-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-008

MIT krb5 Security Advisory 2011-008
Original release: 2011-12-26
Last update: 2012-01-03

Topic: buffer overflow in telnet daemon and client

CVE-2011-4862

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVSSv2 Base Score:      10

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  8.3

Exploitability:         Functional
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

The telnet daemon (telnetd) and telnet client in MIT krb5 (and in krb5-appl after the applications were moved to a separate distribution for krb5-1.8) are vulnerable to a buffer overflow. The flaw does not require authentication to exploit. Exploit code is reported to be actively used in the wild.

IMPACT
======

An unauthenticated remote attacker can cause a buffer overflow and probably execute arbitrary code with the privileges of the telnet daemon (normally root).

By operating a malicious telnet server, or by modifying network traffic, an unauthenticated remote attacker can cause a buffer overflow and probably execute arbitrary code with the privileges of a user running a telnet client.

AFFECTED SOFTWARE
=================

* The telnet daemon and client in all releases of MIT krb5 prior to krb5-1.8 are vulnerable. Later releases of krb5 moved the telnet code to the krb5-appl distribution.

* The telnet daemon and client in releases of krb5-appl prior to krb5-appl-1.0.3 are vulnerable.

FIXES
=====

* Workaround: Disable telnet and use a more secure remote login solution, such as SSH. This does not address the client vulnerability.

* The krb5-appl-1.0.3 release contains a fix for this vulnerability.

* If running an earlier release, apply the following patch:

diff --git a/telnet/libtelnet/encrypt.c b/telnet/libtelnet/encrypt.c index f75317d..b8d6cdd 100644 - --- a/telnet/libtelnet/encrypt.c
+++ b/telnet/libtelnet/encrypt.c 
@@ -757,6 +757,9 @@ static void encrypt_keyid(kp, keyid, len) int dir = kp->dir; register int ret = 0; + if (len > MAXKEYLEN) + len = MAXKEYLEN; + if (!(ep = (*kp->getcrypt)(*kp->modep))) { if (len == 0) return;

This patch is also available at

http://web.mit.edu/kerberos/advisories/2011-008-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2011-008-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2011-4862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006117.html

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7056&user=guest&pass=guest

ACKNOWLEDGMENTS
===============

We became aware of this vulnerability through a FreeBSD security advisory. Dan Rosenberg publicly remarked that the client is also vulnerable.

CONTACT
=======

The MIT Kerberos Team security contact address is . When sending sensitive information, please PGP-encrypt it using the following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid                  MIT Kerberos Team Security Contact

DETAILS
=======

If the telnet daemon or client receives an ENCRYPT suboption that includes a key ID, encrypt_keyid() in libtelnet/encrypt.c copies the suboption contents into a fixed-size static buffer without first constraining the length, leading to a buffer overflow.
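Review bot: The clamp added at the top of the encrypt_keyid() hunk keeps the copy that follows within MAXKEYLEN, but it does so by truncating `len` silently, so an oversized key ID from the peer is then handled as if only its first MAXKEYLEN bytes had been sent. The function already treats `len == 0` as a reason to `return;`, so the same treatment for `len > MAXKEYLEN` would reject the malformed suboption outright instead of accepting a partial key ID; if truncation is the intended behaviour, a one-line comment saying so, and noting that MAXKEYLEN is the size of the static buffer the key ID is copied into, would make the relationship between the check and the buffer visible at this point in the code.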
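The copy that DETAILS describes, reduced to its essentials as an added C example (this is not code from the advisory, from libtelnet or from MIT krb5): a fixed-size static buffer receives a key ID whose length is controlled by the remote peer, and the length is validated before any copy takes place. Two bounded variants are shown side by side: one clamps the length the way the advisory's patch does, the other rejects an oversized key ID and leaves the stored one untouched. MAXKEYLEN is the name used in the patch; its value here (64), the buffer and function names, the status codes and the sample inputs are all assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* MAXKEYLEN is the limit named in the advisory's patch. The value 64 is an
 * assumption for this example; it is not taken from libtelnet. */
#define MAXKEYLEN 64

/* Stand-in for the fixed-size static key-ID buffer the advisory describes.
 * Layout and names are constructed for the example. */
static unsigned char stored_keyid[MAXKEYLEN];
static size_t stored_len = 0;

/* Result codes for the two handlers below (constructed for the example). */
enum keyid_status { KEYID_OK = 0, KEYID_EMPTY = -1, KEYID_TOO_LONG = -2 };

/* Variant 1, the strategy the advisory's patch takes: an oversized key ID is
 * clamped to MAXKEYLEN before the copy. The copy can no longer overrun the
 * buffer, but only the first MAXKEYLEN bytes of the peer's key ID are kept. */
int keyid_clamp(const unsigned char *keyid, size_t len)
{
    if (len > MAXKEYLEN)
        len = MAXKEYLEN;
    if (len == 0)
        return KEYID_EMPTY;
    memcpy(stored_keyid, keyid, len);
    stored_len = len;
    return KEYID_OK;
}

/* Variant 2, reject instead of truncate: the bound is checked against the
 * actual buffer size, nothing is copied when it is exceeded, and the stored
 * key ID is left exactly as it was. */
int keyid_reject(const unsigned char *keyid, size_t len)
{
    if (len == 0)
        return KEYID_EMPTY;
    if (len > sizeof(stored_keyid))
        return KEYID_TOO_LONG;
    memcpy(stored_keyid, keyid, len);
    stored_len = len;
    return KEYID_OK;
}

/* Accessor so callers (and tests) can observe what each variant stored. */
size_t current_keyid_len(void)
{
    return stored_len;
}

/* Constructed sample inputs: a 4-byte key ID and one 36 bytes longer than the
 * buffer, standing in for a peer-supplied suboption of excessive length. */
static const unsigned char sample_keyid[] = { 0x01, 0x02, 0x03, 0x04 };
static const unsigned char oversized_keyid[MAXKEYLEN + 36] = { 0xAA };

int main(void)
{
    int st;

    /* Calls are sequenced before printf so the stored length read after
     * each call is the one that call produced. */
    st = keyid_reject(sample_keyid, sizeof sample_keyid);
    printf("reject, %zu bytes:   status %d, stored %zu\n",
           sizeof sample_keyid, st, current_keyid_len());

    st = keyid_reject(oversized_keyid, sizeof oversized_keyid);
    printf("reject, %zu bytes: status %d, stored %zu (unchanged)\n",
           sizeof oversized_keyid, st, current_keyid_len());

    st = keyid_clamp(oversized_keyid, sizeof oversized_keyid);
    printf("clamp,  %zu bytes: status %d, stored %zu (truncated)\n",
           sizeof oversized_keyid, st, current_keyid_len());
    return 0;
}
```

Both variants are memory-safe; the difference is what the peer can make the receiver believe. With the clamp, a 100-byte key ID is accepted and recorded as a 64-byte one; with the reject variant the suboption is refused and the previously stored key ID survives. Whichever policy is chosen, the check must sit before the copy and compare against the real size of the destination, which is why the reject variant uses sizeof(stored_keyid) rather than a constant that could drift away from the buffer declaration.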
REVISION HISTORY
================

2012-01-03  Add description of client vulnerability
2011-12-26  original release

Copyright (C) 2011-2012 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk8DbIkACgkQSO8fWy4vZo5uTQCgizOI+1UOiYIuCLEWSGU3cfJV
WIMAoMtnd72FHEimsRhQXpfFiA8C7KZo
=ya8H
-----END PGP SIGNATURE-----