HighRealSecure Desktop, RealSecure Server Sensor, BlackICE Agent for Server, RealSecure Desktop Protector, RealSecure Network, BlackICE PC Protection, RealSecure Guard, RealSecure Sentry, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Server IPS for Linux technology, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia Desktop:
This signature detects a large number of AYT messages.
This signature replaces TelnetExcessiveAYTs.
High
RealSecure Desktop: baseline, RealSecure Server Sensor: 7.0, BlackICE Agent for Server: 3.6, RealSecure Desktop Protector: 3.6, RealSecure Network: 7.0, BlackICE PC Protection: 3.6.cbd, RealSecure Guard: 3.6, RealSecure Sentry: 3.6, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cbd, Proventia Network MFS: 1.0, Proventia-G 1.1 and earlier: G Series, Proventia Network IDS: A Series, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop Protector 3.6: baseline, Proventia Network IPS: 2.0, Proventia Desktop: 8.0.614.1
Sun Solaris, FreeBSD FreeBSD: 3.0, SGI IRIX: 6.5, SCO Caldera OpenLinux, Cray UNICOS, RedHat Linux: 5.2, FreeBSD FreeBSD: 3.1, FreeBSD FreeBSD: 3.2, WindRiver BSDOS: 4.0.1, SuSE SuSE Linux: 6.2, WindRiver BSDOS: 4.0, IBM AIX: 4.3, FreeBSD FreeBSD: 3.3, IBM AIX: 4.3.2, RedHat Linux: 6.2, FreeBSD FreeBSD: 3.4, FreeBSD FreeBSD: 4.0, SuSE SuSE Linux: 6.3, SuSE SuSE Linux: 6.4, Debian Debian Linux: 2.2, SuSE SuSE Linux: 6.1, MandrakeSoft Mandrake Linux: 7.1, FreeBSD FreeBSD: 3.5, Conectiva Linux, RedHat Linux: 7, FreeBSD FreeBSD: 4.1, MandrakeSoft Mandrake Linux: 7.2, NetBSD NetBSD: 1.5, SuSE SuSE Linux: 7.0, MandrakeSoft Mandrake Linux Corporate Server: 1.0.1, FreeBSD FreeBSD: 4.2, SuSE SuSE Linux: 7.1, Cisco Catalyst 5000, IBM AIX: 5.1, RedHat Linux: 7.1, MandrakeSoft Mandrake Linux: 8.0, MandrakeSoft Mandrake Single Network Firewall: 7.2, SuSE SuSE Linux: 7.2, FreeBSD FreeBSD: 4.3, WindRiver BSDOS: 4.1, WindRiver BSDOS: 4.2, IBM AIX: 4.3.3, MandrakeSoft Mandrake Linux: 8.1, RedHat Linux: 7.2, Cisco Catalyst 4000, Cisco Catalyst 6000, Cisco Catalyst 2948G, Cisco Catalyst 2900, RedHat Linux: 7.3, Debian Debian Linux: 3.0, SCO Caldera OpenServer: 5, Gentoo Linux, IBM AIX: 4.3.1, MIT Kerberos, Various vendors telnetd
Unauthorized Access Attempt
Multiple BSD-derived telnet daemons are vulnerable to a buffer overflow in the telrcv function that processes Telnet options. The telrcv function fails to perform proper bounds checking for remote clients. By sending a specially-crafted option string to the telnet daemon, a remote attacker can overflow a buffer and execute arbitrary code on the system. An attacker can use this vulnerability to gain root privileges.
For vulnerability detection:
Enable the following checks in the ISS Protection Platform:
TelnetdOptionTelrcvBo
telnetd-option-telrcv-bo
Enable the following checks in the ISS Protection Platform:
Telnet_Too_Many_AYTs
Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 23
For Manual Protection:
For FreeBSD 3.x, versions prior to 4.3, and 4.3-STABLE:
Upgrade to the latest version of FreeBSD (4.3-STABLE dated 2001-07-23 or later), as listed in FreeBSD Security Advisory FreeBSD-SA-01:49. See References.
— OR —
Apply the patch for this vulnerability, as listed in FreeBSD Security Advisory FreeBSD-SA-01:49. See References.
For Caldera OpenLinux 2.3, eServer 2.3.1, eBuilder, eDesktop 2.4, Server 3.1, and Workstation 3.1:
Upgrade to the latest version of netkit-telnet (0.17-12a or later), as listed in Caldera International, Inc. Security Advisory CSSA-2001-030.0. See References.
For Mandrake Linux 7.1 and Corporate Server 1.0.1:
Upgrade to the latest version of telnet (0.16-4 or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:068 : telnet. See References.
For Mandrake Linux 7.2, 8.0, and Single Network Firewall 7.2:
Upgrade to the latest version of telnet (0.17-7 or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:068 : telnet. See References.
For Mandrake Linux 8.1:
Upgrade to the latest version of krb5 (1.2.2-15.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:093 : krb5. See References.
For Debian GNU/Linux 2.2 (potato):
Upgrade to the latest version of netkit-telnet (0.16-4potato.2 or later), as listed in DSA-070-1. See References.
For Debian GNU/Linux 2.2 (potato):
Upgrade to the latest version of netkit-telnet-ssl (0.16.3-1.1 or later), as listed in DSA-075-1. See References.
For Red Hat Linux 5.2 and 6.2:
Upgrade to the latest version of telnet (0.17.6x-18 or later), as listed in RHSA-2001:099-06. See References.
For Red Hat Linux 7.0 and 7.1
Upgrade to the latest version of telnet (0.17-18 or later), as listed in RHSA-2001:099-06. See References.
For MIT Kerberos 5:
Apply the telnetd_122_patch for your system, as listed in Kerberos Security Advisory 2001-07-31. See References.
For Red Hat Linux 6.2 using the Kerberos 5 package telnet server:
Upgrade to the latest version of krb5 (1.1.1-28 or later), as listed in RHSA-2001:100-02. See References.
For Red Hat Linux 7.0 and 7.1 using the Kerberos 5 package telnet server:
Upgrade to the latest version of krb5 (1.2.2-12 or later), as listed in RHSA-2001:100-02. See References.
For Conectiva Linux 4.0 and 4.0es:
Upgrade to the latest version of telnet (0.17-1U40 or later), as listed in Conectiva Linux Security Announcement CLA-2001:413. See References.
For Conectiva Linux 4.1:
Upgrade to the latest version of telnet (0.17-1U41 or later), as listed in Conectiva Linux Security Announcement CLA-2001:413. See References.
For Conectiva Linux 4.2:
Upgrade to the latest version of telnet (0.17-1U42 or later), as listed in Conectiva Linux Security Announcement CLA-2001:413. See References.
For Conectiva Linux 5.0, ecommerce, and prg graficos:
Upgrade to the latest version of telnet (0.17-1U50 or later), as listed in Conectiva Linux Security Announcement CLA-2001:413. See References.
For Conectiva Linux 5.1:
Upgrade to the latest version of telnet (0.17-1U51 or later), as listed in Conectiva Linux Security Announcement CLA-2001:413. See References.
For Conectiva Linux 6.0:
Upgrade to the latest version of telnet (0.17-2U60 or later), as listed in Conectiva Linux Security Announcement CLA-2001:413. See References.
For Conectiva Linux 7.0:
Upgrade to the latest version of telnet (0.17-2U70 or later), as listed in Conectiva Linux Security Announcement CLA-2001:413. See References.
For SuSE Linux 7.0 (i386 Intel, Sparc, AXP Alpha, and PPC Power PC):
Upgrade to the latest version of nkitb or nkitserv (2001.8.16-0 or later), as listed in SuSE Security Announcement SuSE-SA:2001:029. See References.
For SuSE Linux 7.1 (i386 Intel, Sparc, AXP Alpha, and PPC Power PC):
Upgrade to the latest version of nkitb or nkitserv (2001.8.14-0 or later), as listed in SuSE Security Announcement SuSE-SA:2001:029. See References.
For SuSE Linux 7.2 (i386 Intel):
Upgrade to the latest version of telnet or telnet-server (1.0-69 or later), as listed in SuSE Security Announcement SuSE-SA:2001:029. See References.
For Cisco Catalyst 6000 series, Catalyst 5000 series, Catalyst 4000 series, Catalyst 2948G, and
Catalyst 2900 switches:
Upgrade to the latest version of CatOS for your device, as listed in the Cisco Security Advisory dated January 29, 2002. See References.
For Cisco VPN 3000 Concentrators:
Upgrade to the latest software version for your device (3.6.1 or later), (3.5.5 or later), (3.1.2 or later for 3.1.x releases), or (3.0.3(B) or later for 3.0.x releases), as listed in Cisco Security Advisory: Cisco VPN 3000 Concentrator Multiple Vulnerabilities. See References.
For Gentoo Linux: Upgrade to the latest version of NetKit (0.17-r4 or later), as listed in GLSA 200410-03. See References.
For other distributions:
Contact your vendor for patch or upgrade information.
RHSA-2001:100-02
Updated Kerberos 5 packages now available
http://rhn.redhat.com/errata/RHSA-2001-100.html
BugTraq Mailing List, Tue Jul 24 2001 - 16:51:24 CDT
Re: multiple vendor telnet daemon vulnerability
http://archives.neohapsis.com/archives/bugtraq/2001-07/0559.html
BugTraq Mailing List, Wed Jul 18 2001 - 15:15:10 CDT
multiple vendor telnet daemon vulnerability
http://archives.neohapsis.com/archives/bugtraq/2001-07/0351.html
FreeBSD Security Advisory FreeBSD-SA-01:49
telnetd contains remote buffer overflow
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc
CERT Advisory CA-2001-21
Buffer Overflow in telnetd
http://www.cert.org/advisories/CA-2001-21.html
IBM Managed Security Services Outside Advisory Redistribution MSS-OAR-E01-2001:298.1
Buffer overflow vulnerability in telnet daemon
http://archives.neohapsis.com/archives/bugtraq/2001-07/0776.html
BugTraq Mailing List, Tue Jul 24 2001 - 18:11:36 CDT
Re: multiple vendor telnet daemon vulnerability
http://archives.neohapsis.com/archives/bugtraq/2001-07/0562.html
RHSA-2001:099-06
telnet
http://rhn.redhat.com/errata/RHSA-2001-099.html
SGI Security Advisory 20010801-01-P
IRIX Telnet protocol options
ftp://patches.sgi.com/support/free/security/advisories/20010801-01-P
Kerberos Security Advisory 2001-07-31
KRB5 TELNETD BUFFER OVERFLOWS
http://web.mit.edu/kerberos/www/advisories/telnetd.txt
BugTraq Mailing List, Wed Jul 25 2001 - 02:44:46 CDT
SCO - Telnetd AYT overflow ?
http://archives.neohapsis.com/archives/bugtraq/2001-07/0599.html
BugTraq Mailing List, Thu Jul 26 2001 - 17:29:02 CDT
RE: Vulnerability in Windows 2000 TELNET service
http://archives.neohapsis.com/archives/bugtraq/2001-07/0644.html
Caldera International, Inc. Security Advisory CSSA-2001-030.0
Linux - Telnet AYT remote exploit
ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2001-030.0.txt
MandrakeSoft Security Advisory MDKSA-2001:068
telnet
http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2001:068
DSA-070-1
netkit-telnet
http://www.debian.org/security/2001/dsa-070
DSA-075-1
netkit-telnet-ssl -- remote exploit
http://www.debian.org/security/2001/dsa-075
Conectiva Linux Announcement CLSA-2001:413
telnet
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000413
CIAC Information Bulletin L-131
IBM AIX telnetd Buffer Overflow
http://www.ciac.org/ciac/bulletins/l-131.shtml
CIAC Information Bulletin L-128
MIT Kerberos 5 telnetd Buffer Overflows
http://www.ciac.org/ciac/bulletins/l-128.shtml
CIAC Information Bulletin M-006
HP-UX telnetd Security Vulnerability
http://www.ciac.org/ciac/bulletins/m-006.shtml
Hewlett-Packard Company Security Bulletin HPSBUX0110-172
Sec. Vulnerability in telnetd
http://online.securityfocus.com/advisories/3610
CIAC Information Bulletin L-124
Remote Buffer Overflow in telnetd
http://www.ciac.org/ciac/bulletins/l-124.shtml
SuSE Security Announcement SuSE-SA:2001:029
nkitb/nkitserv/telnetd
http://www.suse.de/de/security/2001_029_nkitb_txt.txt
Cray Service Bulletin, September/October 2001, Volume 3, Number 5
Security Issues Reported, CERT Advisory CA-2001-21
http://www.kfa-juelich.de/zam/docs/CRSB/crsb_01_05.pdf
FedCIRC Advisory FA-2001-21
Buffer Overflow in telnetd
http://www2.fedcirc.gov/advisories/FA-2001-21.html
Compaq Services Software Patches SSRT0745U
potential telnetd option handling vulnerability
http://ftp.support.compaq.com/patches/.new/html/SSRT0745U.shtml
Apple Computer, Inc. Product Security Incident Response
Mac OS X v10.1 telnetd
http://www.apple.com/support/security/security_updates.html
Cisco Systems Inc. Security Advisory, 2002 January 29 1500 UTC
Cisco CatOS Telnet Buffer Vulnerability
http://www.cisco.com/warp/public/707/catos-telrcv-vuln-pub.shtml
MandrakeSoft Security Advisory MDKSA-2001:093
kerberos
http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2001:093
Caldera International, Inc. Security Advisory CSSA-2001-SCO.10
telnetd buffer overflow
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.10/CSSA-2001-SCO.10.txt
CERT Vulnerability Note VU#745371
Multiple vendor telnet daemons vulnerable to buffer overflow via crafted protocol options
http://www.kb.cert.org/vuls/id/745371
CIAC Information Bulletin M-043
Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability
http://www.ciac.org/ciac/bulletins/m-043.shtml
CIAC Information Bulletin M-119
Cisco VPN Concentrators and VPN 3002 Client Multiple Vulnerabilities
http://www.ciac.org/ciac/bulletins/m-119.shtml
vpn3k-multiple-vuln-pub
Cisco Security Advisory: Cisco VPN 3000 Concentrator Multiple Vulnerabilities
http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
BugTraq Mailing List, Wed Jul 25 2001 - 17:51:28 CDT
Vulnerability in Windows 2000 TELNET service
http://archives.neohapsis.com/archives/bugtraq/2001-07/0611.html
GLSA 200410-03
NetKit-telnetd: buffer overflows in telnet and telnetd
http://www.gentoo.org/security/en/glsa/glsa-200410-03.xml
ISS X-Force
BSD-derived telnetd options telrcv buffer overflow
http://www.iss.net/security_center/static/6875.php
CVE
CVE-2001-0554
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0554