Date: 03 January 2012
References: ESB-2012.0001 ESB-2012.0002 ESB-2012.0003 ESB-2012.0005 ESB-2012.0093
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0006
telnetd code execution vulnerability
3 January 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: telnetd
Publisher: FreeBSD
Operating System: FreeBSD
Impact/Access: Root Compromise -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-4862
Reference: ESB-2012.0005
ESB-2012.0003
ESB-2012.0002
ESB-2012.0001
Original Bulletin:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-11:08.telnetd.asc
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-11:08.telnetd Security Advisory
The FreeBSD Project
Topic: telnetd code execution vulnerability
Category: core
Module: contrib
Announced: 2011-12-23
Affects: All supported versions of FreeBSD.
Corrected: 2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name: CVE-2011-4862
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The FreeBSD telnet daemon, telnetd(8), implements the server side of the
TELNET virtual terminal protocol. It has been disabled by default in
FreeBSD since August 2001, and due to the lack of cryptographic security
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead. The FreeBSD telnet daemon can be enabled via the
/etc/inetd.conf configuration file and the inetd(8) daemon.
The TELNET protocol has a mechanism for encryption of the data stream
(but it is not cryptographically strong and should not be relied upon
in any security-critical applications).
II. Problem Description
When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.
III. Impact
An attacker who can connect to the telnetd daemon can execute arbitrary
code with the privileges of the daemon (which is usually the "root"
superuser).
IV. Workaround
No workaround is available, but systems not running the telnet daemon
are not vulnerable.
Note that the telnet daemon is usually run via inetd, and consequently
will not show up in a process listing unless a connection is currently
active; to determine if it is enabled, run
$ ps ax | grep telnetd | grep -v grep
$ grep telnetd /etc/inetd.conf | grep -vE '^#'
If any output is produced, your system may be vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2, and 8.1 systems.
a) Download the patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make && make install
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install
3) To update your vulnerable system via a binary patch:
Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- - -------------------------------------------------------------------------
RELENG_7
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.2.24.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.24.1
RELENG_7_4
src/UPDATING 1.507.2.36.2.7
src/sys/conf/newvers.sh 1.72.2.18.2.10
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.2.38.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.40.2
RELENG_7_3
src/UPDATING 1.507.2.34.2.11
src/sys/conf/newvers.sh 1.72.2.16.2.13
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.2.36.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.38.2
RELENG_8
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.2.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.36.2
RELENG_8_2
src/UPDATING 1.632.2.19.2.7
src/sys/conf/newvers.sh 1.83.2.12.2.10
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.8.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.36.1.6.2
RELENG_8_1
src/UPDATING 1.632.2.14.2.10
src/sys/conf/newvers.sh 1.83.2.10.2.11
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.6.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.36.1.4.2
RELENG_9
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.10.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.42.2
RELENG_9_0
src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c 1.1.1.3.12.1
src/contrib/telnet/libtelnet/encrypt.c 1.9.42.1.2.2
- - -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- - -------------------------------------------------------------------------
stable/7/ r228843
releng/7.4/ r228843
releng/7.3/ r228843
stable/8/ r228843
releng/8.2/ r228843
releng/8.1/ r228843
stable/9/ r228843
releng/9.0/ r228843
- - -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)
iEYEARECAAYFAk70nOoACgkQFdaIBMps37IYcwCfXn5aQTfQDe/AnS31JBg+BB1m
HJMAmgOE5pUKTlFqLw5UBouMNFfUmu2u
=dcyj
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTwJgX+4yVqjM2NGpAQL15g//djU5LVA6JvC1JbbYgky0/03FQsmNUYTX
EtVnRaL8XX37uTRpgqTaZE1g2Fk2GqpM6T0YaUhj9ju9kornVfa0NN2g0mV9DmHm
8QaOeqcNXT1hpkzDMovguqzkQZcOUCW1rWFW5ob3fg7259uPGJtFpotTSjTOaC9J
n3BMUb6qflQiBnAEjzJyBxMAcwYYDuB+hcuR8vdcgOFTocX7FM5+SXI94dSFtb5q
MCqmhzzyMIeXQBrw6G2iwFfp3jjG8+wSpC54hg1w/nS+l9xHY+xKqHJ/Z0Y5w72R
HL/q38YTUFGxX33iLFCs6KQu7h9ByLVI8kTVAr8js0XqNANBE3aYw3MsCU+FWknQ
gQR6X0Nx8EQXzrw9WH4UtZZJpfkBNqp6ULIcGvfmgMjhitIId+xRfg5rq4sIDSpb
9Mjy6uxHPbPr6at/4WcR4VrTSM7rNKAMOTHOwXHYq/6aIkbt0flx86m25gOl8cxc
S8Hzor9SH3qE/fjXhwzsqNn6hpIeGdMay+R50UP53RRoptUacov9oQIJ3IM8CwNf
xU2WBq4N62E2KDJ9caIdyykpHt7m7UOwT6g3gmUPr/nUM9Dz6BD3BKHOhOVC0+/h
JeWdbBdb5T7/N3yixSC760FuSA4utGvJaQUYSjhpAb5IHS+6X9Hit61RCaWsRLzM
UT4eDQOazY0=
=xAIp
-----END PGP SIGNATURE-----
|