Buffer Overflow in telnetd

CERT Advisory CA-2001-21 Buffer Overflow in telnetd

   Original release date: July 24, 2001
   Last revised: Fri Aug 10 08:36:50 EDT 2001
   Source: CERT/CC
   
   A complete revision history can be found at the end of this file.
   
Systems Affected

     * Systems running versions of telnetd derived from BSD source.
       
Overview

   The telnetd program is a server for the Telnet remote virtual terminal
   protocol. There is a remotely exploitable buffer overflow in Telnet
   daemons derived from BSD source code. This vulnerability can crash the
   server, or be leveraged to gain root access.
   
I. Description

   There is a remotely exploitable buffer overflow in Telnet daemons
   derived from BSD source code. During the processing of the Telnet
   protocol options, the results of the "telrcv" function are stored in a
   fixed-size buffer. It is assumed that the results are smaller than the
   buffer and no bounds checking is performed.
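   A simplified model of the defect described above, added here as an
   illustration and not taken from any BSD telnetd source: option replies
   are appended to a fixed-size output queue, and the only difference
   between the vulnerable pattern and its fix is the size test inside
   queue_reply. The struct, buffer size and function names are constructed.

```c
#include <stddef.h>

/* Telnet command bytes from RFC 854. */
#define IAC  255
#define DONT 254
#define DO   253
#define WONT 252
#define WILL 251

/* Constructed output queue; the real daemon's buffer is far larger. */
#define NETOBUF_SIZE 64

struct netout {
    unsigned char buf[NETOBUF_SIZE];
    size_t len;      /* bytes queued so far (the "front pointer") */
    size_t dropped;  /* replies refused because the queue was full */
};

/* The defect the advisory describes is this function without the size test:
 * each reply is presumed to fit, so len can run past the end of buf.
 * Returns 1 if the 3-byte reply was queued, 0 if it was dropped. */
static int queue_reply(struct netout *o, unsigned char verb, unsigned char opt)
{
    if (o->len + 3 > sizeof o->buf) {   /* the missing bounds check */
        o->dropped++;
        return 0;
    }
    o->buf[o->len++] = IAC;
    o->buf[o->len++] = verb;
    o->buf[o->len++] = opt;
    return 1;
}

/* Scan raw client input: refuse every DO with WONT and every WILL with
 * DONT (a server that enables no options). Returns option requests seen. */
size_t process_input(struct netout *o, const unsigned char *in, size_t n)
{
    size_t requests = 0;
    for (size_t i = 0; i < n; ) {
        if (in[i] != IAC) { i++; continue; }
        if (i + 2 >= n) break;                /* incomplete command */
        unsigned char verb = in[i + 1], opt = in[i + 2];
        if (verb == DO)        { queue_reply(o, WONT, opt); requests++; }
        else if (verb == WILL) { queue_reply(o, DONT, opt); requests++; }
        i += 3;
    }
    return requests;
}
```

   With the 64-byte queue, a stream of 30 DO requests yields 21 queued
   replies and 9 dropped ones; without the size test the 22nd reply would
   already be written past the end of buf.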
   
   The vulnerability was discovered by TESO. An exploit for this
   vulnerability has been publicly released; internal testing at CERT/CC
   confirms this exploit works against at least one target system. For
   more information, see
   
          http://www.team-teso.net/advisories/teso-advisory-011.tar.gz.
          
   This vulnerability has been assigned the identifier CAN-2001-0554 by
   the Common Vulnerabilities and Exposures (CVE) group:
   
          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0554
          
II. Impact

   An intruder can execute arbitrary code with the privileges of the
   telnetd process, typically root.
   
III. Solution

Apply a patch

   Appendix A contains information from vendors who have provided
   information for this advisory. We will update the appendix as we
   receive more information. If you do not see your vendor's name, the
   CERT/CC did not hear from that vendor. Please contact your vendor
   directly.
   
Restrict access to the Telnet service (typically port 23/tcp) using a
firewall or packet-filtering technology.

   Until a patch can be applied, you may wish to block access to the
   Telnet service from outside your network perimeter. This will limit
   your exposure to attacks. However, blocking port 23/tcp at a network
   perimeter would still allow attackers within the perimeter of your
   network to exploit the vulnerability. It is important to understand
   your network's configuration and service requirements before deciding
   what changes are appropriate.
   
Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. When vendors report new information to the CERT/CC, we
   update this section and note the changes in our revision history. If a
   particular vendor is not listed below, we have not received their
   comments.
   
Berkeley Software Design, Inc. (BSDI)

   All current versions of BSD/OS are vulnerable. Patches are available
   via our web site at http://www.bsdi.com/services/support/patches and
   via ftp at ftp://ftp.bsdi.com/bsdi/support/patches as soon as testing
   has been completed.
   
Caldera, Inc.

   Caldera has determined that OpenServer, UnixWare 7 and OpenUnix 8 are
   vulnerable, and we are working on fixes. All of Caldera's Linux
   supported products are unaffected by this problem if all previously
   released security updates have been applied. If you're running either
   OpenLinux 2.3 or OpenLinux eServer 2.3, make sure you've updated your
   systems to netkit-telnet-0.16. This patch was released in March 2000,
   and is available from ftp://ftp.caldera.com
   
   OpenLinux 2.3:
   
   /pub/openlinux/updates/2.3/022/RPMS/netkit-telnet-0.16-1.i386.rpm
   
   OpenLinux eServer 2.3.1:
   /pub/eServer/2.3/updates/2.3/007/RPMS/netkit-telnet-0.16-1.i386.rpm
   
   OpenLinux eDesktop 2.4, OpenLinux 3.1 Server, and OpenLinux 3.1
   Workstation are not affected.
   (Caldera has recently released CSSA-2001-030.0 -
   http://www.caldera.com/support/security/advisories/CSSA-2001-030.0.txt
   which updates the above information with other systems that are
   vulnerable.)
   
Cisco Systems

   Cisco IOS does not appear to be vulnerable. Certain non-IOS products
   are supplied on other operating system platforms which themselves may
   be vulnerable as described elsewhere in this CERT Advisory. The Cisco
   PSIRT is continuing to investigate the vulnerability to be certain
   and, if necessary, will provide updates to the CERT and publish an
   advisory. Cisco Security Advisories are on-line at
   http://www.cisco.com/go/psirt/.
   
Conectiva

   (Conectiva has released advisory CLSA-2001:413, located at
   http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000413, to
   address this issue.)
   
Cray, Inc.

   Cray, Inc. has found UNICOS and UNICOS/mk to be vulnerable. Please see
   Field Notice 5062 and spr 720789 for fix information. We are currently
   investigating the MTA for vulnerability.
   
FreeBSD, Inc.

   All released versions of FreeBSD are vulnerable to this problem, which
   was fixed in FreeBSD 4.3-STABLE and FreeBSD 3.5.1-STABLE on July 23,
   2001. An advisory has been released, along with a patch to correct the
   vulnerability and a binary upgrade package suitable for use on FreeBSD
   4.3-RELEASE systems. For more information, see the advisory at the
   following location:
   
          ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc
          
   or use an FTP mirror site from the following URL:
   
          http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html
          
   (FreeBSD has also released
   ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A54.ports-telnetd.asc,
   a follow-up advisory related to third-party implementations found in
   the FreeBSD ports collection.)
   
Hewlett-Packard Company

   ...HP-UX 11.X is not vulnerable, HP-UX 10.X is vulnerable. Patches are
   in process, watch for the associated HP security Bulletin....
   
IBM Corporation

   IBM's AIX operating system, versions 5.1L and under, is vulnerable to
   this exploit. IBM has these APAR assignments for this vulnerability:
   For AIX 4.3.3, the APAR number is IY22029. For AIX 5.1, the APAR
   number is IY22021.
   
   An emergency fix (efix) is now available for downloading from the ftp
   site ftp://aix.software.ibm.com/aix/efixes/security. The efix package
   name to fix this vulnerability is "telnetd_efix.tar.Z". An advisory is
   included in the tarfile that gives installation instructions for the
   appropriate patched telnetd binary. Two patches are in the tarfile:
   one for AIX 4.3.3 (telnetd.433) and one for AIX 5.1 (telnetd.510).
   
   IBM is investigating the severity of the exploitation of this
   vulnerability.
   
NetBSD

   All releases of NetBSD are affected. The issue was patched in
   NetBSD-current on July 19th. A Security Advisory including patches
   will be available shortly, at:
   ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc
   
   NetBSD releases since July 2000 have shipped with telnetd disabled by
   default. If it has been re-enabled on a system, it is highly
   recommended to disable it at least until patches are installed.
   Furthermore, NetBSD recommends the use of a Secure Shell instead of
   telnet for most applications.
   
Secure Computing Corporation

   The telnetd vulnerability referenced is not applicable to Sidewinder
   as a result of disciplined security software design practices in
   combination with Secure Computing's patented Type Enforcement(tm)
   technology. Sidewinder's telnetd services are greatly restricted due
   to both known and theoretical vulnerabilities. This least privilege
   design renders the attack described in the CERT-2001-21 Advisory
   useless. In addition, Sidewinder's operating system, SecureOS(tm),
   built on Secure's Type Enforcement technology, has further defenses
   against this attack that would trigger multiple security violations.
   
   Specifically, the attack first attempts to start a shell process.
   Sidewinder's embedded Type Enforcement security rules prevent telnetd
   from replicating itself and accessing the system shell programs. Even
   without this embedded, tamper proof rule in place, other Type
   Enforcement rules also defend against this attack. As an example, the
   new shell would need administrative privileges and those privileges
   are not available to the telnetd services.
   
SGI

   SGI acknowledges the telnetd vulnerability reported by CERT and is
   currently investigating. Until SGI has more definitive information to
   provide, customers are encouraged to assume all security
   vulnerabilities as exploitable and take appropriate steps according to
   local site security policies and requirements.
   
   As further information becomes available, additional advisories will
   be issued via the normal SGI security information distribution methods
   including the wiretap mailing list and
   
   http://www.sgi.com/support/security/
   
Sun Microsystems, Inc.

   Sun is currently investigating and has confirmed that one can make
   the in.telnetd daemon dump core, but Sun has not yet determined if this
   issue is potentially exploitable on Solaris.
   
Appendix B. - References

    1. http://www.ietf.org/rfc/rfc0854.txt
    2. http://www.team-teso.net/advisories/teso-advisory-011.tar.gz
    3. http://www.kb.cert.org/vuls/id/745371
    4. ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc
     _________________________________________________________________
   
   The CERT Coordination Center thanks TESO, who published an advisory on
   this issue. We would also like to thank Jeff Polk for technical
   assistance.
     _________________________________________________________________
   
   Authors: Jason A. Rafail, Ian Finlay, and Shawn Hernan.
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/advisories/CA-2001-21.html
   ______________________________________________________________________
   
CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.
          
   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.
   
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
   http://www.cert.org/CERT_PGP.key
       
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
Getting security information

   CERT publications and other security information are available from
   our web site
   
   http://www.cert.org/
       
   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   message
   
   subscribe cert-advisory
   
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________
   
   Conditions for use, disclaimers, and sponsorship information
   
   Copyright 2001 Carnegie Mellon University.
   
   Revision History
July 24, 2001:  Initial release
July 25, 2001:  Fixed HTML tags in vendor section
July 25, 2001:  Added vendor statements
July 25, 2001:  Added CVE number CAN-2001-0554
July 26, 2001:  Added vendor statements
July 27, 2001:  Fixed vendor section HTML tags
July 31, 2001:  Revised IBM statement
July 31, 2001:  Added Secure Computing Corporation statement
July 31, 2001:  Updated HP statement
August 10, 2001: Revised IBM statement
August 20, 2001: Updated Caldera statement
August 21, 2001: Updated FreeBSD statement
August 27, 2001: Added link to Conectiva advisory