The telnet daemon (telnetd) contains a vulnerability that can allow a remote attacker to trigger a buffer overflow and create a denial of service (DoS) condition or possibly execute arbitrary code. The telnet daemon allows users to remotely log in to a machine.
The vulnerability is due to the manner in which telnetd handles command options when an attacker supplies a combination of options. If the attacker can append code to the end of the request, this may cause a buffer overflow, and the code may execute with root privileges. The amount of data needed to overflow the buffer is dependent upon the implementation of the vulnerable system.
Windows 2000 does not appear to be vulnerable to this buffer overflow, but the telnet service crashes when scanned using AYT.
Patches are available.
Indicators of Compromise
Systems running a BSD-derived telnetd on Linux- or Unix-based operating systems are vulnerable.
Most of the telnet daemons on Linux and many Unix systems are derived from the BSD telnet daemon. This means that all are vulnerable to various exploits. Depending on the system, this could range from gaining root-level access to causing a core dump. This exploit variation results from the changes some operating systems have made to the BSD telnet daemon. In many cases, the buffer size is 1,024 bytes.
BSD telnet options are processed by the function telrcv. This function parses the options based on the telnet protocol and internal state. The results sent back to the client are stored in the buffer netobuf, which is not bounds-checked.
An attacker can exploit the unchecked buffer and exceed the buffer's capacity by as much as [((buffer size/2) * 9) - buffer size] bytes. The standard buffer sizes of 1,024 or 4,096 would result in buffer overflows of 3,584 bytes and 14,336 bytes, respectively. The attacker must accurately determine the buffer size and place the malicious code within the executable overflow space. This vulnerability is also limited by the characters the attacker can write outside the buffer. Working exploits have been created and tested on BSDi, NetBSD and FreeBSD systems.
Exploitation requires the attacker to know how much data is necessary to overflow the buffer. Any arbitrary code must be constructed from the limited set of characters available.
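The following is an added example, not code from the alert or from any telnetd source. It is a constructed model of a telrcv-style option loop that shows where the alert's overflow formula comes from: each 2-byte IAC AYT sequence produces a 9-byte "[Yes]" reply, so an input buffer of N bytes can generate (N/2)*9 reply bytes into an N-byte output buffer. The unchecked behaviour is modelled only as a byte count; the BoundedNetOutput class shows the check that a reply buffer needs. The names BoundedNetOutput, process_options and worst_case_overflow are this example's own.

```python
"""Constructed model of telnet option handling and the reply-buffer bounds check.

Not telnetd source. Demonstrates why an output buffer that collects option
replies without a capacity check can be overrun by a stream of IAC AYT
sequences, and reproduces the alert's formula ((size/2) * 9) - size.
"""

IAC = 0xFF                      # telnet "Interpret As Command" prefix byte
AYT = 0xF6                      # "Are You There" command byte
AYT_REPLY = b"\r\n[Yes]\r\n"    # the 9-byte reply a BSD-derived telnetd sends for IAC AYT


def worst_case_overflow(buf_size: int) -> int:
    """Bytes written past a buf_size-byte reply buffer when the whole input is IAC AYT.

    Each 2-byte option sequence expands to a 9-byte reply, so buf_size/2 sequences
    generate (buf_size/2) * 9 bytes; subtracting the buffer itself gives the overflow.
    """
    return (buf_size // 2) * len(AYT_REPLY) - buf_size


def reply_bytes_needed(data: bytes) -> int:
    """Reply bytes the unchecked code would write for this input (no capacity limit)."""
    total = 0
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data) and data[i + 1] == AYT:
            total += len(AYT_REPLY)
            i += 2
        else:
            i += 1  # ordinary data bytes produce no reply in this model
    return total


class BoundedNetOutput:
    """Fixed-capacity reply buffer that refuses any chunk it cannot hold."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.buf = bytearray()
        self.dropped = 0

    def append(self, chunk: bytes) -> bool:
        # The check that the vulnerable netobuf handling lacked: never write past capacity.
        if len(self.buf) + len(chunk) > self.capacity:
            self.dropped += 1
            return False
        self.buf += chunk
        return True


def process_options(data: bytes, capacity: int) -> dict:
    """Walk the input like a telrcv loop, writing AYT replies through the bounded buffer."""
    out = BoundedNetOutput(capacity)
    written = 0
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data) and data[i + 1] == AYT:
            if out.append(AYT_REPLY):
                written += 1
            i += 2
        else:
            i += 1
    return {
        "replies_written": written,
        "replies_dropped": out.dropped,
        "bytes_used": len(out.buf),
        "unchecked_bytes_needed": reply_bytes_needed(data),
    }


if __name__ == "__main__":
    # Constructed input: 512 IAC AYT sequences = 1,024 bytes, the buffer size the alert cites.
    flood = bytes([IAC, AYT]) * 512
    print("overflow for 1024-byte buffer:", worst_case_overflow(1024))
    print("overflow for 4096-byte buffer:", worst_case_overflow(4096))
    print(process_options(flood, 1024))
```

With a 1,024-byte buffer the bounded version writes 113 replies (1,017 bytes) and drops the rest, while the unchecked count shows the 4,608 bytes the original code would have emitted, 3,584 more than the buffer holds, which matches the alert's figure.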
To compromise the system, attackers usually attempt to brute-force an administrator's remote password. Reports suggest that many of the defacements involving FreeBSD operating systems are due to an exploit of this vulnerability. Increased scans on telnet port 23 could indicate attempts to exploit this vulnerability.
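The alert names increased scanning of port 23 as an indicator. The following added example, not part of the alert, shows one way to surface that from firewall logs: it flags any source that attempts TCP connections to port 23 on several distinct hosts within a short window, which is the shape a sweep by the AYT scanner or a worm would leave. The log lines are constructed in an iptables-style syslog format with documentation addresses; LOG_RE, telnet_sweep_sources and the thresholds are this example's own and should be adapted to the real firewall's format.

```python
"""Flag sources sweeping TCP/23 across many hosts, from constructed firewall log lines.

Added example, not from the alert. The log format is a constructed iptables-style
syslog line; adjust LOG_RE to match the firewall actually in use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one source sweeps six hosts on port 23 within 20 seconds,
# an administrator connects to a single host on 23, and unrelated lines are mixed in.
SAMPLE_LOG = """\
2001-07-20 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=23 SYN
2001-07-20 10:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 LEN=60 PROTO=TCP SPT=40002 DPT=23 SYN
2001-07-20 10:00:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 LEN=60 PROTO=TCP SPT=40003 DPT=23 SYN
2001-07-20 10:00:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 LEN=60 PROTO=TCP SPT=40004 DPT=22 SYN
2001-07-20 10:00:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.13 LEN=60 PROTO=TCP SPT=40005 DPT=23 SYN
2001-07-20 10:00:17 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.14 LEN=60 PROTO=TCP SPT=40006 DPT=23 SYN
2001-07-20 10:00:21 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.15 LEN=60 PROTO=TCP SPT=40007 DPT=23 SYN
2001-07-20 10:00:30 fw sshd[123]: Accepted publickey for admin from 198.51.100.7 port 51000
2001-07-20 10:01:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51001 DPT=23 SYN
2001-07-20 10:02:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51002 DPT=23 SYN
2001-07-20 10:02:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.20 LEN=40 PROTO=UDP SPT=5000 DPT=23
"""


def parse_line(line: str):
    """Return a dict for a firewall line, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def telnet_sweep_sources(lines, window_seconds: int = 60, min_hosts: int = 5) -> dict:
    """Map each flagged source to the most distinct hosts it probed on TCP/23 in any window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == 23:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()
        peak = 0
        for ts, dst in evs:
            window.append((ts, dst))
            # Slide the window forward so it only covers the last window_seconds.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({d for _, d in window}))
        if peak >= min_hosts:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print(telnet_sweep_sources(SAMPLE_LOG.splitlines()))
```

Counting distinct destinations rather than raw connection attempts keeps a single administrator who reconnects to one host from tripping the rule, while a sweep across the address space is flagged after a handful of hosts.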
Administrators of secure systems are strongly advised to remove telnet from the server. If a telnetd service is required, administrators should use SSH as a secure alternative.
For users of Unix and Linux desktop systems, the telnetd service is seldom required. Administrators are recommended to remove telnetd from all systems. This vulnerability is only one of many possible exploits of the telnetd service. This is particularly important for administrators who are considering using telnetd to manage systems remotely. Administrators or any users with high-level privileges should use SSH.
Because of the security risks involved, telnet should not be installed on the system. The telnet package is installed by default on most Unix-derived systems.
When telnet must be used, restrict access to the telnet service (typically port 23/tcp) using a firewall or packet-filtering technology. While this limits exposure to attacks, blocking this port only at the network perimeter still allows attackers already inside the perimeter to exploit the vulnerability. Understanding the network's configuration and service requirements is important before making any changes.
Secure Shell downloads and additional information are available at the following links:
Debian has released an advisory at the following link: DSA-070-1
Gentoo has released a security advisory at the following link: GLSA 200410-03
Kerberos has released a security advisory at the following link: Kerberos
Red Hat has released a security advisory at the following link: RHSA-2001:099-06
Security Point has released an advisory on a Windows 2000 denial of service (DoS) attack. The DoS occurs when a system running Windows 2000 is scanned using the telnet AYT overflow scanner. The advisory is available at the following link: Advisory #003
Sun has released an alert notification at the following link: 28063
CERT has released a security advisory at the following link: CA-2001-21
The NIPC has released an advisory concerning the X.C worm and this vulnerability at the following link: NIPC
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209, or via e-mail at email@example.com.
Debian has released updated packages at the following link: Debian
FreeBSD has released a binary package for users with a valid FreeBSD PGP key at the following link: FreeBSD
Gentoo has provided the following update for net-misc/netkit-telnetd:
Note that these are temporary patches and users should be cautious when downloading patches that are not fully tested. Also note that a fix will not be provided for versions prior to 4.3 because IBM no longer supports older versions. Users are advised to upgrade to a newer version of AIX.
Kerberos has released a patch that can be obtained from the following link: krb5-1.2.2 Patch
Red Hat has released updated packages at the following link: Red Hat
Sun has released the patches at the following links:
Gentoo has released a security advisory and update to address the telnet daemon buffer overflow vulnerability.
2004-October-06 17:51 GMT
Cisco has released an additional security advisory for its VPN 3000 series concentrator, which includes workarounds and information on obtaining fixed software.
2002-September-04 13:39 GMT
Sun has released an Alert Notification containing patches that correct the buffer overflow vulnerability in the telnet daemon.
2002-June-10 22:18 GMT
Red Hat has released updated patches to correct the vulnerability in the Telnet daemon.
2002-February-08 13:11 GMT
Cisco has released patches to correct the vulnerability in the Telnet daemon that exists in the Catalyst family of products. All major security organizations are emphasizing the need to correct this vulnerability prior to the possible release of additional exploits.
2002-January-29 21:15 GMT
Hewlett-Packard has released patches to correct the vulnerability in the Telnet daemon. All major security organizations are emphasizing the need to correct this vulnerability prior to the possible release of additional exploits. Several key factors that contribute to mass defacements, compromises and rapidly propagating worms are present.
2001-October-18 19:40 GMT
Increased concerns over the potential for exploitation of this vulnerability are being reported. All major security organizations are emphasizing the need to correct this vulnerability prior to the possible release of additional exploits. Several key factors contributing to mass defacements, compromises, and rapidly propagating worms are present.
2001-August-31 18:45 GMT
Version 7, August 30, 2001, 7:06 PM: Reports suggest the existence of a worm exploiting this vulnerability in the Telnet daemon to infiltrate systems. Although this worm has been disabled, other variants are likely to be created. Users are recommended to contact vendors and install any available upgrades that prevent an exploit of this vulnerability.
Version 6, August 10, 2001, 5:58 PM: Originally, it was believed that netkit-Telnet 0.14 and previous versions for Linux were vulnerable to this exploit. It has been determined that versions prior to 0.17 are vulnerable. Red Hat and Debian have released updated packages. Users who have already updated should also correct netkit-Telnet versions later than 0.14 but prior to 0.17. Users who are not running a Linux distribution should contact their vendor for upgrade information.
Version 5, August 1, 2001, 9:47 AM: IBM has released preliminary patches for AIX 4.3.x and 5.1 that help to minimize the vulnerability. These are temporary fixes that have not been fully regression tested. IBM has also released a temporary workaround for users who do not wish to download the temporary patches. Kerberos has also released patches for the Telnet daemon included in their MIT krb5. These patches can be obtained in the Patches and Software section of this Alert.
Version 4, July 30, 2001, 11:08 AM: An unofficial report suggests that Mac OS X is also vulnerable to this issue. The problem was tested on Version 10.0.4 from a local machine and a remote Solaris host. Also, Telnet AYT overflow scanner, a new software tool developed by Security Point, scans machines to determine if they are vulnerable. Security Point also released an advisory stating that Microsoft Windows 2000 crashed when scanned by this tool.
Version 3, July 26, 2001, 5:54 PM: Reports have been released indicating that this vulnerability is being used to infiltrate web servers and deface web sites. The main targets are web servers on FreeBSD operating systems with the Telnet service open.
Version 2, July 25, 2001, 9:46 AM: CERT has released an advisory with vendor information and patches that correct this vulnerability. In addition, safeguards have been provided to help mitigate this problem.
Version 1, July 19, 2001, 7:06 PM: The BSD-derived Telnet daemon used in many Linux and Unix operating systems contains a buffer overflow vulnerability that may allow a remote attacker to overwrite data in memory and possibly execute arbitrary code as root. Patches or upgrades to correct this vulnerability are currently unavailable.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
FIXED SOFTWARE INFORMATION AND LINKS PROVIDED BY SUPPLIERS AND VENDORS ARE FOR REFERENCE ONLY. USERS SHOULD CONTACT THEIR SUPPLIER OR VENDOR FOR UPDATED SOFTWARE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.