Date: 03 January 2012
References: ESB-2012.0002 ESB-2012.0003 ESB-2012.0005 ESB-2012.0006 ESB-2012.0009 ESB-2012.0333.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0001
Buffer overflow in telnetd
3 January 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: krb5
Publisher: MIT
Operating System: UNIX variants (UNIX, Linux, OSX); Windows
Impact/Access: Root Compromise -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-4862
Original Bulletin:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt
Comment: Please note that the exploit code is being actively used in the wild
and does not require authentication.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MITKRB5-SA-2011-008
MIT krb5 Security Advisory 2011-008
Original release: 2011-12-26
Last update: 2011-12-26
Topic: buffer overflow in telnetd
CVE-2011-4862
CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVSSv2 Base Score: 10
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
CVSSv2 Temporal Score: 8.3
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
SUMMARY
=======
The telnet daemon (telnetd) in MIT krb5 (and in krb5-appl after the
applications were moved to a separate distribution for krb5-1.8) is
vulnerable to a buffer overflow. The flaw does not require
authentication to exploit. Exploit code is reported to be actively
used in the wild.
IMPACT
======
An unauthenticated remote attacker can cause a buffer overflow and
probably execute arbitrary code with the privileges of the telnet
daemon (normally root).
AFFECTED SOFTWARE
=================
* The telnet daemon in all releases of MIT krb5 prior to krb5-1.8 is
vulnerable. Later releases moved the telnet code to the krb5-appl
distribution.
* The telnet daemon in all releases of krb5-appl is vulnerable.
FIXES
=====
* Workaround: Disable telnet and use a more secure remote login
solution, such as SSH.
* A future release of krb5-appl will fix this vulnerability.
* Apply the following patch:
diff --git a/telnet/libtelnet/encrypt.c b/telnet/libtelnet/encrypt.c
index f75317d..b8d6cdd 100644
- - --- a/telnet/libtelnet/encrypt.c
+++ b/telnet/libtelnet/encrypt.c
@@ -757,6 +757,9 @@ static void encrypt_keyid(kp, keyid, len)
int dir = kp->dir;
register int ret = 0;
+ if (len > MAXKEYLEN)
+ len = MAXKEYLEN;
+
if (!(ep = (*kp->getcrypt)(*kp->modep))) {
if (len == 0)
return;
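Review bot: clamping `len` to MAXKEYLEN before the copy closes the overflow, but it silently truncates an over-length key ID rather than rejecting the suboption, so a malformed peer's key ID is accepted in altered form; consider treating `len > MAXKEYLEN` as a protocol error (drop the suboption and log it) instead of `len = MAXKEYLEN;`. The K&R header `encrypt_keyid(kp, keyid, len)` does not show the type of `len`; if it is a signed `int`, the new check only guards the upper bound and a `len < 0` guard belongs next to it.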
This patch is also available at
http://web.mit.edu/kerberos/advisories/2011-008-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2011-008-patch.txt.asc
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2011-4862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006117.html
ACKNOWLEDGMENTS
===============
We became aware of this vulnerability through a FreeBSD security
advisory.
CONTACT
=======
The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:
pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>
DETAILS
=======
If the telnetd receives an ENCRYPT suboption that includes a key ID,
encrypt_keyid() in libtelnet/encrypt.c copies the suboption contents
into a fixed-size static buffer without first constraining the length,
leading to a buffer overflow.
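The pattern the DETAILS section describes, shown as an added example that is not MIT's encrypt.c code: a fixed-size key-ID buffer, a copy that clamps the length first (the advisory's fix), and a stricter variant that rejects over-length input. The `keyid_state` struct, the guard field, and the value 64 for MAXKEYLEN are all assumptions constructed for this example; the advisory names MAXKEYLEN but does not state its value.

```c
#include <string.h>
#include <stdio.h>

/* Assumed buffer size: the advisory names MAXKEYLEN but not its value,
 * so 64 is a constructed example value, not the real definition. */
#define MAXKEYLEN 64

/* Constructed stand-in for the per-direction key state telnetd keeps.
 * The guard field sits directly after the fixed-size buffer so a caller
 * can check that a copy never ran past the end of keyid[]. */
struct keyid_state {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
    unsigned int guard;
};

#define GUARD_VALUE 0xC0DEC0DEu

void keyid_state_init(struct keyid_state *st)
{
    memset(st->keyid, 0, sizeof st->keyid);
    st->keylen = 0;
    st->guard = GUARD_VALUE;
}

/* Mirrors the advisory's fix: constrain len to the buffer size before the
 * copy. Returns the number of bytes actually stored. A negative len (possible
 * when the caller passes a signed int) is treated as an empty key ID. */
int store_keyid_clamped(struct keyid_state *st, const unsigned char *keyid, int len)
{
    if (len < 0)
        len = 0;
    if (len > MAXKEYLEN)
        len = MAXKEYLEN;
    st->keylen = len;
    if (len > 0)
        memcpy(st->keyid, keyid, (size_t)len);
    return len;
}

/* Stricter alternative: refuse an over-length or negative key ID outright.
 * Returns 0 on success, -1 if the suboption is rejected (state untouched). */
int store_keyid_strict(struct keyid_state *st, const unsigned char *keyid, int len)
{
    if (len < 0 || len > MAXKEYLEN)
        return -1;
    st->keylen = len;
    if (len > 0)
        memcpy(st->keyid, keyid, (size_t)len);
    return 0;
}

/* Returns 1 if the guard after the buffer is still intact, 0 otherwise. */
int guard_intact(const struct keyid_state *st)
{
    return st->guard == GUARD_VALUE;
}

int main(void)
{
    struct keyid_state st;
    unsigned char oversized[200];
    /* Constructed over-length key ID: 200 bytes against a 64-byte buffer. */
    memset(oversized, 'A', sizeof oversized);

    keyid_state_init(&st);
    printf("clamped: stored %d bytes, guard intact: %d\n",
           store_keyid_clamped(&st, oversized, (int)sizeof oversized),
           guard_intact(&st));

    keyid_state_init(&st);
    printf("strict: rc=%d, guard intact: %d\n",
           store_keyid_strict(&st, oversized, (int)sizeof oversized),
           guard_intact(&st));
    return 0;
}
```

The clamped variant reproduces the behaviour of the advisory's patch (truncate and continue); the strict variant is the choice a reviewer would usually prefer for a network-facing parser, since an over-length key ID is a protocol violation and silently shortening it hides the malformed input from logs.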
REVISION HISTORY
================
2011-12-26 original release
Copyright (C) 2011 Massachusetts Institute of Technology
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)
iEYEARECAAYFAk744dsACgkQSO8fWy4vZo6oOACdFW96Ei5AHXbXHBsHaax6tiEE
8AIAoJjMKx/2cbcLiTlHYiN3ypy8XF4S
=acqN
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=cyaL
-----END PGP SIGNATURE-----