Apple Affected

Notified:  July 24, 2001 Updated: October 04, 2001

Status

Affected

Vendor Statement

http://www.apple.com/support/security/security_updates.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

BSDI Affected

Notified:  July 23, 2001 Updated: August 15, 2001

Status

Affected

Vendor Statement

All current versions of BSD/OS are vulnerable. Patches will be available via our web site at http://www.bsdi.com/services/support/patches and via ftp at ftp://ftp.bsdi.com/bsdi/support/patches as soon as testing has been completed.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Caldera Affected

Notified:  July 24, 2001 Updated: August 20, 2001

Status

Affected

Vendor Statement

Caldera has determined that OpenServer, UnixWare 7 and OpenUnix 8 are vulnerable, and we are working on fixes. All of Caldera's Linux supported products are unaffected by this problem if all previously released security updates have been applied.

If you're running either OpenLinux 2.3 or OpenLinux eServer 2.3, make sure you've updated your systems to netkit-telnet-0.16. This patch was released in March 2000, and is available from ftp://ftp.caldera.com

OpenLinux 2.3: /pub/openlinux/updates/2.3/022/RPMS/netkit-telnet-0.16-1.i386.rpm

OpenLinux eServer 2.3.1: /pub/eServer/2.3/updates/2.3/007/RPMS/netkit-telnet-0.16-1.i386.rpm

OpenLinux eDesktop 2.4, OpenLinux 3.1 Server, and OpenLinux 3.1 Workstation are not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera has recently released CSSA-2001-030.0 which indicates that the following systems are indeed vulnerable:

All packages previous to netkit-telnet-0.17-12a on
- OpenLinux 2.3
- OpenLinux eServer 2.3.1 and OpenLinux eBuilder
- OpenLinux eDesktop 2.4
- OpenLinux Server 3.1
- OpenLinux Workstation 3.1

Cisco Affected

Notified:  July 24, 2001 Updated: February 01, 2002

Status

Affected

Vendor Statement

Cisco Security Advisory: Cisco CatOS Telnet Buffer Vulnerability

Revision 1.0

For Public Release 2002 January 29 at 1500 UTC

Summary

Some Cisco Catalyst switches, running certain CatOS based software releases, have a vulnerability wherein a buffer overflow in the telnet option handling can cause the telnet daemon to crash and result in a switch reload. This vulnerability can be exploited to initiate a denial of service (DoS) attack.

This vulnerability is documented as Cisco bug ID CSCdw19195. There are workarounds available to mitigate the vulnerability.

This advisory will be posted at http://www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml .

Affected Products

Cisco's various Catalyst family of switches run CatOS-based releases or IOS-based releases. IOS-based releases are not vulnerable.

The following Cisco Catalyst Switches are vulnerable :

* Catalyst 6000 series
* Catalyst 5000 series
* Catalyst 4000 series
* Catalyst 2948G
* Catalyst 2900

For the switches above, the following CatOS based switch software revisions are vulnerable.

| | Release 4 code base | Release 5 code base | Release 6 code base | Release 7 code base |
| Catalyst 6000 series | Not Applicable | earlier than 5.5(13) | earlier than 6.3(4) | earlier than 7.1(2) |
| Catalyst 5000 series | earlier than 4.5(13a) | earlier than 5.5(13) | earlier than 6.3(4) | Not Applicable |
| Catalyst 4000 series | All releases | earlier than 5.5(13) | earlier than 6.3(4) | earlier than 7.1(2) |

To determine your software revision, type show version at the command line prompt.

Not Affected Products

The following Cisco Catalyst Switches are not vulnerable :

* Catalyst 8500 series
* Catalyst 4800 series
* Catalyst 4200 series
* Catalyst 3900 series
* Catalyst 3550 series
* Catalyst 3500 XL series
* Catalyst 4840G
* Catalyst 4908G-l3
* Catalyst 2948G-l3
* Catalyst 2950
* Catalyst 2900 XL
* Catalyst 2900 LRE XL
* Catalyst 2820
* Catalyst 1900

No other Cisco product is currently known to be affected by this vulnerability.

Details

Some Cisco Catalyst switches, running certain CatOS-based software releases, have a vulnerability wherein a buffer overflow in the telnet option handling can cause the telnet daemon to crash and result in a switch reload. This vulnerability can be exploited to initiate a denial of service (DoS) attack.

Once the switch has reloaded, it is still vulnerable and the attack can be repeated as long as the switch is IP reachable on port 23 and has not been upgraded to a fixed version of CatOS switch software.

This vulnerability is documented as Cisco bug ID CSCdw19195, which requires a CCO account to view and can be viewed after 2002 January 30 at 1500 UTC.

Impact

This vulnerability can be exploited to produce a denial of service (DoS) attack. When the vulnerability is exploited it can cause the Cisco Catalyst switch to crash and reload.

Software Versions and Fixes

This vulnerability has been fixed in the following switch software revisions and the fix will be carried forward in all future releases.

| | Release 4 code base | Release 5 code base | Release 6 code base | Release 7 code base |
| Catalyst 6000 series | Not Applicable | 5.5(13) and later | 6.3(4) and later | 7.1(2) and later |
| Catalyst 5000 series | 4.5(13a) | 5.5(13) and later | 6.3(4) and later | Not Applicable |
| Catalyst 4000 series | Not Available | 5.5(13) and later | 6.3(4) and later | 7.1(2) and later |

All previous releases must upgrade to the above releases. CatOS switch software release 4.5(13a) for the Catalyst 5000 series is expected on CCO by 2002 February 4. CatOS switch software release 7.1(2) is expected on CCO by 2002 February 4.

Software upgrade can be performed via the console interface. Please refer to software release notes for instructions.

Obtaining Fixed Software

Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers with service contracts may upgrade to any software release containing the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com .

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.

Customers who purchased directly from Cisco but who do not hold a Cisco service contract, and customers who purchase through third party vendors but are unsuccessful at obtaining fixed software through their point of sale, should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory.shtml for additional TAC contact information, including instructions and e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Workarounds

The following workarounds can be implemented.

* If ssh is available in the code base use ssh instead of Telnet and disable Telnet. For instructions how to do this please refer http://www.cisco.com/warp/public/707/ssh_cat_switches.html
* Apply Access Control Lists (ACLs) on routers / switches / firewalls in front of the vulnerable switches such that traffic destined for the Telnet port 23 on the vulnerable switches is only allowed from the network management subnets. For an example see http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_4/msfc/acc_list.htm

Exploitation and Public Announcements

This vulnerability has been exploited to initiate Denial of Service (DoS) attacks.

This vulnerability was reported by TESO and is detailed at http://www.cert.org/advisories/CA-2001-21.html

Status of This Notice: Final

This is a final notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice.

A standalone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution

This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml . In addition to Worldwide Web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:

* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* firewalls@lists.gnac.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History

| Revision 1.0 | 2002-Jan-29 | For Public Release 2002 January 29 at 1500 UTC |

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at http://www.cisco.com/go/psirt . This includes instructions for press inquiries regarding Cisco security notices.

This notice is copyright 2002 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

Signed by Sharad Ahlawat, Cisco Systems PSIRT

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Compaq Computer Corporation Not Affected

Notified:  July 24, 2001 Updated: August 01, 2001

Status

Not Affected

Vendor Statement

SOURCE: Compaq Computer Corporation
Compaq Services
Software Security Response Team USA

Compaq case id SSRT0745U

ref: potential telnetd option handling vulnerability

x-ref: TESO Security Advisory 06/2001
CERT CA2001-21 Advisory 07/2001

Compaq has evaluated this vulnerability to telnetd distributed for Compaq Tru64/UNIX and OpenVMS Operating Systems Software and has determined that telnetd is not vulnerable to unauthorized command execution or root compromise.

Compaq appreciates your cooperation and patience. We regret any inconvenience applying this information may cause.

As always, Compaq urges you to periodically review your system management and security procedures. Compaq will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems.

To subscribe to automatically receive future NEW Security Advisories from the Compaq's Software Security Response Team via electronic mail, Use your browser select the URL http://www.support.compaq.com/patches/mailing-list.shtml Select "Security and Individual Notices" for immediate dispatch notifications directly to your mailbox.

To report new Security Vulnerabilities, send mail to: security-ssrt@compaq.com

(c) Copyright 2001 Compaq Computer Corporation. All rights reserved.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Conectiva Affected

Updated:  August 27, 2001

Status

Affected

Vendor Statement

CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE : telnet
SUMMARY : Remote root vulnerability
DATE : 2001-08-24 15:43:00
ID : CLA-2001:413
RELEVANT RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

DESCRIPTION

The TESO crew reported on Bugtraq a vulnerability affecting the telnet server which can be used by remote attackers to obtain root privileges.

Initially it was thought that the netkit-telnet package, used by most linux distributions, was not vulnerable starting with version 0.14, but zen-parse showed later on that those versions, including the 0.17 one, are also vulnerable.

SOLUTION

We recommend that all users currently using telnet start using openssh instead or some other form of encrypted communication. Users who cannot switch to openssh now should upgrade the telnet package immediately.

Please note that no restart is necessary after the upgrade, since telnet is started on demand by inetd.

REFERENCES:

1. http://www.securityfocus.com/bid/3064

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES

ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/telnet-0.17-1U40_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/telnet-0.17-1U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/telnet-0.17-1U40_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/telnet-0.17-1U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/telnet-0.17-1U41_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/telnet-0.17-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/telnet-0.17-1U42_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/telnet-0.17-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/telnet-0.17-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/telnet-0.17-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/telnet-server-0.17-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/telnet-0.17-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/telnet-server-0.17-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/telnet-0.17-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/telnet-0.17-2U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/telnet-server-0.17-2U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/telnet-0.17-2U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/telnet-0.17-2U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/telnet-0.17-2U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/telnet-server-0.17-2U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/telnet-0.17-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/telnet-0.17-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/telnet-server-0.17-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/telnet-0.17-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/telnet-0.17-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/telnet-server-0.17-1U50_1cl.i386.rpm

ADDITIONAL INSTRUCTIONS

Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages:

- add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this):

  rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

  (replace 6.0 with the correct version number if you are not running CL6.0)

- run: apt-get update

- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en

Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en

subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Affected

Updated:  September 07, 2001

Status

Affected

Vendor Statement

Cray, Inc. has found UNICOS and UNICOS/mk to be vulnerable. Please see Field Notice 5062 and spr 720789 for fix information. We are currently investigating the MTA for vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified:  July 24, 2001 Updated: August 15, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Affected

Notified:  July 24, 2001 Updated: August 20, 2001

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Affected

Notified:  July 24, 2001 Updated: August 21, 2001

Status

Affected

Vendor Statement

All released versions of FreeBSD are vulnerable to this problem, which was fixed in FreeBSD 4.3-STABLE and FreeBSD 3.5.1-STABLE on July 23, 2001. An advisory has been released, along with a patch to correct the vulnerability and a binary upgrade package suitable for use on FreeBSD 4.3-RELEASE systems. For more information, see the advisory at the following location: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc or use an FTP mirror site from the following URL: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

FreeBSD has also released ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A54.ports-telnetd.asc, a follow-up advisory related to third-party implementations found in the FreeBSD ports collection.

Fujitsu Unknown

Notified:  July 24, 2001 Updated: August 15, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett Packard Affected

Notified:  July 24, 2001 Updated: October 19, 2001

Status

Affected

Vendor Statement

HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0172

Originally issued: 16 October 2001

The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.

PROBLEM: Systems running telnetd may permit unauthorized remote access. See: http://www.cert.org/advisories/CA-2001-21.html This vulnerability has been assigned the identifier CAN-2001-0554 by the Common Vulnerabilities and Exposures (CVE) group: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0554

PLATFORM: HP9000 Servers running HP-UX releases 10.X only.

DAMAGE: An intruder can potentially execute arbitrary code with the privileges of the telnetd process.

SOLUTION: Apply the following patches to the release specified. 10.01 PHNE_24820, 10.10 PHNE_24820, 10.20 PHNE_24821, SIS 10.20 PHNE_24822 (Telnet kerberos Patch), 10.24 PHNE_25217.

MANUAL ACTIONS: The Secure Internet Services (SIS) product, if enabled, has to be disabled before the installation or removal of PHNE_24822 (Telnet kerberos Patch).

AVAILABILITY: The patches are available now from http://itrc.hp.com.

A. Background

A potential remotely exploitable buffer overflow in telnetd has been reported to Hewlett-Packard Company. It is unique to HP-UX releases 10.X only.

B. Fixing the problem

Disable telnetd (by commenting out the /etc/inetd.conf entry for telnetd and running '/usr/sbin/inetd -c') if telnetd is not needed on your system. Install the appropriate patch from the list below.

C. Recommended solution

Apply the following patches to the release specified. 10.01 PHNE_24820, 10.10 PHNE_24820, 10.20 PHNE_24821, SIS 10.20 PHNE_24822, 10.24 PHNE_25217. All patches are available now from http://itrc.hp.com.

D.

To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following:

Use your browser to get to the HP IT Resource Center page at: http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login, in order to gain access to many areas of the ITRC. Remember to save the User ID assigned to you, and your password.

In the left most frame select "Maintenance and Support". Under the "Notifications" section (near the bottom of the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page.

or

To -review- bulletins already released, select the link (in the middle column) for the appropriate digest.

To -gain access- to the Security Patch Matrix, select the link for "The Security Bulletins Archive". (near the bottom of the page) Once in the archive the third link is to the current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic. Security Patch Check completely automates the process of reviewing the patch matrix for 11.XX systems.

For information on the Security Patch Check tool, see: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

The security patch matrix is also available via anonymous ftp: ftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix

On the "Support Information Digest Main" page: click on the "HP Security Bulletin Archive".

E.

To report new security vulnerabilities, send email to security-alert@hp.com

Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Affected

Notified:  July 24, 2001 Updated: August 10, 2001

Status

Affected

Vendor Statement

IBM's AIX operating system, versions 5.1L and under, is vulnerable to this exploit. An emergency fix (efix) is now available for downloading from the ftp site ftp://aix.software.ibm.com/aix/efixes/security. The efix package name to fix this vulnerability is "telnetd_efix.tar.Z". An advisory is included in the tarfile that gives installation instructions for the appropriate patched telnetd binary. Two patches are in the tarfile: one for AIX 4.3.3 (telnetd.433) and for AIX 5.1 (telnetd.510). IBM has these APAR assignments for this vulnerability: For AIX 4.3.3, the APAR number is IY22029. For AIX 5.1, the APAR number is IY22021.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Unknown

Notified:  July 24, 2001 Updated: August 15, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MIT Kerberos Development Team Affected

Updated:  August 09, 2001

Status

Affected

Vendor Statement

Please see http://web.mit.edu/kerberos/www/advisories/telnetd.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

KRB5 TELNETD BUFFER OVERFLOWS

2001-07-31

SUMMARY:

Buffer overflows exist in the telnet daemon included with MIT krb5. Exploits are believed to exist for various operating systems on at least the i386 architecture.

IMPACT:

If telnetd is running, a remote user may gain unauthorized root access.

VULNERABLE DISTRIBUTIONS:

* MIT Kerberos 5, all releases to date.

FIXES:

The recommended approach is to apply the appropriate patches and to rebuild your telnetd. Patches for the krb5-1.2.2 release may be found at: http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt

The associated detached PGP signature is at: http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt.asc

These patches might apply successfully to older releases with some amount of fuzz.

Please note that if you are using GNU make to build your krb5 sources, the build system may attempt to rebuild the configure script from the changed configure.in. This may cause trouble if you don't have autoconf installed properly. To prevent this, you should use the touch command or some similar means to ensure that the file modification time on the configure script is newer than that of the configure.in file.

If you are unable to patch your telnetd, you may should disable the telnet service altogether.

This announcement and code patches related to it may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/www/advisories/index.html

The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/www/index.html

ACKNOWLEDGMENTS:

Thanks to TESO for the original alert / Bugtraq posting.

Thanks to Jeffrey Altman for assistance in developing these patches.

DETAILS:

A buffer overflow bug was discovered in telnet daemons derived from BSD source code. Since the telnet daemon in MIT krb5 uses code largely derived originally from BSD sources, it too is vulnerable.

By carefully constructing a series of telnet options to send to a telnet server, a remote attacker may exercise a bug relating to lack of bounds-checking, causing an overflow of a fixed-size buffer. This overflow may possibly force the execution of malicious code.

It is not known how difficult this vulnerability is to exploit, since the buffer is not on the stack. Some discussion seems to indicate that exploits exist for this vulnerability that are believed to work against various operating systems for i386-based machines. It is not known whether these existing exploits have been successfully ported to other processors.

NEC Unknown

Notified:  July 24, 2001 Updated: August 15, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Affected

Notified:  July 24, 2001 Updated: August 15, 2001

Status

Affected

Vendor Statement

All releases of NetBSD are affected. The issue was patched in NetBSD-current on July 19th. A Security Advisory including patches will be available shortly, at: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc

NetBSD releases since July 2000 have shipped with telnetd disabled by default. If it has been re-enabled on a system, it is highly recommended to disable it at least until patches are installed. Furthermore, NetBSD recommends the use of a Secure Shell instead of telnet for most applications.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nokia Unknown

Notified:  July 24, 2001 Updated: July 24, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Affected

Notified:  July 24, 2001 Updated: August 15, 2001

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

RedHat Affected

Notified:  July 24, 2001 Updated: August 13, 2001

Status

Affected

Vendor Statement

Please see https://www.redhat.com/support/errata/RHSA-2001-100.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SCO Unknown

Notified:  July 24, 2001 Updated: August 15, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Secure Computing Corporation Not Affected

Updated:  July 31, 2001

Status

Not Affected

Vendor Statement

The telnetd vulnerability referenced is not applicable to Sidewinder as a result of disciplined security software design practices in combination with Secure Computing's patented Type Enforcement(tm) technology. Sidewinder's telnetd services are greatly restricted due to both known and theoretical vulnerabilities. This least privilege design renders the attack described in the CERT-2001-21 Advisory useless. In addition, Sidewinder's operating system, SecureOS(tm), built on Secure's Type Enforcement technology, has further defenses against this attack that would trigger multiple security violations. Specifically, the attack first attempts to start a shell process. Sidewinder's embedded Type Enforcement security rules prevent telnetd from replicating itself and accessing the system shell programs. Even without this embedded, tamper proof rule in place, other Type Enforcement rules also defend against this attack. As an example, the new shell would need administrative privileges and those privileges are not available to the telnetd services.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Notified:  July 24, 2001 Updated: August 15, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Affected

Notified:  July 24, 2001 Updated: July 26, 2001

Status

Affected

Vendor Statement

SGI acknowledges the telnetd vulnerability reported by CERT and is currently investigating. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list and http://www.sgi.com/support/security/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Unknown

Notified:  July 24, 2001 Updated: August 15, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Affected

Notified:  July 24, 2001 Updated: April 16, 2002

Status

Affected

Vendor Statement

A buffer overflow has been discovered in in.telnetd which allows a local or a remote attacker to kill the in.telnetd daemon on the affected SunOS system. Sun does not believe that this issue can be exploited on SunOS systems to gain elevated privileges. As there was a buffer overflow, Sun has generated patches for this issue. The patches are described in the following SunAlert: http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F28063 and are available from: http://sunsolve.sun.com/securitypatch

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SuSE Affected

Updated:  October 11, 2001

Status

Affected

Vendor Statement

The 7.x distribution update directories contain update packages for the recently discovered in.telnetd security problem (buffer overflow). While we are working on a solution for the 6.x distribution, the available packages are ready for use. It is recommended to apply these updates as soon as possible. The packages for the 7.1 distribution are called nkitserv.rpm, for 7.2 it's called telnet-server.rpm. The packages for the 6.x distributions prove to be worksome because of a much older codebase and changed behaviour of parts of the glibc. We hope to be able to provide a suitable solution soon. We recommend disabling the telnet service by commenting it out from the /etc/inetd.conf file (with a following "killall -HUP inetd" to make inetd re-read its config file) until an update package for your distribution is available. If you do not need the telnet server service, you should leave the service disabled even if you have applied an update package to your system.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE has released a security announcement related to this vulnerability. It is located at http://www.suse.com/de/support/security/2001_029_nkitb_txt.txt.

Unisys Unknown

Notified:  July 24, 2001 Updated: August 15, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.
