[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
MITKRB5-SA-2011-008 buffer overflow in telnetd [CVE-2011-4862]
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: MITKRB5-SA-2011-008 buffer overflow in telnetd [CVE-2011-4862]
- From: Tom Yu <tlyu@xxxxxxx>
- Date: Mon, 26 Dec 2011 16:14:16 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MITKRB5-SA-2011-008
MIT krb5 Security Advisory 2011-008
Original release: 2011-12-26
Last update: 2011-12-26
Topic: buffer overflow in telnetd
CVE-2011-4862
CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVSSv2 Base Score: 10
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
CVSSv2 Temporal Score: 8.3
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
SUMMARY
=======
The telnet daemon (telnetd) in MIT krb5 (and in krb5-appl after the
applications were moved to a separate distribution for krb5-1.8) is
vulnerable to a buffer overflow. The flaw does not require
authentication to exploit. Exploit code is reported to be actively
used in the wild.
IMPACT
======
An unauthenticated remote attacker can cause a buffer overflow and
probably execute arbitrary code with the privileges of the telnet
daemon (normally root).
AFFECTED SOFTWARE
=================
* The telnet daemon in all releases of MIT krb5 prior to krb5-1.8 is
vulnerable. Later releases moved the telnet code to the krb5-appl
distribution.
* The telnet daemon in all releases of krb5-appl is vulnerable.
FIXES
=====
* Workaround: Disable telnet and use a more secure remote login
solution, such as SSH.
* A future release of krb5-appl will fix this vulnerability.
* Apply the following patch:
diff --git a/telnet/libtelnet/encrypt.c b/telnet/libtelnet/encrypt.c
index f75317d..b8d6cdd 100644
- --- a/telnet/libtelnet/encrypt.c
+++ b/telnet/libtelnet/encrypt.c
@@ -757,6 +757,9 @@ static void encrypt_keyid(kp, keyid, len)
int dir = kp->dir;
register int ret = 0;
+ if (len > MAXKEYLEN)
+ len = MAXKEYLEN;
+
if (!(ep = (*kp->getcrypt)(*kp->modep))) {
if (len == 0)
return;
This patch is also available at
http://web.mit.edu/kerberos/advisories/2011-008-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2011-008-patch.txt.asc
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2011-4862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006117.html
ACKNOWLEDGMENTS
===============
We became aware of this vulnerability through a FreeBSD security
advisory.
CONTACT
=======
The MIT Kerberos Team security contact address is
<krbcore-security@xxxxxxx>. When sending sensitive information,
please PGP-encrypt it using the following key:
pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@xxxxxxx>
DETAILS
=======
If the telnetd receives an ENCRYPT suboption that includes a key ID,
encrypt_keyid() in libtelnet/encrypt.c copies the suboption contents
into a fixed-size static buffer without first constraining the length,
leading to a buffer overflow.
REVISION HISTORY
================
2011-12-26 original release
Copyright (C) 2011 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)
iEYEARECAAYFAk744dsACgkQSO8fWy4vZo6oOACdFW96Ei5AHXbXHBsHaax6tiEE
8AIAoJjMKx/2cbcLiTlHYiN3ypy8XF4S
=acqN
-----END PGP SIGNATURE-----