Multiple products telnetd buffer overflow (Telnet_Encryption_Key_Overflow)

About this signature or vulnerability

IBM Security Host Protection for Servers (Unix), Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware, IBM Security Network Protection, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Desktops, RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows):

This signature detects a request carrying an unusually long encryption/decryption key identifier. Telnet software that copies the key identifier into a static 64-byte buffer without checking its length is vulnerable to code-execution attacks.

Default risk level

High

Sensors that have this signature

IBM Security Host Protection for Servers (Unix): 2.2.2, Proventia Network IPS: XPU 31.122, Proventia Server IPS for Linux technology: 31.122, Virtual Server Protection for Vmware: XPU 31.122, IBM Security Network Protection: 5.1, Proventia Network IDS: XPU 31.122, Proventia-G 1.1 and earlier: XPU 31.122, Proventia Network MFS: XPU 31.122, IBM Security Host Protection for Desktops: 2715, RealSecure Server Sensor: XPU 31.122, IBM Security Host Protection for Servers (Windows): 2.1.14.2715

Systems affected

MIT Kerberos: 5-1.3, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, RedHat Enterprise Linux: 5, RedHat Enterprise Linux: 5 Client Workstation, RedHat Enterprise Linux: 5 Client, MIT Kerberos: 5-1.5, MIT Kerberos: 5, MIT Kerberos: 5-1.4, MIT Kerberos: 5-1.6, FreeBSD FreeBSD: 7.1, MIT Kerberos: 5 1.0, MIT Kerberos: 5 1.0.6, MIT Kerberos: 5 1.1, MIT Kerberos: 5 1.1.1, MIT Kerberos: 5 1.2 Beta1, MIT Kerberos: 5 1.2 Beta2, MIT Kerberos: 5 1.3.3, FreeBSD FreeBSD: 8.0, VMware ESX Server: 4.0, MIT Kerberos: 5-1.7, FreeBSD FreeBSD: 8.1, FreeBSD FreeBSD: 7.3, RedHat Enterprise Linux: 6 Server, RedHat Enterprise Linux: 6 Workstation, Heimdal Developers Heimdal: 1.5.1, GNU Inetutils: 1.8, RedHat Enterprise Linux Desktop: 6, RedHat Enterprise Linux HPC Node: 6, RedHat Enterprise Linux Server EUS: 6.1.z, RedHat Enterprise Linux Server EUS: 6.0.z, RedHat Enterprise Linux EUS: 5.6.z, RedHat Enterprise Linux Long Life: 5.6, RedHat Enterprise Linux Long Life: 5.3, Cisco Ironport Email Security Appliances: 7.x, Cisco Ironport Email Security Management Appliance: 7.x

Type

Unauthorized Access Attempt

Vulnerability description

Multiple products are vulnerable to a buffer overflow caused by improper bounds checking in the encrypt_keyid() function of telnetd. By sending specially crafted telnet ENCRYPT commands to the server, a remote attacker could overflow the buffer and execute arbitrary code on the system with root privileges, or cause the application to crash.
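The following is an added example of the check the signature description and the vulnerability description above amount to; it is not code from IBM or from any telnetd implementation. It parses the telnet ENCRYPT suboption framing (IAC SB 38 ... IAC SE, with IAC IAC unescaped to a single 0xFF, per RFC 854 and RFC 2946) and reports any ENC_KEYID or DEC_KEYID whose key identifier is longer than the 64-byte buffer named on the page. The constant name MAXKEYLEN is taken from the commit message in the References; the sample streams are constructed here, not captured traffic, and the helper that builds them exists only to produce test vectors.

```python
"""Flag over-long telnet ENCRYPT key-id suboptions (the condition this signature detects)."""
from typing import Iterator, List, Tuple

# Telnet framing bytes (RFC 854) and the ENCRYPT option (RFC 2946).
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
TELOPT_ENCRYPT = 38
ENCRYPT_ENC_KEYID, ENCRYPT_DEC_KEYID = 7, 8

# Size of the static key-id buffer named on the page (libtelnet's MAXKEYLEN).
MAXKEYLEN = 64


def iter_suboptions(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (option, payload) for every IAC SB <opt> ... IAC SE in a telnet stream.

    An escaped 0xFF (IAC IAC) inside the payload is unescaped to one byte, so the
    returned payload length is the length a server would actually copy.
    An unterminated suboption yields whatever payload was seen so far."""
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = data[i + 1]
        if cmd != SB:
            # WILL/WONT/DO/DONT carry an option byte; other commands are two bytes.
            i += 3 if cmd in (WILL, WONT, DO, DONT) else 2
            continue
        if i + 2 >= n:
            break
        opt, j, payload = data[i + 2], i + 3, bytearray()
        while j < n:
            b = data[j]
            if b != IAC:
                payload.append(b)
                j += 1
            elif j + 1 < n and data[j + 1] == IAC:
                payload.append(IAC)          # IAC IAC -> literal 0xFF
                j += 2
            elif j + 1 < n and data[j + 1] == SE:
                j += 2                       # IAC SE closes the suboption
                break
            else:
                break                        # malformed: let the outer loop re-sync here
        yield opt, bytes(payload)
        i = j


def check_encrypt_keyids(data: bytes, max_len: int = MAXKEYLEN) -> List[Tuple[str, int]]:
    """Return (subcommand, key_id_length) for every ENC_KEYID/DEC_KEYID whose
    key identifier is longer than max_len, i.e. would not fit a max_len-byte buffer."""
    names = {ENCRYPT_ENC_KEYID: "ENC_KEYID", ENCRYPT_DEC_KEYID: "DEC_KEYID"}
    findings = []
    for opt, payload in iter_suboptions(data):
        if opt != TELOPT_ENCRYPT or not payload or payload[0] not in names:
            continue
        key_len = len(payload) - 1           # strip the ENCRYPT subcommand byte
        if key_len > max_len:
            findings.append((names[payload[0]], key_len))
    return findings


def build_keyid_suboption(subcmd: int, key_id: bytes) -> bytes:
    """Encode one ENCRYPT key-id suboption (constructed test vector; escapes IAC)."""
    escaped = key_id.replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes([IAC, SB, TELOPT_ENCRYPT, subcmd]) + escaped + bytes([IAC, SE])


# Constructed sample streams (not captured traffic).
BENIGN_STREAM = (bytes([IAC, WILL, TELOPT_ENCRYPT])
                 + build_keyid_suboption(ENCRYPT_ENC_KEYID, b"\x01\x02\x03\x04")
                 + b"login: ")
OVERLONG_STREAM = build_keyid_suboption(ENCRYPT_ENC_KEYID, bytes(range(100)))
# 64 escaped 0xFF bytes: 128 bytes on the wire, but only 64 after unescaping.
BOUNDARY_STREAM = build_keyid_suboption(ENCRYPT_DEC_KEYID, b"\xff" * MAXKEYLEN)

if __name__ == "__main__":
    for name, stream in [("benign", BENIGN_STREAM), ("overlong", OVERLONG_STREAM),
                         ("boundary", BOUNDARY_STREAM)]:
        print(name, check_encrypt_keyids(stream))
```

The boundary case matters for a detector: a key identifier that is 128 bytes on the wire because every byte is an escaped IAC is still only 64 bytes once the server unescapes it, so measuring the raw suboption length would produce false positives, while a 65-byte identifier is flagged regardless of how it is escaped.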

How to remove this vulnerability

For FreeBSD:
Refer to FreeBSD-SA-11:08.telnetd for patch, upgrade or suggested workaround information. See References.

For Kerberos:
Refer to MITKRB5-SA-2011-008 for patch, upgrade or suggested workaround information. See References.

For GNU inetutils:
Apply the patch for this vulnerability, available from the GIT Repository. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

MITKRB5-SA-2011-008
Topic: buffer overflow in telnetd
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-008.txt

FreeBSD GIT repository
libtelnet/encrypt.c (encrypt_keyid): Make sure that LEN never is greater than MAXKEYLEN.
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=665f1e73cdd9b38e2d2e11b8db9958a315935592

EDB-ID: 18280
Telnetd encrypt_keyid: Remote Root function pointer overwrite
http://www.exploit-db.com/exploits/18280/

FreeBSD-SA-11:08.telnetd
telnetd code execution vulnerability
http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc

Heimdal Web site
Heimdal
http://www.h5l.org/

GIT Repository
inetutils.git
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=665f1e73cdd9b38e2d2e11b8db9958a315935592

IBM Security Protection Alert
Multiple products telnetd buffer overflow
http://www.iss.net/threats/441.html

Offensive Security Exploit Database [01-14-2012]
Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
http://www.exploit-db.com/exploits/18368/

Offensive Security Exploit Database [01-14-2012]
FreeBSD Telnet Service Encryption Key ID Buffer Overflow
http://www.exploit-db.com/exploits/18369/

cisco-sa-20120126-ironport
Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport

VMSA-2012-0006
VMware ESXi and ESX address several security issues
http://www.vmware.com/security/advisories/VMSA-2012-0006.html

Offensive Security Exploit Database [07-01-2012]
BSD telnetd Remote Root Exploit
http://www.exploit-db.com/exploits/19520/

ISS X-Force
Multiple products telnetd buffer overflow
http://www.iss.net/security_center/static/71970.php

CVE
CVE-2011-4862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862