A vulnerability exists in the Telnet Authentication Option and Telnet Data Encryption Option specifications. An ordered list of authentication and encryption options sent from the server to client during negotiation is not cryptographically protected. As a result, an attacker may be able to modify the list and cause less secure authentication and encryption options to be negotiated. An active attacker may be able to disable Telnet data encryption without the client's knowledge.
Simon Josefsson has published a paper describing several active man-in-the-middle attacks against the Kerberos Telnet protocol. Kerberos is a trusted third-party authentication protocol that can be used to secure applications that otherwise transmit authentication information in plain text. Kerberos can further be used to establish encrypted communications channels for applications that normally transmit data in plain text. RFC 1510 defines the Kerberos V protocol.
Telnet (RFC 854) transmits data in plain text, including authentication information. Two RFCs describe options to secure Telnet communications: the Telnet Authentication Option (RFC 2941) and the Telnet Data Encryption Option (RFC 2946). Kerberos can be used to provide these options for Telnet, as specified in RFC 1411 (Kerberos IV) and RFC 2942 (Kerberos V).
An attacker with the ability to modify Kerberos Telnet negotiation commands sent from server to client may be able to cause the connection to negotiate less secure authentication and encryption options, including no encryption. The attacker may then be able to read data that the user presumes to be securely encrypted. This is exacerbated by another vulnerability in KTH Kerberos Telnet clients. When a user requests encryption and the server does not appear to support it, KTH Kerberos Telnet clients continue negotiation and establish a connection with no encryption (VU#390280).
Modify Protocol Specification
The CERT Coordination Center thanks Simon Josefsson for information used in this document.
This document was written by Art Manion.
|Date First Published:||2002-02-04|
|Date Last Updated:||2002-02-25 21:49 UTC|