SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Telnet Vendors:   FreeBSD
FreeBSD Telnet Encryption Feature Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1026460
SecurityTracker URL:  http://securitytracker.com/id/1026460
CVE Reference:   CVE-2011-4862   (Links to External Site)
Date:  Dec 23 2011
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in FreeBSD Telnet. A remote user can execute arbitrary code on the target system.

If the telnetd(8) is enabled, a remote user can supply a specially crafted encryption key to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the telnet daemon (typically root privileges).

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fix.

The vendor's advisory is available at:

http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc

Vendor URL:  security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc (Links to External Site)
Cause:   Boundary error
Underlying OS:   UNIX (FreeBSD)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 26 2012 (Cisco Issues Fix for Cisco IronPort) FreeBSD Telnet Encryption Feature Buffer Overflow Lets Remote Users Execute Arbitrary Code   (Cisco Systems Product Security Incident Response Team <psirt@cisco.com>)
Cisco has issued a fix for Cisco IronPort/Cisco Email Security Appliance/Cisco Web Security Appliance.



 Source Message Contents

Date:  Fri, 23 Dec 2011 15:36:43 GMT
Subject:  FreeBSD Security Advisory FreeBSD-SA-11:08.telnetd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:08.telnetd                                    Security Advisory
                                                          The FreeBSD Project

Topic:          telnetd code execution vulnerability

Category:       core
Module:         contrib
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name:       CVE-2011-4862

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the
TELNET virtual terminal protocol.  It has been disabled by default in
FreeBSD since August 2001, and due to the lack of cryptographic security
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead.  The FreeBSD telnet daemon can be enabled via the
/etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol has a mechanism for encryption of the data stream
(but it is not cryptographically strong and should not be relied upon
in any security-critical applications).

II.  Problem Description

When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.

III. Impact

An attacker who can connect to the telnetd daemon can execute arbitrary
code with the privileges of the daemon (which is usually the "root"
superuser).

IV.  Workaround

No workaround is available, but systems not running the telnet daemon
are not vulnerable.

Note that the telnet daemon is usually run via inetd, and consequently
will not show up in a process listing unless a connection is currently
active; to determine if it is enabled, run

$ ps ax | grep telnetd | grep -v grep
$ grep telnetd /etc/inetd.conf | grep -vE '^#'

If any output is produced, your system may be vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2, and 8.1  systems.

a) Download the patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make && make install
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.2.24.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.24.1
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.7
  src/sys/conf/newvers.sh                                  1.72.2.18.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.2.38.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.40.2
RELENG_7_3
  src/UPDATING                                            1.507.2.34.2.11
  src/sys/conf/newvers.sh                                  1.72.2.16.2.13
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.2.36.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.38.2
RELENG_8
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c          1.1.1.3.2.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.36.2
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.7
  src/sys/conf/newvers.sh                                  1.83.2.12.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c          1.1.1.3.8.1
  src/contrib/telnet/libtelnet/encrypt.c                     1.9.36.1.6.2
RELENG_8_1
  src/UPDATING                                            1.632.2.14.2.10
  src/sys/conf/newvers.sh                                  1.83.2.10.2.11
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c          1.1.1.3.6.1
  src/contrib/telnet/libtelnet/encrypt.c                     1.9.36.1.4.2
RELENG_9
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.3.10.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.42.2
RELENG_9_0
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.3.12.1
  src/contrib/telnet/libtelnet/encrypt.c                     1.9.42.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r228843
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r228843
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228843
releng/9.0/                                                       r228843
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37IYcwCfXn5aQTfQDe/AnS31JBg+BB1m
HJMAmgOE5pUKTlFqLw5UBouMNFfUmu2u
=dcyj
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org"
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC