Original release date: July 24, 2001<BR>
Last revised: April 16, 2002<BR>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<ul>
<li>Systems running versions of telnetd derived from BSD source.</li>
</ul>

<A NAME="overview">
<H2>Overview</H2>

<P>

The telnetd program is a server for the <A HREF="http://www.ietf.org/rfc/rfc0854.txt">Telnet</a> remote virtual terminal
protocol. There is a remotely exploitable buffer overflow in Telnet
daemons derived from BSD source code. This vulnerability can crash the
server, or be leveraged to gain root access.  </P>

<A NAME="description">
<H2>I. Description</H2>

<P>There is a remotely exploitable buffer overflow in Telnet daemons
derived from BSD source code. While processing Telnet protocol options,
the "telrcv" function generates replies to the client and appends them to
a fixed-size output buffer. The code assumes that the accumulated replies
will always fit in that buffer and performs no bounds checking, so a client
that sends enough option requests can write past the end of it.</P>
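<p>To make the failure concrete, the following is an added example written for this page; it is not code from the advisory, from TESO, or from any BSD telnetd. It models an option handler that walks a client's byte stream and appends its replies to a fixed-size output buffer, first in the unchecked form described above and then with the room check the original lacked. Everything in it is an assumption chosen for the demonstration: the 64-byte buffer (far smaller than a real daemon's, so the overrun is easy to see), the "[Yes]" reply to AYT, the policy of refusing every option with WONT or DONT, the constructed sample inputs, and the function names. The unchecked run writes into a deliberately oversized scratch buffer so that measuring how far past the nominal limit it wrote stays well defined.</p>

```c
/* Added example, not from the advisory, TESO or any BSD telnetd: a model of a
 * Telnet option handler writing replies into a fixed-size output buffer, once
 * without the bounds check and once with it.  Sizes, the AYT reply text and the
 * sample inputs are assumptions made for the demonstration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { IAC = 255, DONT = 254, DO = 253, WONT = 252, WILL = 251, AYT = 246 };
#define NETOBUF_SIZE 64    /* nominal reply buffer, tiny so the overrun is obvious */
#define MAX_AYT      256   /* most AYT commands the sample builder will emit */
static const char AYT_REPLY[] = "\r\n[Yes]\r\n";   /* assumed to mirror BSD telnetd */
#define AYT_REPLY_LEN (sizeof AYT_REPLY - 1)

/* Backing storage, the size the code believes it has, a write cursor, refusals. */
struct outbuf { unsigned char *buf; size_t limit, len, dropped; };

/* Vulnerable pattern: copy and advance, never comparing against limit. */
static void append_unchecked(struct outbuf *o, const unsigned char *s, size_t n) {
    memcpy(o->buf + o->len, s, n);
    o->len += n;
}

/* Hardened pattern: check the remaining room before the copy. */
static void append_checked(struct outbuf *o, const unsigned char *s, size_t n) {
    if (n > o->limit - o->len) {   /* would overrun: refuse and account for it */
        o->dropped += n;           /* a real server would flush or close here */
        return;
    }
    memcpy(o->buf + o->len, s, n);
    o->len += n;
}

/* Walk the client byte stream and generate replies to IAC commands. */
static void telrcv_model(struct outbuf *o, const unsigned char *in, size_t n, int checked) {
    void (*append)(struct outbuf *, const unsigned char *, size_t) =
        checked ? append_checked : append_unchecked;
    unsigned char reply[3] = { IAC, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        if (in[i] != IAC || ++i >= n)   /* ordinary data, or IAC at end of input */
            continue;
        switch (in[i]) {
        case AYT:                       /* every AYT costs AYT_REPLY_LEN output bytes */
            append(o, (const unsigned char *)AYT_REPLY, AYT_REPLY_LEN);
            break;
        case DO: case WILL:             /* refuse every option: IAC WONT/DONT <opt> */
            if (++i >= n) return;
            reply[1] = (in[i - 1] == DO) ? WONT : DONT;
            reply[2] = in[i];
            append(o, reply, sizeof reply);
            break;
        case DONT: case WONT:           /* nothing to send back; skip the option byte */
            if (++i >= n) return;
            break;
        default:                        /* IAC IAC (escaped 0xff) and other commands */
            break;
        }
    }
}

/* Constructed sample input: `count` back-to-back IAC AYT commands. */
static size_t build_ayt_stream(unsigned char *dst, size_t count) {
    if (count > MAX_AYT) count = MAX_AYT;
    for (size_t k = 0; k < count; k++) { dst[2 * k] = IAC; dst[2 * k + 1] = AYT; }
    return 2 * count;
}

/* Unchecked handler over `count` AYTs.  The scratch buffer is far larger than
 * NETOBUF_SIZE so the experiment stays well defined; the return value is how
 * many bytes would have landed in a real NETOBUF_SIZE buffer. */
size_t run_unchecked(size_t count) {
    unsigned char in[2 * MAX_AYT], scratch[MAX_AYT * AYT_REPLY_LEN];
    struct outbuf o = { scratch, NETOBUF_SIZE, 0, 0 };
    telrcv_model(&o, in, build_ayt_stream(in, count), 0);
    return o.len;
}

/* Same input through the checked handler: bytes kept and bytes refused. */
struct checked_result { size_t kept, dropped; };
struct checked_result run_checked(size_t count) {
    unsigned char in[2 * MAX_AYT], netobuf[NETOBUF_SIZE];
    struct outbuf o = { netobuf, NETOBUF_SIZE, 0, 0 };
    telrcv_model(&o, in, build_ayt_stream(in, count), 1);
    return (struct checked_result){ o.len, o.dropped };
}

/* Does a short negotiation produce exactly the expected reply bytes? */
int reply_matches(const unsigned char *in, size_t n, const unsigned char *want, size_t m) {
    unsigned char netobuf[NETOBUF_SIZE];
    struct outbuf o = { netobuf, NETOBUF_SIZE, 0, 0 };
    telrcv_model(&o, in, n, 1);
    return o.len == m && memcmp(netobuf, want, m) == 0;
}
/* Constructed sample: client says DO ECHO (option 1); the model answers WONT ECHO. */
const unsigned char SAMPLE_DO_ECHO[]   = { IAC, DO, 1 };
const unsigned char EXPECT_WONT_ECHO[] = { IAC, WONT, 1 };

int main(void) {
    struct checked_result r = run_checked(20);
    printf("unchecked: 20 AYTs wrote %zu bytes into a %d-byte buffer\n",
           run_unchecked(20), NETOBUF_SIZE);
    printf("checked:   kept %zu bytes, refused %zu\n", r.kept, r.dropped);
    printf("DO ECHO answered with WONT ECHO: %s\n",
           reply_matches(SAMPLE_DO_ECHO, 3, EXPECT_WONT_ECHO, 3) ? "yes" : "no");
    return 0;
}
```

<p>Compiled with a C99 compiler and run, twenty back-to-back AYT commands produce 180 reply bytes for a buffer the unchecked code believes holds 64, while the checked path keeps the 63 bytes that fit and refuses the rest. What a server does on refusal (flush to the network, or drop the session) is a policy choice; the point is that the room check happens before the copy, not after.</p>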

<p>The vulnerability was discovered by TESO. An exploit for this
vulnerability has been publicly released; internal testing at CERT/CC
confirms this exploit works against at least one target system. For
more information, see</p>

<dl>
<dd>
<a href="http://www.team-teso.net/advisories/teso-advisory-011.tar.gz">http://www.team-teso.net/advisories/teso-advisory-011.tar.gz</a>.
</dd>
</dl>

<P>This vulnerability has been assigned the identifier CAN-2001-0554
by the Common Vulnerabilities and Exposures (CVE) group:</P>

<dl>
<dd><A
HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0554">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0554</a>
</dd>
</dl>


<A NAME="impact">
<H2>II. Impact</H2>


<p>An intruder can execute arbitrary code with the privileges of the
telnetd process, typically root. An attack that overruns the buffer
without achieving code execution can still crash the telnetd process.</p>

<A NAME="solution">
<H2>III. Solution</H2>

<H4>Apply a patch</H4>

<P><A HREF="#vendors">Appendix A</a> contains information from vendors who have
provided information for this advisory. We will update the appendix as
we receive more information. If you do not see your vendor's name, the
CERT/CC did not hear from that vendor. Please contact your vendor
directly.</P>

<H4>Restrict access to the Telnet service (typically port 23/tcp) using a firewall or packet-filtering technology.</H4>

<p>Until a patch can be applied, you may wish to block access to the
Telnet service from outside your network perimeter. This will limit
your exposure to attacks. However, blocking port 23/tcp at a network
perimeter still allows attackers within the perimeter of your
network to exploit the vulnerability, so treat it as a stopgap rather
than a fix. On hosts that do not need to offer Telnet at all, disabling
telnetd removes the exposure entirely, and an encrypted remote-login
service such as Secure Shell is the usual replacement where remote
logins are still required. It is important to understand your network's
configuration and service requirements before deciding what changes
are appropriate.</p>


<A NAME="vendors">
<H2>Appendix A. - Vendor Information</H2>

<P>This appendix contains information provided by vendors for this
advisory.  When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history.  If
a particular vendor is not listed below, we have not received their
comments.</P>

<!-- end vendor -->
<p>
<A NAME="apple">
<H4>Apple Computer</H4>

(Apple Computer has released security updates for Mac OS X v10.1 to address this vulnerability. They are located at: 
<a href="http://www.apple.com/support/security/security_updates.html"> http://www.apple.com/support/security/security_updates.html</a>)
<!-- end vendor -->
<p>
<A NAME="bsdi">
<H4>Berkeley Software Design, Inc. (BSDI)</H4>

All current versions of BSD/OS are vulnerable.  Patches are available via our web site at <a
href="http://www.bsdi.com/services/support/patches">http://www.bsdi.com/services/support/patches</a> and via ftp at <a
href="ftp://ftp.bsdi.com/bsdi/support/patches">ftp://ftp.bsdi.com/bsdi/support/patches</a> as soon as testing has been completed.

<!-- end vendor -->
<p>

<A NAME="caldera">
<H4>Caldera, Inc.</H4>

<p>Caldera has determined that OpenServer, UnixWare 7 and OpenUnix 8
are vulnerable, and we are working on fixes. All of Caldera's Linux
supported products are unaffected by this problem if all previously
released security updates have been applied. If you're running either
OpenLinux 2.3 or OpenLinux eServer 2.3, make sure you've updated your
systems to netkit-telnet-0.16. This patch was released in March 2000
and is available from <a href="ftp://ftp.caldera.com">ftp://ftp.caldera.com</a>:

<p>OpenLinux 2.3:</p>
<p>/pub/openlinux/updates/2.3/022/RPMS/netkit-telnet-0.16-1.i386.rpm</p>

<p>OpenLinux eServer 2.3.1:</p>
/pub/eServer/2.3/updates/2.3/007/RPMS/netkit-telnet-0.16-1.i386.rpm

<p>OpenLinux eDesktop 2.4, OpenLinux 3.1 Server, and OpenLinux 3.1
Workstation are not affected.</p>

(Caldera has recently released <a href="http://www.caldera.com/support/security/advisories/CSSA-2001-030.0.txt">CSSA-2001-030.0 - 
http://www.caldera.com/support/security/advisories/CSSA-2001-030.0.txt</a> which updates the above information with other 
systems that are vulnerable.)

<!-- end vendor -->


<A NAME="cisco">
<H4>Cisco Systems</H4>

<p>Cisco IOS does not appear to be vulnerable.  Certain non-IOS products
are supplied on other operating system platforms which themselves may
be vulnerable as described elsewhere in this CERT Advisory. The Cisco
PSIRT is continuing to investigate the vulnerability to be certain
and, if necessary, will provide updates to the CERT and publish an
advisory. Cisco Security Advisories are on-line at <a
href="http://www.cisco.com/go/psirt/">http://www.cisco.com/go/psirt/</a>.

<p>Update: Cisco has released <a
href="http://www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml">Cisco
Security Advisory: Cisco CatOS Telnet Buffer Vulnerability</a> to address
an occurrence of this vulnerability.

</p>

<!-- end vendor -->

<A NAME="compaq">
<H4>Compaq Computer Corporation</H4>
<pre> 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________
SOURCE: Compaq Computer Corporation
        Compaq Services
        Software Security Response Team USA

Compaq case id SSRT0745U

ref:   potential telnetd option handling vulnerability

x-ref: TESO Security Advisory   06/2001
       CERT CA2001-21 Advisory  07/2001


 Compaq has evaluated this vulnerability to telnetd
 distributed for Compaq Tru64/UNIX and OpenVMS Operating
 Systems Software and has determined that telnetd is not
 vulnerable to unauthorized command execution or
 root compromise.

 Compaq appreciates your cooperation and patience.
 We regret any inconvenience applying this information
 may cause.

 As always, Compaq urges you to periodically review your system
 management and security procedures.  Compaq will continue to
 review and enhance the security features of its products and work
 with customers to maintain and improve the security and integrity
 of their systems.

 To subscribe to automatically receive future NEW Security
 Advisories from the Compaq's Software Security Response Team
 via electronic mail,

 Use your browser select the URL
  http://www.support.compaq.com/patches/mailing-list.shtml
  Select "Security and Individual Notices" for immediate dispatch
  notifications directly to your mailbox.

  To report new Security Vulnerabilities, send mail to:
     security-ssrt@compaq.com

(c) Copyright 2001 Compaq Computer Corporation. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO2C5JjnTu2ckvbFuEQKmqwCg/m87d9k22+qV5GY2vJAR409KFD4AoIbR
vsQaZ9DOI4D4sj5Feg4bRZmS
=F5Nq
-----END PGP SIGNATURE-----
</pre>
<!-- end vendor -->


<A NAME="conectiva">
<H4>Conectiva</H4>

<p> 
(Conectiva has released advisory CLSA-2001:413, located at <a
href="http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000413">
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000413</a>, to 
address this issue.)
</p>

<!-- end vendor -->


<A NAME="cray">
<H4>Cray, Inc.</H4>

<p> 
Cray, Inc. has found UNICOS and UNICOS/mk to be vulnerable.  Please see Field Notice 5062 and spr 720789 for fix information.  We are currently investigating the MTA for 
vulnerability.
</p>
<!-- end vendor -->

<A NAME="freebsd">
<H4>FreeBSD, Inc.</H4>

All released versions of FreeBSD are vulnerable to this problem, which
was fixed in FreeBSD 4.3-STABLE and FreeBSD 3.5.1-STABLE on July 23,
2001.  An advisory has been released, along with a patch to correct
the vulnerability and a binary upgrade package suitable for use on
FreeBSD 4.3-RELEASE systems.  For more information, see the advisory
at the following location:

<dl>
<dd>
<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc">
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc</a>
</dd>
</dl>

or use an FTP mirror site from the following URL:


<dl>
<dd>
<A HREF="http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html">
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html</A>
</dd>
</dl>

(FreeBSD has also released <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A54.ports-telnetd.asc">ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A54.ports-telnetd.asc</a>,
a follow-up advisory related to third-party telnetd implementations found in the FreeBSD ports collection.)


<!-- end vendor -->

<A NAME="hp">
<H4>Hewlett-Packard Company</H4>

<p>...HP-UX 11.X is not vulnerable, HP-UX 10.X is vulnerable. Patches are
in process, watch for the associated HP security Bulletin....</p>

(Hewlett-Packard has released <a href="http://itrc.hp.com">Security
Bulletin HPSBUX0110-172 Sec. Vulnerability in telnetd</a> to address this
issue.)

<!-- end vendor -->

<A NAME="ibm">
<H4>IBM Corporation</H4>

<p>IBM's AIX operating system, versions 5.1L and under, is vulnerable to this exploit. IBM has these APAR assignments for this vulnerability: For AIX
4.3.3, the APAR number is IY22029. For AIX 5.1, the APAR number is
IY22021.</p>

<p>An emergency fix (efix) is now available for downloading from the
ftp site <a
href="ftp://aix.software.ibm.com/aix/efixes/security">ftp://aix.software.ibm.com/aix/efixes/security</a>.
The efix package name to fix this vulnerability is
"telnetd_efix.tar.Z". An advisory is included in the tarfile that gives installation
instructions for the appropriate patched telnetd binary. Two patches are in the tarfile: one for AIX 4.3.3 (telnetd.433) and
one for AIX 5.1 (telnetd.510).</p>

<p>IBM is investigating the severity of the exploitation of this vulnerability.</p>

<!-- end vendor -->

<A NAME="netbsd">
<H4>NetBSD</H4>

<p>All releases of NetBSD are affected. The issue was patched in
NetBSD-current on July 19th. A Security Advisory including patches
will be available shortly, at:</p>

<a href="ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc">ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-012.txt.asc</a>

<p>NetBSD releases since July 2000 have shipped with telnetd disabled by
default. If it has been re-enabled on a system, it is highly
recommended to disable it at least until patches are installed.
Furthermore, NetBSD recommends the use of a Secure Shell instead of
telnet for most applications.</p>

<!-- end vendor -->

<A NAME="secure computing corporation">
<H4>Secure Computing Corporation</H4>

<p>The telnetd vulnerability referenced is not applicable to
Sidewinder as a result of disciplined security software design
practices in combination with Secure Computing's patented Type
Enforcement(tm) technology. Sidewinder's telnetd services are greatly
restricted due to both known and theoretical vulnerabilities. This
least privilege design renders the attack described in the
CERT-2001-21 Advisory useless. In addition, Sidewinder's operating
system, SecureOS(tm), built on Secure's Type Enforcement technology,
has further defenses against this attack that would trigger multiple
security violations.</p>

<p>Specifically, the attack first attempts to start a shell
process. Sidewinder's embedded Type Enforcement security rules prevent
telnetd from replicating itself and accessing the system shell
programs. Even without this embedded, tamper proof rule in place,
other Type Enforcement rules also defend against this attack. As an
example, the new shell would need administrative privileges and those
privileges are not available to the telnetd services.</p>

<!-- end vendor -->

<A NAME="sgi">
<H4>SGI</H4>

<p>SGI acknowledges the telnetd vulnerability reported by CERT and is
currently investigating. Until SGI has more definitive information to
provide, customers are encouraged to assume all security
vulnerabilities as exploitable and take appropriate steps according to
local site security policies and requirements.</p>

<p>As further information becomes available, additional advisories will
be issued via the normal SGI security information distribution methods
including the wiretap mailing list and
<a href="http://www.sgi.com/support/security/">http://www.sgi.com/support/security/</a>.</p>

<!-- end vendor -->


<A NAME="sun">
<H4>Sun Microsystems, Inc.</H4>

<p> A buffer overflow has been discovered in in.telnetd which allows
    a local or a remote attacker to kill the in.telnetd daemon on the
    affected SunOS system.  Sun does not believe that this issue can
    be exploited on SunOS systems to gain elevated privileges.  As
    there was a buffer overflow, Sun has generated patches for this
    issue.  The patches are described in the following SunAlert:

    <p><a href="http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F28063">http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F28063</a>

    <p>and are available from:

    <p><a href="http://sunsolve.sun.com/securitypatch">http://sunsolve.sun.com/securitypatch</a>

<!-- end vendor -->


<A NAME="suse">
<H4>SuSE</H4>

(SuSE has released a security announcement related to this vulnerability.  
It is located at <a
href="http://www.suse.com/de/support/security/2001_029_nkitb_txt.txt">http://www.suse.com/de/support/security/2001_029_nkitb_txt.txt</a>.)

<!-- end vendor -->

</p>

<A NAME="references"><H2>Appendix B. - References</H2></A>

<ol>
<li><a HREF="http://www.ietf.org/rfc/rfc0854.txt">http://www.ietf.org/rfc/rfc0854.txt</a></li>
<li><a href="http://www.team-teso.net/advisories/teso-advisory-011.tar.gz">http://www.team-teso.net/advisories/teso-advisory-011.tar.gz</a></li>
<li><a href="http://www.kb.cert.org/vuls/id/745371">http://www.kb.cert.org/vuls/id/745371</a></li>
<li><a href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc">ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc</a></li>
</ol>

<HR>

<HR NOSHADE>

<P>The CERT Coordination Center thanks TESO, who published an <a href="http://teso.scene.at/advisories/teso-advisory-011.tar.gz">advisory</a> on this issue. We would
also like to thank Jeff Polk &lt;polk@BSDI.COM&gt; for technical assistance.</P>

<P></P>

<HR NOSHADE>

<P>Authors: <A
HREF="mailto:cert@cert.org?subject=CA-2001-21%20Feedback%20VU%23745371">Jason
A. Rafail, Ian Finlay, and Shawn Hernan.</A>

<P></P>


<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
July 24, 2001:  Initial release
July 25, 2001:  Fixed HTML tags in vendor section
July 25, 2001:  Added vendor statements 
July 25, 2001:  Added CVE number CAN-2001-0554
July 26, 2001:  Added vendor statements
July 27, 2001:  Fixed vendor section HTML tags
July 31, 2001:  Revised IBM statement
July 31, 2001:  Added Secure Computing Corporation statement 
July 31, 2001:  Updated HP statement
August 10, 2001: Revised IBM statement
August 20, 2001: Updated Caldera statement
August 21, 2001: Updated FreeBSD statement
August 27, 2001: Added link to Conectiva advisory
October 4, 2001: Added Apple Computer Statement
October 11, 2001: Added SuSE Statement
October 16, 2001: Updated Hewlett-Packard Statement
November 19, 2001: Included Compaq Statement
February 1, 2002: Updated Cisco Statement
April 16, 2002: Updated Sun Statement
</PRE>