Multiple products telnetd buffer overflow (Telnet_Encryption_Key_Overflow)

About this signature or vulnerability

IBM Security Host Protection for Servers (Unix), Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Desktops, RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows):

This signature detects a TELNET ENCRYPT option suboption (ENC_KEYID or DEC_KEYID) that carries an unusually long encryption / decryption key ID. telnetd implementations that copy the key ID into a static 64-byte buffer without checking its length are vulnerable to remote code execution.


Default risk level

High

Sensors that have this signature

IBM Security Host Protection for Servers (Unix): 2.2.2, Proventia Network IPS: XPU 31.122, Proventia Server IPS for Linux technology: 31.122, Virtual Server Protection for Vmware: XPU 31.122, Proventia Network IDS: XPU 31.122, Proventia-G 1.1 and earlier: XPU 31.122, Proventia Network MFS: XPU 31.122, IBM Security Host Protection for Desktops: 2715, RealSecure Server Sensor: XPU 31.122, IBM Security Host Protection for Servers (Windows): 2.1.14.2715

Systems affected

MIT Kerberos: 5-1.3, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, RedHat Enterprise Linux: 5, RedHat Enterprise Linux: 5 Client Workstation, RedHat Enterprise Linux: 5 Client, MIT Kerberos: 5-1.5, MIT Kerberos: 5, MIT Kerberos: 5-1.4, MIT Kerberos: 5-1.6, FreeBSD FreeBSD: 7.1, MIT Kerberos: 5 1.0, MIT Kerberos: 5 1.0.6, MIT Kerberos: 5 1.1, MIT Kerberos: 5 1.1.1, MIT Kerberos: 5 1.2 Beta1, MIT Kerberos: 5 1.2 Beta2, MIT Kerberos: 5 1.3.3, FreeBSD FreeBSD: 8.0, VMware ESX Server: 4.0, MIT Kerberos: 5-1.7, FreeBSD FreeBSD: 8.1, FreeBSD FreeBSD: 7.3, RedHat Enterprise Linux: 6 Server, RedHat Enterprise Linux: 6 Workstation, Heimdal Developers Heimdal: 1.5.1, GNU Inetutils: 1.8, RedHat Enterprise Linux Desktop : 6, RedHat Enterprise Linux HPC Node : 6, RedHat Enterprise Linux Server EUS: 6.1.z, RedHat Enterprise Linux Server EUS: 6.0.z, RedHat Enterprise Linux EUS : 5.6.z, RedHat Enterprise Linux Long Life : 5.6, RedHat Enterprise Linux Long Life : 5.3, Cisco Ironport Email Security Appliances: 7.x, Cisco Ironport Email Security Management Appliance: 7.x

Type

Unauthorized Access Attempt

Vulnerability description

Multiple products are vulnerable to a buffer overflow caused by missing bounds checking in the encrypt_keyid() function of telnetd (libtelnet/encrypt.c), which copies a peer-supplied encryption key ID into a fixed 64-byte buffer (MAXKEYLEN) without verifying that it fits. The copy happens during TELNET ENCRYPT option negotiation, before any login, so an unauthenticated remote attacker who sends a specially crafted ENCRYPT suboption with an oversized key ID can overflow the buffer, overwrite an adjacent function pointer, and execute arbitrary code with the privileges of telnetd (normally root), or crash the service.
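The following is an added example, not code from this advisory or from any vendor's telnetd. It models both the detection rule described above (a key ID suboption longer than 64 bytes) and the bug itself: it parses a TELNET ENCRYPT ENC_KEYID/DEC_KEYID suboption from a constructed byte stream, honouring the IAC IAC escape, and places a vulnerable encrypt_keyid() shape beside the hardened one, which refuses any length above MAXKEYLEN before copying, as the upstream commit description states. The struct layout (a 64-byte key ID buffer followed by a length and a function pointer) is an assumption made for illustration, as are all helper names; the telnet constants follow RFC 2946.

```c
/* Added example modelling CVE-2011-4862; not the advisory's or any vendor's code.
 * Telnet constants per RFC 2946; struct key_info layout is an assumption. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IAC 255
#define SB 250
#define SE 240
#define TELOPT_ENCRYPT 38      /* ENCRYPT option, RFC 2946 */
#define ENCRYPT_ENC_KEYID 7
#define ENCRYPT_DEC_KEYID 8
#define MAXKEYLEN 64           /* size of the fixed key ID buffer in libtelnet */

/* Simplified stand-in for telnetd's key_info (assumed layout): the key ID
 * buffer is followed by other fields, including a function pointer. */
struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
    int (*getcrypt)(void);
};

static int real_getcrypt(void) { return 1; }

/* Unescaped key ID length of the first complete
 * IAC SB ENCRYPT {ENC_KEYID|DEC_KEYID} ... IAC SE in buf, or -1 if none. */
static long keyid_suboption_len(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i + 4 <= n; i++) {
        if (buf[i] != IAC || buf[i + 1] != SB || buf[i + 2] != TELOPT_ENCRYPT ||
            (buf[i + 3] != ENCRYPT_ENC_KEYID && buf[i + 3] != ENCRYPT_DEC_KEYID))
            continue;
        long len = 0;
        for (size_t j = i + 4; j + 1 < n; j++) {
            if (buf[j] != IAC) { len++; continue; }
            if (buf[j + 1] == SE) return len;                 /* end of suboption */
            if (buf[j + 1] == IAC) { len++; j++; continue; }  /* escaped 0xff data byte */
            return -1;                                        /* malformed */
        }
        return -1;                                            /* truncated */
    }
    return -1;
}

/* The detection rule: a key ID that cannot fit into MAXKEYLEN bytes. */
static int is_keyid_overflow_attempt(const unsigned char *buf, size_t n)
{
    return keyid_suboption_len(buf, n) > MAXKEYLEN;
}

/* Emit IAC SB ENCRYPT ENC_KEYID <keyid, 0xff doubled> IAC SE; 0 if out is too small. */
static size_t build_keyid_suboption(unsigned char *out, size_t cap, const unsigned char *keyid, size_t len)
{
    if (cap < 6 + 2 * len) return 0;
    size_t pos = 0;
    out[pos++] = IAC; out[pos++] = SB; out[pos++] = TELOPT_ENCRYPT; out[pos++] = ENCRYPT_ENC_KEYID;
    for (size_t i = 0; i < len; i++) {
        out[pos++] = keyid[i];
        if (keyid[i] == IAC) out[pos++] = IAC;
    }
    out[pos++] = IAC; out[pos++] = SE;
    return pos;
}

/* Vulnerable shape of encrypt_keyid(): len is whatever the peer sent. */
static void encrypt_keyid_vulnerable(struct key_info *kp, const unsigned char *keyid, int len)
{
    if (len == 0) return;
    if (len != kp->keylen || memcmp(keyid, kp->keyid, (size_t)len) != 0) {
        kp->keylen = len;
        memcpy(kp->keyid, keyid, (size_t)len);  /* len > MAXKEYLEN runs into keylen and getcrypt */
    }
}

/* Hardened shape, as in the upstream fix: refuse len > MAXKEYLEN before the copy. */
static int encrypt_keyid_fixed(struct key_info *kp, const unsigned char *keyid, int len)
{
    if (len < 0 || len > MAXKEYLEN) return -1;
    encrypt_keyid_vulnerable(kp, keyid, len);   /* safe once len is bounded */
    return 0;
}

/* Constructed key ID: keyid_len 'A' bytes with one 0xff inside to exercise escaping. */
static void make_keyid(unsigned char *k, size_t len) { memset(k, 'A', len); if (len > 10) k[10] = IAC; }

static long wire_keyid_len(size_t keyid_len)   /* build a suboption, then parse it back */
{
    unsigned char k[256], pkt[600];
    if (keyid_len > sizeof k) return -1;
    make_keyid(k, keyid_len);
    size_t n = build_keyid_suboption(pkt, sizeof pkt, k, keyid_len);
    return n ? keyid_suboption_len(pkt, n) : -1;
}

static int detect_overflow(size_t keyid_len) { return wire_keyid_len(keyid_len) > MAXKEYLEN; }

static int fixed_accepts(size_t keyid_len)     /* 0 accepted, -1 rejected */
{
    unsigned char k[256];
    struct key_info ki = { {0}, 0, real_getcrypt };
    if (keyid_len > sizeof k) return -1;
    make_keyid(k, keyid_len);
    return encrypt_keyid_fixed(&ki, k, (int)keyid_len);
}

/* Oversized key ID into the vulnerable function: 1 if getcrypt was clobbered.
 * The payload is exactly sizeof(struct key_info) so the write stays inside ki. */
static int vulnerable_clobbers_getcrypt(void)
{
    struct key_info ki = { {0}, 0, real_getcrypt };
    unsigned char payload[sizeof ki];
    int (*after)(void);
    memset(payload, 'A', sizeof payload);
    encrypt_keyid_vulnerable(&ki, payload, (int)sizeof payload);
    memcpy(&after, (unsigned char *)&ki + offsetof(struct key_info, getcrypt), sizeof after);
    return after != real_getcrypt;
}

int main(void)
{
    printf("100-byte key ID: wire len=%ld flagged=%d fixed_rejects=%d\n",
           wire_keyid_len(100), detect_overflow(100), fixed_accepts(100) == -1);
    printf("16-byte key ID: wire len=%ld flagged=%d fixed_rejects=%d\n",
           wire_keyid_len(16), detect_overflow(16), fixed_accepts(16) == -1);
    printf("vulnerable encrypt_keyid overwrote getcrypt: %d\n", vulnerable_clobbers_getcrypt());
    return 0;
}
```

The parser counts a doubled IAC as one data byte, so an attacker cannot hide an oversized key ID behind escaping, and it only reports complete suboptions (IAC SE seen), which is what a sensor needs to avoid false positives on split TCP segments. The clobber test keeps the payload to the size of the struct so the demonstration corrupts only the adjacent fields and never the stack around it.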

How to remove this vulnerability

For FreeBSD:
Refer to FreeBSD-SA-11:08.telnetd for patch, upgrade or suggested workaround information. See References.

For Kerberos:
Refer to MITKRB5-SA-2011-008 for patch, upgrade or suggested workaround information. See References.

For GNU inetutils:
Apply the patch for this vulnerability, available from the GNU inetutils Git repository. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

MITKRB5-SA-2011-008
Topic: buffer overflow in telnetd
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-008.txt

EDB-ID: 18280
Telnetd encrypt_keyid: Remote Root function pointer overwrite
http://www.exploit-db.com/exploits/18280/

FreeBSD-SA-11:08.telnetd
telnetd code execution vulnerability
http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc

Heimdal Web site
Heimdal
http://www.h5l.org/

GNU inetutils Git repository
libtelnet/encrypt.c (encrypt_keyid): Make sure that LEN never is greater than MAXKEYLEN.
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=665f1e73cdd9b38e2d2e11b8db9958a315935592

IBM Security Protection Alert
Multiple products telnetd buffer overflow
http://www.iss.net/threats/441.html

Offensive Security Exploit Database [01-14-2012]
Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
http://www.exploit-db.com/exploits/18368/

Offensive Security Exploit Database [01-14-2012]
FreeBSD Telnet Service Encryption Key ID Buffer Overflow
http://www.exploit-db.com/exploits/18369/

cisco-sa-20120126-ironport
Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport

VMSA-2012-0006
VMware ESXi and ESX address several security issues
http://www.vmware.com/security/advisories/VMSA-2012-0006.html

Offensive Security Exploit Database [07-01-2012]
BSD telnetd Remote Root Exploit
http://www.exploit-db.com/exploits/19520/

ISS X-Force
Multiple products telnetd buffer overflow
http://www.iss.net/security_center/static/71970.php

CVE
CVE-2011-4862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862