CERT® Advisory CA-2001-21 Buffer Overflow in telnetd
Original release date: July 24, 2001
Last revised: Thu Jul 26 11:09:18 EDT 2001
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Systems running versions of telnetd derived from BSD source.Overview
The telnetd program is a server for the Telnet remote virtual terminal
protocol. There is a remotely exploitable buffer overflow in Telnet
daemons derived from BSD source code. This vulnerability can crash the
server, or be leveraged to gain root access.I. Description
There is a remotely exploitable buffer overflow in Telnet daemons derived
from BSD source code. During the processing of the Telnet protocol
options, the results of the “telrcv” function are stored in a fixed-size
buffer. It is assumed that the results are smaller than the buffer and no
bounds checking is performed.
The vulnerability was discovered by TESO. An exploit for this
vulnerability has been publicly released; internal testing at CERT/CC
confirms this exploit works against at least one target system. For more
information, see
http://www.team-teso.net/advisories/teso-advisory-011.tar.gz> .
This vulnerability has been assigned the identifier CAN-2001-0554 by the
Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0554II. Impact
An intruder can execute arbitrary code with the privileges of the telnetd
process, typically root.III. Solution
Apply a patch
Appendix A contains information from vendors who have provided information
for this advisory. We will update the appendix as we receive more
information. If you do not see your vendor’s name, the CERT/CC did not
hear from that vendor. Please contact your vendor directly.
Restrict access to the Telnet service (typically port 23/tcp) using a
firewall or packet-filtering technology.
Until a patch can be applied, you may wish to block access to the Telnet
service from outside your network perimeter. This will limit your exposure
to attacks. However, blocking port 23/tcp at a network perimeter would
still allow attackers within the perimeter of your network to exploit the
vulnerability. It is important to understand your network’s configuration
and service requirements before deciding what changes are appropriate.Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory.
When vendors report new information to the CERT/CC, we update this section
and note the changes in our revision history. If a particular vendor is
not listed below, we have not received their comments.BSDI
All current versions of BSD/OS are vulnerable. Patches are available via
our web site at > http://www.bsdi.com/services/support/patches > and via ftp
at > ftp://ftp.bsdi.com/bsdi/support/patches > as soon as testing has been
completed.Caldera
Caldera has determined that OpenServer, UnixWare 7 and OpenUnix 8 are
vulnerable, and we are working on fixes. All of Caldera’s Linux supported
products are unaffected by this problem if all previously released
security updates have been applied. If you’re running either OpenLinux 2.3
or OpenLinux eServer 2.3, make sure you’ve updated your systems to
netkit-telnet-0.16. This patch was released in March 2000, and are
available from > ftp://ftp.caldera.com
OpenLinux 2.3:
/pub/openlinux/updates/2.3/022/RPMS/netkit-telnet-0.16-1.i386.rpm
OpenLinux eServer 2.3.1:
/pub/eServer/2.3/updates/2.3/007/RPMS/netkit-telnet-0.16-1.i386.rpm
OpenLinux eDesktop 2.4, OpenLinux 3.1 Server, and OpenLinux 3.1
Workstation are not affected.Cisco Systems
Cisco IOS does not appear to be vulnerable. Certain non-IOS products are
supplied on other operating system platforms which themselves may be
vulnerable as described elsewhere in this CERT Advisory. The Cisco PSIRT
is continuing to investigate the vulnerability to be certain and, if
necessary, will provide updates to the CERT and publish an advisory. Cisco
Security Advisories are on-line at > http://www.cisco.com/go/psirt/> .FreeBSD
All released versions of FreeBSD are vulnerable to this problem, which was
fixed in FreeBSD 4.3-STABLE and FreeBSD 3.5.1-STABLE on July 23, 2001. An
advisory has been released, along with a patch to correct the
vulnerability and a binary upgrade package suitable for use on FreeBSD
4.3-RELEASE systems. For more information, see the advisory at the
following location:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd
.asc
or use an FTP mirror site from the following URL:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html
Hewlett-Packard
[This issue is] actively under investigation to determine vulnerability
ramifications.IBM
IBM’s AIX operating system, versions 5.1L and under, is vulnerable to this
exploit.
We have developed an emergency fix (efix) for this vulnerability, and are
testing it. This efix will be posted as soon as possible to the ftp site
ftp://ftp.software.ibm.com/aix/efixes/security> . An APAR number will also
be assigned very soon.
IBM is investigating the severity of the exploitation of this
vulnerability.NetBSD
All releases of NetBSD are affected. The issue was patched in
NetBSD-current on July 19th. A Security Advisory including patches will be
available shortly, at:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt> .
asc
NetBSD releases since July 2000 have shipped with telnetd disabled by
default. If it has been re-enabled on a system, it is highly recommended
to disable it at least until patches are installed. Furthermore, NetBSD
recommends the use of a Secure Shell instead of telnet for most
applications."SGI
SGI acknowledges the telnetd vulnerability reported by CERT and is
currently investigating. Until SGI has more definitive information to
provide, customers are encouraged to assume all security vulnerabilities
as exploitable and take appropriate steps according to local site security
policies and requirements.
As further information becomes available, additional advisories will be
issued via the normal SGI security information distribution methods
including the wiretap mailing list and
http://www.sgi.com/support/security/
Sun Microsystems
Sun is currently investigating and have confirmed that one can make the
in.telnetd daemon dump core but Sun has not yet determined if this issue
is potentially exploitable on Solaris.Appendix B. - References
http://www.ietf.org/rfc/rfc0854.txt
http://www.team-teso.net/advisories/teso-advisory-011.tar.gz
http://www.kb.cert.org/vuls/id/745371
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd
.asc
The CERT Coordination Center thanks TESO, who published an advisory on
this issue. We would also like to thank Jeff Polk for technical
assistance.
To answer the quesion on the Subject line, Yes.
Many of QNX/Neutrino utilities share the same BSD lineage.
–
alain