exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MIT krb5 Security Advisory 2011-008

MIT krb5 Security Advisory 2011-008
Posted Dec 28, 2011
Site web.mit.edu

MIT krb5 Security Advisory 2011-008 - The telnet daemon (telnetd) in MIT krb5 (and in krb5-appl after the applications were moved to a separate distribution for krb5-1.8) is vulnerable to a buffer overflow. The flaw does not require authentication to exploit. Exploit code is reported to be actively used in the wild.

tags | advisory, overflow
advisories | CVE-2011-4862
SHA-256 | 94f4852b4ef0d480fd44f6fff8a1a449daff42441b00c788d6970db82695afc2

MIT krb5 Security Advisory 2011-008

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-008

MIT krb5 Security Advisory 2011-008
Original release: 2011-12-26
Last update: 2011-12-26

Topic: buffer overflow in telnetd

CVE-2011-4862

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVSSv2 Base Score: 10

Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete

CVSSv2 Temporal Score: 8.3

Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed

SUMMARY
=======

The telnet daemon (telnetd) in MIT krb5 (and in krb5-appl after the
applications were moved to a separate distribution for krb5-1.8) is
vulnerable to a buffer overflow. The flaw does not require
authentication to exploit. Exploit code is reported to be actively
used in the wild.

IMPACT
======

An unauthenticated remote attacker can cause a buffer overflow and
probably execute arbitrary code with the privileges of the telnet
daemon (normally root).

AFFECTED SOFTWARE
=================

* The telnet daemon in all releases of MIT krb5 prior to krb5-1.8 is
vulnerable. Later releases moved the telnet code to the krb5-appl
distribution.

* The telnet daemon in all releases of krb5-appl is vulnerable.

FIXES
=====

* Workaround: Disable telnet and use a more secure remote login
solution, such as SSH.

* A future release of krb5-appl will fix this vulnerability.

* Apply the following patch:

diff --git a/telnet/libtelnet/encrypt.c b/telnet/libtelnet/encrypt.c
index f75317d..b8d6cdd 100644
- --- a/telnet/libtelnet/encrypt.c
+++ b/telnet/libtelnet/encrypt.c
@@ -757,6 +757,9 @@ static void encrypt_keyid(kp, keyid, len)
int dir = kp->dir;
register int ret = 0;

+ if (len > MAXKEYLEN)
+ len = MAXKEYLEN;
+
if (!(ep = (*kp->getcrypt)(*kp->modep))) {
if (len == 0)
return;


This patch is also available at

http://web.mit.edu/kerberos/advisories/2011-008-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2011-008-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2011-4862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006117.html

ACKNOWLEDGMENTS
===============

We became aware of this vulnerability through a FreeBSD security
advisory.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

If the telnetd receives an ENCRYPT suboption that includes a key ID,
encrypt_keyid() in libtelnet/encrypt.c copies the suboption contents
into a fixed-size static buffer without first constraining the length,
leading to a buffer overflow.

REVISION HISTORY
================

2011-12-26 original release

Copyright (C) 2011 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk744dsACgkQSO8fWy4vZo6oOACdFW96Ei5AHXbXHBsHaax6tiEE
8AIAoJjMKx/2cbcLiTlHYiN3ypy8XF4S
=acqN
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close