEASES  : 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
The TESO crew reported on Bugtraq a vulnerability affecting the
telnet server which can be used by remote attackers to obtain root
privileges. Initially it was thought that the netkit-telnet package,
used by most linux distributions, was not vulnerable starting with
version 0.14, but zen-parse showed later on that those versions,
including the 0.17 one, are also vulnerable.


SOLUTION
We recommend that all users currently using telnet start using
openssh instead or some other form of encrypted communication.
Users who cannot switch to openssh now should upgrade the telnet
package immediately. Please note that no restart is necessary after
the upgrade, since telnet is started on demand by inetd.


REFERENCES:
1. http://www.securityfocus.com/bid/3064


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/telnet-0.17-1U40_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/telnet-0.17-1U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/telnet-0.17-1U40_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/telnet-0.17-1U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/telnet-0.17-1U41_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/telnet-0.17-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/telnet-0.17-1U42_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/telnet-0.17-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/telnet-0.17-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/telnet-0.17-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/telnet-server-0.17-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/telnet-0.17-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/telnet-server-0.17-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/telnet-0.17-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/telnet-0.17-2U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/telnet-server-0.17-2U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/telnet-0.17-2U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/telnet-0.17-2U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/telnet-0.17-2U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/telnet-server-0.17-2U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/telnet-0.17-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/telnet-0.17-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/telnet-server-0.17-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/telnet-0.17-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/telnet-0.17-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/telnet-server-0.17-1U50_1cl.i386.rpm


ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
  (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

- run:                 apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples
can be found at
http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at
http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see
http://www.gnupg.org

iD8DBQE7hqHX42jd0JmAcZARAq2tAKDTiE4tzCaFXf8ZCGMLNCE1m+PUfwCg2hpZ
vPyXIWcdPbi77u2qfgBpUDc=
=DWFX
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray

Updated:  September 07, 2001

Status

  Vulnerable

Vendor Statement

Cray, Inc. has found UNICOS and UNICOS/mk to be vulnerable. Please see Field Notice 5062 and spr 720789 for fix information. We are currently investigating the MTA for vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  July 24, 2001 Updated:  August 20, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  July 24, 2001 Updated:  August 21, 2001

Status

  Vulnerable

Vendor Statement

All released versions of FreeBSD are vulnerable to this problem, which was fixed in FreeBSD 4.3-STABLE and FreeBSD 3.5.1-STABLE on July 23, 2001. An advisory has been released, along with a patch to correct the vulnerability and a binary upgrade package suitable for use on FreeBSD 4.3-RELEASE systems. For more information, see the advisory at the following location:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc

or use an FTP mirror site from the following URL:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

FreeBSD has also released ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A54.ports-telnetd.asc, a follow-up advisory related to third-party telnetd implementations found in the FreeBSD ports collection.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard

Notified:  July 24, 2001 Updated:  October 19, 2001

Status

  Vulnerable

Vendor Statement

----------------------------------------------------------------

HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0172
Originally issued: 16 October 2001
-----------------------------------------------------------------

The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from customer's
failure to fully implement instructions in this Security Bulletin as
soon as possible.

------------------------------------------------------------------
PROBLEM: Systems running telnetd may permit unauthorized remote
access.
See: http://www.cert.org/advisories/CA-2001-21.html

This vulnerability has been assigned the identifier
CAN-2001-0554 by the Common Vulnerabilities and Exposures
(CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0554


PLATFORM: HP9000 Servers running HP-UX releases 10.X only.

DAMAGE: An intruder can potentially execute arbitrary code
with the privileges of the telnetd process.

SOLUTION: Apply the following patches to the release specified.

10.01 PHNE_24820,
10.10 PHNE_24820,
10.20 PHNE_24821,
SIS 10.20 PHNE_24822 (Telnet kerberos Patch),
10.24 PHNE_25217.

MANUAL ACTIONS: The Secure Internet Services (SIS) product, if
enabled, has to be disabled before the installation
or removal of PHNE_24822 (Telnet kerberos Patch).

AVAILABILITY: The patches are available now from http://itrc.hp.com.

------------------------------------------------------------------
A. Background
A potential remotely exploitable buffer overflow in telnetd has
been reported to Hewlett-Packard Company. It is unique to HP-UX
releases 10.X only.

B. Fixing the problem
Disable telnetd (by commenting out the /etc/inetd.conf entry for
telnetd and running '/usr/sbin/inetd -c') if telnetd is not needed
on your system.

Install the appropriate patch from the list below.

C. Recommended solution

Apply the following patches to the release specified.

10.01 PHNE_24820,
10.10 PHNE_24820,
10.20 PHNE_24821,
SIS 10.20 PHNE_24822,
10.24 PHNE_25217.

All patches are available now from http://itrc.hp.com.

D. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:

Use your browser to get to the HP IT Resource Center page
at:

http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login, in order to
gain access to many areas of the ITRC. Remember to save the
User ID assigned to you, and your password.

In the left most frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.

or

To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.

To -gain access- to the Security Patch Matrix, select
the link for "The Security Bulletins Archive". (near the
bottom of the page) Once in the archive the third link is
to the current Security Patch Matrix. Updated daily, this
matrix categorizes security patches by platform/OS release,
and by bulletin topic. Security Patch Check completely
automates the process of reviewing the patch matrix for
11.XX systems.

For information on the Security Patch Check tool, see:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

The security patch matrix is also available via anonymous
ftp:

ftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix

On the "Support Information Digest Main" page:
click on the "HP Security Bulletin Archive".


E. To report new security vulnerabilities, send email to

security-alert@hp.com

Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server, or by sending a message with a -subject- (not body)
of 'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this
Bulletin to Hewlett-Packard (HP) customers (or the Internet
community) for the purpose of alerting them to problems,
if and only if, the Bulletin is not edited or changed in
any way, is attributed to HP, and provided such reproduction
and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not
liable for any misuse of this information by any third party.
_____________________________________________________________

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  July 24, 2001 Updated:  August 10, 2001

Status

  Vulnerable

Vendor Statement

IBM's AIX operating system, versions 5.1L and under, is vulnerable to this exploit.

An emergency fix (efix) is now available for downloading from the ftp site ftp://aix.software.ibm.com/aix/efixes/security. The efix package name to fix this vulnerability is "telnetd_efix.tar.Z". An advisory is included in the tarfile that gives installation instructions for the appropriate patched telnetd binary. Two patches are in the tarfile: one for AIX 4.3.3 (telnetd.433) and for AIX 5.1 (telnetd.510).

IBM has these APAR assignments for this vulnerability: For AIX 4.3.3, the APAR number is IY22029. For AIX 5.1, the APAR number is IY22021.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MIT Kerberos Development Team

Updated:  August 09, 2001

Status

  Vulnerable

Vendor Statement

Please see http://web.mit.edu/kerberos/www/advisories/telnetd.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----

KRB5 TELNETD BUFFER OVERFLOWS

2001-07-31

SUMMARY:

Buffer overflows exist in the telnet daemon included with MIT krb5.
Exploits are believed to exist for various operating systems on at
least the i386 architecture.

IMPACT:

If telnetd is running, a remote user may gain unauthorized root
access.

VULNERABLE DISTRIBUTIONS:

* MIT Kerberos 5, all releases to date.

FIXES:

The recommended approach is to apply the appropriate patches and to
rebuild your telnetd. Patches for the krb5-1.2.2 release may be found
at:

http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt.asc

These patches might apply successfully to older releases with some
amount of fuzz.

Please note that if you are using GNU make to build your krb5 sources,
the build system may attempt to rebuild the configure script from the
changed configure.in. This may cause trouble if you don't have
autoconf installed properly. To prevent this, you should use the
touch command or some similar means to ensure that the file
modification time on the configure script is newer than that of the
configure.in file.

If you are unable to patch your telnetd, you should disable the
telnet service altogether.

This announcement and code patches related to it may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/www/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/www/index.html

ACKNOWLEDGMENTS:

Thanks to TESO for the original alert / Bugtraq posting.

Thanks to Jeffrey Altman for assistance in developing these patches.

DETAILS:

A buffer overflow bug was discovered in telnet daemons derived from
BSD source code. Since the telnet daemon in MIT krb5 uses code
largely derived originally from BSD sources, it too is vulnerable.

By carefully constructing a series of telnet options to send to a
telnet server, a remote attacker may exercise a bug relating to lack
of bounds-checking, causing an overflow of a fixed-size buffer. This
overflow may possibly force the execution of malicious code.

It is not known how difficult this vulnerability is to exploit, since
the buffer is not on the stack. Some discussion seems to indicate
that exploits exist for this vulnerability that are believed to work
against various operating systems for i386-based machines. It is not
known whether these existing exploits have been successfully ported to
other processors.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBO2cP4qbDgE/zdoE9AQEdhQQAsAxuzVwWu7pbtZ8ouNK7VAFrODGBHJ6R
AxizbvpPMEUAPmHtNqyC+J7hmdcumAxm4ro1dQ6qqZrpV8e8X+MykNoOkt7jbzqz
Q3KgfV8DkEthtoZ7M6asMrNScE6tBU6hfBAk33RU25vHMM42PRdRjliIDCCJl3pu
/slqReyHFTg=
=i6/X
-----END PGP SIGNATURE-----
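The DETAILS section above describes the bug only in outline: a peer-chosen series of option requests, each provoking a reply that is appended to a statically sized buffer with no bounds check. The following C model is an added example written for this page; it is not the MIT krb5 or BSD telnetd source, and the names (netobuf, NETOBUF_SIZE, scan_options, build_refusal, process_checked) and the 64-byte capacity are assumptions chosen to make the effect visible. It places the unchecked pattern (modelled as an accounting of bytes that would be written, so the program itself never writes out of bounds) beside the hardened pattern that checks the remaining room and flushes before every append.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Telnet command bytes from RFC 854. */
enum { IAC = 255, DONT = 254, DO = 253, WONT = 252, WILL = 251 };

/* Hypothetical capacity of the statically sized output buffer. The real
 * daemon's buffer is larger; what matters is that the size is fixed at
 * compile time while the number of queued replies is chosen by the peer. */
#define NETOBUF_SIZE 64

typedef struct { size_t delivered; size_t flushes; } net_sink;  /* stand-in for the socket */

static void net_flush(unsigned char *buf, size_t *len, net_sink *sink)
{
    (void)buf;                    /* a real flush would write(2) buf[0..len) */
    sink->delivered += *len;
    sink->flushes++;
    *len = 0;
}

/* Refuse an option: a WILL from the peer is answered DONT, a DO with WONT. */
static size_t build_refusal(unsigned char cmd, unsigned char opt, unsigned char out[3])
{
    out[0] = IAC; out[1] = (cmd == WILL) ? DONT : WONT; out[2] = opt;
    return 3;
}

typedef int (*reply_cb)(const unsigned char *r, size_t rl, void *ctx);

/* Walk one input chunk and hand every reply it provokes to cb. The number
 * of replies is entirely under the peer's control. */
static int scan_options(const unsigned char *in, size_t n, reply_cb cb, void *ctx)
{
    size_t i = 0;
    while (i + 1 < n) {
        if (in[i] != IAC) { i++; continue; }
        unsigned char cmd = in[i + 1];
        if (cmd == WILL || cmd == WONT || cmd == DO || cmd == DONT) {
            if (i + 2 >= n) break;             /* truncated negotiation: wait for more */
            unsigned char r[3];
            if ((cmd == WILL || cmd == DO) &&
                cb(r, build_refusal(cmd, in[i + 2], r), ctx) != 0)
                return -1;
            i += 3;
        } else {
            i += 2;                            /* IAC IAC, NOP, AYT ...: no reply modelled */
        }
    }
    return 0;
}

/* Vulnerable pattern, modelled: replies are appended with no bound, on the
 * assumption that one chunk of input never yields more output than the
 * buffer holds. This only counts the bytes the unchecked append would
 * write; any excess over NETOBUF_SIZE is the overflow. */
static int count_cb(const unsigned char *r, size_t rl, void *ctx)
{
    (void)r;
    *(size_t *)ctx += rl;
    return 0;
}

size_t unchecked_output_length(const unsigned char *in, size_t n)
{
    size_t total = 0;
    scan_options(in, n, count_cb, &total);
    return total;
}

/* Hardened pattern: check the remaining room before every append and
 * flush first when the reply would not fit. */
typedef struct { unsigned char netobuf[NETOBUF_SIZE]; size_t len, peak; net_sink sink; } telnet_out;

static int append_cb(const unsigned char *r, size_t rl, void *ctx)
{
    telnet_out *o = ctx;
    if (rl > NETOBUF_SIZE) return -1;          /* can never fit: fail instead of writing */
    if (o->len + rl > NETOBUF_SIZE) net_flush(o->netobuf, &o->len, &o->sink);
    memcpy(o->netobuf + o->len, r, rl);
    o->len += rl;
    if (o->len > o->peak) o->peak = o->len;
    return 0;
}

/* Returns bytes delivered to the sink (0 on failure); *peak receives the
 * highest fill level, which can never exceed NETOBUF_SIZE. */
size_t process_checked(const unsigned char *in, size_t n, size_t *peak)
{
    telnet_out o = {{0}, 0, 0, {0, 0}};
    if (scan_options(in, n, append_cb, &o) != 0) return 0;
    net_flush(o.netobuf, &o.len, &o.sink);
    if (peak) *peak = o.peak;
    return o.sink.delivered;
}

/* Constructed input: `count` back-to-back IAC DO <opt> requests. */
size_t make_option_stream(unsigned char *buf, size_t cap, size_t count, unsigned char opt)
{
    size_t n = 0;
    for (size_t k = 0; k < count && n + 3 <= cap; k++) { buf[n++] = IAC; buf[n++] = DO; buf[n++] = opt; }
    return n;
}

int main(void)
{
    unsigned char req[256];
    size_t n = make_option_stream(req, sizeof req, 40, 39);   /* 40 requests for an arbitrary option */
    size_t need = unchecked_output_length(req, n), peak = 0;
    size_t sent = process_checked(req, n, &peak);
    printf("%zu input bytes provoke %zu reply bytes; buffer holds %d\n", n, need, NETOBUF_SIZE);
    printf("unchecked append would run %zu bytes past the end\n", need > NETOBUF_SIZE ? need - NETOBUF_SIZE : 0);
    printf("checked path delivered %zu bytes, peak fill %zu\n", sent, peak);
    return 0;
}
```

The point the model makes is the one in the advisory text: the buffer's size is a compile-time constant, but the amount of output one input chunk generates is decided by the remote peer, so the only safe assumption is none, and the append has to check or flush every time. Because the buffer is static rather than on the stack, an overflow overwrites neighbouring globals rather than a return address, which is why the advisory is cautious about how hard exploitation is while still rating it a root compromise.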

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  July 24, 2001 Updated:  August 15, 2001

Status

  Vulnerable

Vendor Statement

All releases of NetBSD are affected. The issue was patched in NetBSD-current on July 19th. A Security Advisory including patches will be available shortly, at:

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc

NetBSD releases since July 2000 have shipped with telnetd disabled by default. If it has been re-enabled on a system, it is highly recommended to disable it at least until patches are installed. Furthermore, NetBSD recommends the use of a Secure Shell instead of telnet for most applications.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  July 24, 2001 Updated:  August 15, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RedHat

Notified:  July 24, 2001 Updated:  August 13, 2001

Status

  Vulnerable

Vendor Statement

Please see https://www.redhat.com/support/errata/RHSA-2001-100.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  July 24, 2001 Updated:  July 26, 2001

Status

  Vulnerable

Vendor Statement

SGI acknowledges the telnetd vulnerability reported by CERT and is currently investigating. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements.

As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list and

http://www.sgi.com/support/security/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE

Updated:  October 11, 2001

Status

  Vulnerable

Vendor Statement

The 7.x distribution update directories contain update packages for the recently discovered in.telnetd security problem (buffer overflow). While we are working on a solution for the 6.x distribution, the available packages are ready for use. It is recommended to apply these updates as soon as possible. The packages for the 7.1 distribution are called nkitserv.rpm, for 7.2 it's called telnet-server.rpm. The packages for the 6.x distributions prove to be troublesome because of a much older codebase and changed behaviour of parts of the glibc. We hope to be able to provide a suitable solution soon.
We recommend disabling the telnet service by commenting it out from the /etc/inetd.conf file (followed by a "killall -HUP inetd" to make inetd re-read its config file) until an update package for your distribution is available. If you do not need the telnet server service, you should leave the service disabled even if you have applied an update package to your system.
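The workaround in the SuSE statement above, commenting the telnet line out of /etc/inetd.conf and signalling inetd, done as an added example rather than SuSE's own script. It operates on a constructed inetd.conf sample, is idempotent, and reports whether anything changed so that inetd is only signalled when there is something for it to re-read. The function names and the sample file contents are this example's own.

```sh
#!/bin/sh
# Added example: disable the telnet service in an inetd.conf-style file.

# Print the number of active (uncommented) telnet service lines in FILE.
count_active_telnet() {
    grep -c '^telnet[[:space:]]' "$1" || true
}

# Comment out every active telnet line in FILE and print how many lines
# changed. Writes through a temp file so a failed write never leaves inetd
# with a truncated config.
disable_telnet_inetd() {
    file=$1
    before=$(count_active_telnet "$file")
    sed 's/^\(telnet[[:space:]]\)/#\1/' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$before"
}

# --- demonstration on a constructed sample (not a real /etc/inetd.conf) ---
demo=$(mktemp)
cat > "$demo" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd -h
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF

changed=$(disable_telnet_inetd "$demo")
echo "lines disabled: $changed"
echo "active telnet lines now: $(count_active_telnet "$demo")"
# A second run must be a no-op: nothing to change, no reason to HUP inetd.
echo "second run changed: $(disable_telnet_inetd "$demo")"
```

On a real system run disable_telnet_inetd against /etc/inetd.conf as root and, only if the printed count is non-zero, follow with the "killall -HUP inetd" the statement gives; then confirm with "netstat -an | grep ':23 '" that nothing is still listening on the telnet port, since a daemon started outside inetd is unaffected by this edit.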

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE has released a security announcement related to this vulnerability. It is located at http://www.suse.com/de/support/security/2001_029_nkitb_txt.txt.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun

Notified:  July 24, 2001 Updated:  April 16, 2002

Status

  Vulnerable

Vendor Statement

A buffer overflow has been discovered in in.telnetd which allows a local or a remote attacker to kill the in.telnetd daemon on the affected SunOS system. Sun does not believe that this issue can be exploited on SunOS systems to gain elevated privileges. As there was a buffer overflow, Sun has generated patches for this issue. The patches are described in the following SunAlert:


and are available from:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Notified:  July 24, 2001 Updated:  August 01, 2001

Status

  Not Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________
SOURCE: Compaq Computer Corporation
Compaq Services
Software Security Response Team USA

Compaq case id SSRT0745U

ref: potential telnetd option handling vulnerability

x-ref: TESO Security Advisory 06/2001
CERT CA2001-21 Advisory 07/2001


Compaq has evaluated this vulnerability to telnetd
distributed for Compaq Tru64/UNIX and OpenVMS Operating
Systems Software and has determined that telnetd is not
vulnerable to unauthorized command execution or
root compromise.

Compaq appreciates your cooperation and patience.
We regret any inconvenience applying this information
may cause.

As always, Compaq urges you to periodically review your system
management and security procedures. Compaq will continue to
review and enhance the security features of its products and work
with customers to maintain and improve the security and integrity
of their systems.

To subscribe to automatically receive future NEW Security
Advisories from the Compaq's Software Security Response Team
via electronic mail,

Use your browser to select the URL
http://www.support.compaq.com/patches/mailing-list.shtml
Select "Security and Individual Notices" for immediate dispatch
notifications directly to your mailbox.

To report new Security Vulnerabilities, send mail to:
security-ssrt@compaq.com

(c) Copyright 2001 Compaq Computer Corporation. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO2C5JjnTu2ckvbFuEQKmqwCg/m87d9k22+qV5GY2vJAR409KFD4AoIbR
vsQaZ9DOI4D4sj5Feg4bRZmS
=F5Nq
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Secure Computing Corporation

Updated:  July 31, 2001

Status

  Not Vulnerable

Vendor Statement

The telnetd vulnerability referenced is not applicable to Sidewinder as a result of disciplined security software design practices in combination with Secure Computing's patented Type Enforcement(tm) technology. Sidewinder's telnetd services are greatly restricted due to both known and theoretical vulnerabilities. This least privilege design renders the attack described in the CERT-2001-21 Advisory useless. In addition, Sidewinder's operating system, SecureOS(tm), built on Secure's Type Enforcement technology, has further defenses against this attack that would trigger multiple security violations.

Specifically, the attack first attempts to start a shell process. Sidewinder's embedded Type Enforcement security rules prevent telnetd from replicating itself and accessing the system shell programs. Even without this embedded, tamper-proof rule in place, other Type Enforcement rules also defend against this attack. As an example, the new shell would need administrative privileges and those privileges are not available to the telnetd services.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  July 24, 2001 Updated:  August 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  July 24, 2001 Updated:  August 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft

Notified:  July 24, 2001 Updated:  August 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC

Notified:  July 24, 2001 Updated:  August 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia

Notified:  July 24, 2001 Updated:  July 24, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO

Notified:  July 24, 2001 Updated:  August 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  July 24, 2001 Updated:  August 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony

Notified:  July 24, 2001 Updated:  August 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  July 24, 2001 Updated:  August 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The CERT Coordination Center thanks TESO, who published an advisory on this issue. We would also like to thank Jeff Polk <polk@BSDI.COM> for technical assistance.

This document was written by Ian A. Finlay & Jason Rafail.

Other Information

CVE IDs: CVE-2001-0554
CERT Advisory: CA-2001-21
Severity Metric: 74.81
Date Public: 2001-07-18
Date First Published: 2001-07-24
Date Last Updated: 2002-04-16 19:36 UTC
Document Revision: 42

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.