Security

A hole in telnetd

By Jake Edge
January 4, 2012

An unexpected FreeBSD security team "holiday message" had an underlying cause that was, perhaps, even more surprising: a long-standing remote code execution flaw in telnetd. As the message notes, FreeBSD tries hard to avoid releasing security updates at inconvenient times, and the end of the year is pretty inconvenient for most. But, attacks were being seen in the wild and, since telnetd is typically run as root, the consequences were severe.

Some, perhaps many, readers can be forgiven for wondering what all the fuss is about, as it has been well over a decade since telnet was being actively discouraged for use on Linux (and other operating systems). It is still present in many distribution repositories, however, which led to a pile of Linux updates in addition to the FreeBSD update. It turns out that telnetd is actually being used much more than one might think, especially on embedded devices.

The reason that telnet has long been deprecated—at least over unencrypted networks—is that it is a cleartext protocol. Logging into a remote system using telnet means that your username and password are sent in the clear, so any man-in-the-middle can sniff your credentials. But, it turns out that the telnet protocol does have an encrypted mode (though it's not considered cryptographically strong), and it is that mode that is being exploited by the recent attacks.

The bug itself is a fairly mundane buffer overflow that is triggered when an overlong encryption key is sent to the server. That key is sent before any authentication has occurred, which allows random attackers to target any vulnerable telnetd server. Even readers without much knowledge of C (or buffer overflows) will likely understand the basics of the patch that fixes the problem. There is also a fairly comprehensive exploit available for study. It can target multiple Linux and BSD installations, and contains shell code (i.e. code that will create a root shell when executed by telnetd because of the exploit) for i386 and SPARC architectures.
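To make the bug and its fix concrete, here is an added C illustration (not telnetd's own source) of an ENCRYPT key-id handler with the bound check that the original code lacked, plus a frame builder to exercise it. The option codes follow RFC 2946; MAXKEYLEN, the struct layout and the try_keyid/sentinel helpers are assumptions modelled on the BSD-derived libtelnet rather than copied from it.

```c
#include <string.h>

/* Option codes are from the telnet ENCRYPT option (RFC 2946); MAXKEYLEN
 * and the struct layout are assumptions modelled on the BSD-derived
 * libtelnet. Added illustration, not telnetd's own source. */
#define IAC               255
#define SB                250
#define SE                240
#define TELOPT_ENCRYPT     38
#define ENCRYPT_ENC_KEYID   7
#define MAXKEYLEN          64

enum { KEYID_OK = 0, KEYID_EMPTY = -1, KEYID_TOO_LONG = -2,
       KEYID_BAD_FRAME = -3, KEYID_STATE_CORRUPT = -4 };

/* Per-connection key state: the fixed-size key-id buffer sits right before
 * a length field and a function pointer, which an unchecked copy of an
 * overlong key id would overwrite. */
struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
    int (*setkey)(struct key_info *);   /* hypothetical callback */
};

/* Hardened key-id handler. The pre-fix code went straight to memmove(), so
 * len > MAXKEYLEN ran off the end of keyid[]. The real fix clamps len to
 * MAXKEYLEN; this version rejects an overlong key id outright instead. */
int encrypt_keyid(struct key_info *kp, const unsigned char *keyid, size_t len)
{
    if (len == 0)
        return KEYID_EMPTY;
    if (len > MAXKEYLEN)
        return KEYID_TOO_LONG;          /* the bound the original lacked */
    if (len == (size_t)kp->keylen && memcmp(kp->keyid, keyid, len) == 0)
        return KEYID_OK;                /* same key id as before */
    memmove(kp->keyid, keyid, len);
    kp->keylen = (int)len;
    return KEYID_OK;
}

/* Validate one ENCRYPT suboption, already IAC-unescaped by the telnet
 * layer: IAC SB ENCRYPT ENC_KEYID <keyid...> IAC SE. */
int handle_encrypt_suboption(struct key_info *kp, const unsigned char *buf, size_t n)
{
    if (n < 6 || buf[0] != IAC || buf[1] != SB || buf[2] != TELOPT_ENCRYPT ||
        buf[3] != ENCRYPT_ENC_KEYID || buf[n - 2] != IAC || buf[n - 1] != SE)
        return KEYID_BAD_FRAME;
    return encrypt_keyid(kp, buf + 4, n - 6);
}

static int sentinel(struct key_info *kp) { (void)kp; return 1; }

/* Constructed test input: a suboption carrying a keylen-byte key id.
 * Returns the handler's verdict, or KEYID_STATE_CORRUPT if the callback
 * pointer behind the buffer did not survive the call. */
int try_keyid(size_t keylen)
{
    unsigned char frame[512];
    struct key_info kp;
    if (keylen + 6 > sizeof frame)
        return KEYID_BAD_FRAME;
    frame[0] = IAC; frame[1] = SB; frame[2] = TELOPT_ENCRYPT; frame[3] = ENCRYPT_ENC_KEYID;
    memset(frame + 4, 'K', keylen);
    frame[4 + keylen] = IAC; frame[5 + keylen] = SE;
    memset(&kp, 0, sizeof kp);
    kp.setkey = sentinel;
    int rc = handle_encrypt_suboption(&kp, frame, keylen + 6);
    return kp.setkey == sentinel ? rc : KEYID_STATE_CORRUPT;
}
```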

While the bug itself has been around for quite some time, it is interesting—nearly amusing—to see that sites still have telnetd servers running. The updates imply that these hosts are both accessible by untrusted users (or no update would be needed) and are regularly accessed via telnet. There are few, if any, Linux distributions that enable telnetd by default, so administrators or device makers are knowingly enabling it. While sshd most certainly has had its share of bugs, and will likely have more down the road, one would guess that security researchers pay a lot more attention to sshd than they do to telnetd. Not so for attackers evidently.

Part of the reason that telnetd may still be hanging around is that Windows doesn't ship an SSH client, but does ship telnet. That may encourage device makers to enable telnet so that Windows users can access the device without installing any software. In addition, the comment thread on our posting of the FreeBSD message contained several reports that Cisco and Juniper routers are often accessed via telnet. Given that those devices often sit in strategic internet locations, and may well be running a telnetd descended from the vulnerable code, it could lead to some fairly serious consequences. One hopes that Cisco, Juniper, and others are paying attention.

Brief items

Security quote of the week

There is a problem with proprietary, closed software, which makes me a bit uneasy. We get a serious democratic deficit when the citizens are not able to inspect if the computers running the country's administrations are actually doing what they claim to be doing, doing all that and something else invisibly on top, doing the wrong thing in the wrong way at the wrong time, or doing nothing at all. (Judging from most governmental IT projects, they all fall into one of these four categories.)

But this problem is peanuts compared to what has just appeared. In the debate around the American Stop Online Piracy Act, American legislators have demonstrated a clear capability and willingness to interfere with the technical operations of American products, when doing so furthers American political interests regardless of the policy situation in the customer's country. Actually, it's even worse: American legislators have demonstrated a willingness to do this just because of the different laws in the customer's country, outside of the United States.

-- Pirate Party founder Rick Falkvinge

28C3: New attacks on GSM mobiles and security measures shown (The H)

The H reports from the Chaos Communication Congress; the open-source Osmocom package appears to be serving its intended purpose and finding vulnerabilities in the cellphone network. "The researchers explained and then demonstrated how, using the above technique and easily procurable tools, attackers are able to emulate a mobile phone to make phone calls and send text messages. They noted that some users have already received bills totalling thousands of euros for calls and texts to Caribbean premium rate services. In many cases, an attacker can, by simulating a GSM mobile, also query that subscriber's mailbox providing they know the subscriber's location and the key has not been changed."

Merry Christmas from FreeBSD

The FreeBSD security team has sent out a holiday card of sorts to its users. "No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes aren't deceiving you: We really did just send out 5 security advisories." The motivating factor appears to be this vulnerability in telnetd; anybody who exposes a telnet port to the net on FreeBSD is currently open to a remote root exploit. The number of LWN readers doing so must be tiny (if, indeed, it's nonzero), but it seems worthwhile to get the word out there anyway.

The Linux kernel's memory allocators from an exploitation perspective

"Argp" has posted a lengthy look at the kernel's memory allocators and how they can be exploited to attack the system. "The attack vector of corrupting adjacent objects on the same slab is fully applicable to SLUB and largely works like in the case of the SLAB allocator. However, in the case of SLUB there is an added attack vector: exploiting the allocator’s metadata (the ones responsible for finding the next free object on the slab). As twiz and sgrakkyu have demonstrated in their book on kernel exploitation, the slab can be misaligned by corrupting the least significant byte of the metadata of a free object that holds the pointer to the next free object. This misalignment of the slab allows us to create an in-slab fake object and by doing so to a) satisfy safeguard checks as the one I explained in the previous paragraph when they are used, and b) to hijack the kernel’s execution flow to our own code."

New vulnerabilities

cacti: multiple vulnerabilities

Package(s): cacti    CVE #(s): (none)
Created: December 23, 2011    Updated: January 4, 2012
Description: The update to Cacti 0.8.7i fixes multiple security vulnerabilities. See the release notes for details.
Alerts:
Fedora FEDORA-2011-17015 2011-12-12
Fedora FEDORA-2011-17049 2011-12-12

ffmpeg: multiple code-execution vulnerabilities

Package(s): ffmpeg    CVE #(s): CVE-2011-4351 CVE-2011-4353 CVE-2011-4364 CVE-2011-4579
Created: January 4, 2012    Updated: August 30, 2012
Description: Multiple vulnerabilities have been found in the ffmpeg audio application.

  • CVE-2011-4351: a buffer overflow in the QDM2 decoder.
  • CVE-2011-4353: out-of-bounds reads in vp5_parse_coeff() and vp6_parse_coeff().
  • CVE-2011-4364: an obscure vulnerability in vmd_decode() disclosed in this paper [PDF].
  • CVE-2011-4579: a thoroughly mysterious vulnerability as of this writing.
Alerts:
Debian DSA-2378-1 2012-01-03
Ubuntu USN-1320-1 2012-01-05
Ubuntu USN-1333-1 2012-01-17
Mandriva MDVSA-2012:074 2012-05-14
Mandriva MDVSA-2012:075 2012-05-15
Mandriva MDVSA-2012:076 2012-05-15
Mandriva MDVSA-2012:074-1 2012-08-30
Mandriva MDVSA-2012:148 2012-08-30

ghostscript: code execution

Package(s): ghostscript    CVE #(s): CVE-2009-3743
Created: January 4, 2012    Updated: February 6, 2012
Description: From the CVE entry: Off-by-one error in the Ins_MINDEX function in the TrueType bytecode interpreter in Ghostscript before 8.71 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed TrueType font in a document that triggers an integer overflow and a heap-based buffer overflow.
Alerts:
Ubuntu USN-1317-1 2012-01-04
Red Hat RHSA-2012:0095-01 2012-02-02
CentOS CESA-2012:0095 2012-02-03
Scientific Linux SL-ghos-20120203 2012-02-03
Oracle ELSA-2012-0095 2012-02-03

ghostscript: denial of service

Package(s): ghostscript    CVE #(s): CVE-2010-4054
Created: January 4, 2012    Updated: February 6, 2012
Description: Specially crafted font data in a compressed data stream can force the ghostscript interpreter to crash; see this patch for details.
Alerts:
Ubuntu USN-1317-1 2012-01-04
Red Hat RHSA-2012:0095-01 2012-02-02
Red Hat RHSA-2012:0096-01 2012-02-02
CentOS CESA-2012:0095 2012-02-03
CentOS CESA-2012:0096 2012-02-03
Scientific Linux SL-ghos-20120203 2012-02-03
Oracle ELSA-2012-0095 2012-02-03
Oracle ELSA-2012-0096 2012-02-03

kernel: restriction bypass

Package(s): kernel    CVE #(s): CVE-2011-4127
Created: December 23, 2011    Updated: March 6, 2012
Description: From the Red Hat advisory:

Using the SG_IO IOCTL to issue SCSI requests to partitions or LVM volumes resulted in the requests being passed to the underlying block device. If a privileged user only had access to a single partition or LVM volume, they could use this flaw to bypass those restrictions and gain read and write access (and be able to issue other SCSI commands) to the entire block device.

In KVM (Kernel-based Virtual Machine) environments using raw format virtio disks backed by a partition or LVM volume, a privileged guest user could bypass intended restrictions and issue read and write requests (and other SCSI commands) on the host, and possibly access the data of other guests that reside on the same underlying block device. Partition-based and LVM-based storage pools are not used by default. Refer to Red Hat Bugzilla bug 752375 for further details and a mitigation script for users who cannot apply this update immediately. (CVE-2011-4127, Important)

Alerts:
Oracle ELSA-2011-1849 2011-12-27
Oracle ELSA-2011-2038 2011-12-27
Scientific Linux SL-kern-20111222 2011-12-22
CentOS CESA-2011:1849 2011-12-23
Red Hat RHSA-2011:1849-01 2011-12-22
Fedora FEDORA-2011-17372 2011-12-23
Fedora FEDORA-2011-17388 2011-12-23
Oracle ELSA-2012-0007 2012-01-12
Debian DSA-2389-1 2012-01-15
Fedora FEDORA-2012-0876 2012-01-24
Oracle ELSA-2012-0050 2012-01-23
Fedora FEDORA-2012-0861 2012-01-24
Scientific Linux SL-qemu-20120125 2012-01-25
SUSE SUSE-SU-2012:0153-1 2012-02-06
SUSE SUSE-SU-2012:0153-2 2012-02-06
Red Hat RHSA-2012:0107-01 2012-02-09
CentOS CESA-2012:0107 2012-02-09
Scientific Linux SL-kern-20120213 2012-02-13
Oracle ELSA-2012-0107 2012-02-10
Red Hat RHSA-2012:0333-01 2012-02-23
Ubuntu USN-1384-1 2012-03-06
Ubuntu USN-1388-1 2012-03-06
Red Hat RHSA-2012:0358-01 2012-03-06
Ubuntu USN-1389-1 2012-03-06
Oracle ELSA-2012-0150 2012-03-07
Ubuntu USN-1405-1 2012-03-27
SUSE SUSE-SU-2012:0554-1 2012-04-23
SUSE SUSE-SU-2012:0554-2 2012-04-26
Oracle ELSA-2012-2022 2012-07-02
Oracle ELSA-2012-0862 2012-07-02

kernel: denial of service

Package(s): kernel    CVE #(s): (none)
Created: December 26, 2011    Updated: January 4, 2012
Description: Linux kernel 3.1.6 restores the route cache garbage collector. Recent kernels could fill and exhaust their neighbor cache.
Alerts:
Fedora FEDORA-2011-17381 2011-12-23

moodle: lots of vulnerabilities

Package(s): moodle    CVE #(s): CVE-2011-4581 CVE-2011-4582 CVE-2011-4583 CVE-2011-4584 CVE-2011-4585 CVE-2011-4586 CVE-2011-4587 CVE-2011-4588 CVE-2011-4589 CVE-2011-4590 CVE-2011-4591 CVE-2011-4592 CVE-2011-4593
Created: December 22, 2011    Updated: January 4, 2012
Description: The moodle 2.1.3, 2.0.6, and 1.9.15 releases fix a large number of information leak, code injection, and other vulnerabilities; see the 2.1.3 release notes for details.
Alerts:
Fedora FEDORA-2011-16833 2011-12-10
Fedora FEDORA-2011-16903 2011-12-10
Debian DSA-2421-1 2012-02-29

mozilla: multiple vulnerabilities

Package(s): mozilla, firefox, thunderbird, seamonkey    CVE #(s): CVE-2011-3658 CVE-2011-3660 CVE-2011-3661 CVE-2011-3663 CVE-2011-3665
Created: December 26, 2011    Updated: March 23, 2012
Description: From the Mandriva advisory:

The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and SeaMonkey 2.5 does not properly interact with DOMAttrModified event handlers, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via vectors involving removal of SVG elements (CVE-2011-3658).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trigger a compartment mismatch associated with the nsDOMMessageEvent::GetData function, and unknown other vectors (CVE-2011-3660).

YARR, as used in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted JavaScript (CVE-2011-3661).

Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to capture keystrokes entered on a web page by using SVG animation accessKey events within that web page (CVE-2011-3663).

Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an Ogg VIDEO element that is not properly handled after scaling (CVE-2011-3665).

Alerts:
Mandriva MDVSA-2011:192 2011-12-23
openSUSE openSUSE-SU-2012:0007-1 2012-01-05
Ubuntu USN-1306-1 2012-01-06
Ubuntu USN-1306-2 2012-01-06
Ubuntu USN-1343-1 2012-01-24
openSUSE openSUSE-SU-2012:0039-2 2012-02-09
Mandriva MDVSA-2012:031 2012-03-17
Ubuntu USN-1401-1 2012-03-19
Ubuntu USN-1401-2 2012-03-23
openSUSE openSUSE-SU-2012:0417-1 2012-03-27
openSUSE openSUSE-SU-2012:0567-1 2012-04-27
Gentoo 201301-01 2013-01-07

openstack-nova: directory traversal

Package(s): openstack-nova    CVE #(s): CVE-2011-4596
Created: December 23, 2011    Updated: January 20, 2012
Description: From the Red Hat bugzilla:

Prevent potential directory traversal with malicious EC2 image tarballs, by making sure the tarfile is safe before unpacking it.

Prevent potential directory traversal with malicious file names in EC2 image manifests.

Alerts:
Fedora FEDORA-2011-17111 2011-12-14
Fedora FEDORA-2012-0682 2012-01-19

php: denial of service

Package(s): php    CVE #(s): CVE-2011-4885
Created: December 30, 2011    Updated: April 13, 2012
Description: From the Mandriva advisory:

PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Alerts:
Mandriva MDVSA-2011:197 2011-12-30
Red Hat RHSA-2012:0019-01 2012-01-11
CentOS CESA-2012:0019 2012-01-11
Oracle ELSA-2012-0019 2012-01-12
Scientific Linux SL-NotF-20120112 2012-01-12
Oracle ELSA-2012-0019 2012-01-13
Red Hat RHSA-2012:0033-01 2012-01-18
CentOS CESA-2012:0033 2012-01-18
Oracle ELSA-2012-0033 2012-01-18
Scientific Linux SL-php-20120119 2012-01-19
Fedora FEDORA-2012-0504 2012-01-19
Fedora FEDORA-2012-0420 2012-01-26
Red Hat RHSA-2012:0071-01 2012-01-30
CentOS CESA-2012:0071 2012-01-30
Debian DSA-2399-1 2012-01-31
Oracle ELSA-2012-0071 2012-01-31
Scientific Linux SL-php-20120130 2012-01-30
Oracle ELSA-2012-0093 2012-02-03
Ubuntu USN-1358-1 2012-02-09
SUSE SUSE-SU-2012:0411-1 2012-03-24
openSUSE openSUSE-SU-2012:0426-1 2012-03-29
SUSE SUSE-SU-2012:0496-1 2012-04-12
Mandriva MDVSA-2012:071 2012-05-10
Oracle ELSA-2012-1046 2012-06-30
Gentoo 201209-03 2012-09-23

phpmyadmin: cross-site scripting

Package(s): phpMyAdmin    CVE #(s): CVE-2011-4780 CVE-2011-4782
Created: January 2, 2012    Updated: January 4, 2012
Description: From the Red Hat bugzilla:

Multiple cross-site scripting (XSS) vulnerabilities in libraries/display_export.lib.php in phpMyAdmin 3.4.x before 3.4.9 allow remote attackers to inject arbitrary web script or HTML via crafted URL parameters, related to the export panels in the (1) server, (2) database, and (3) table sections. (CVE-2011-4780)

From the Red Hat bugzilla:

Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter. (CVE-2011-4782)

Alerts:
Fedora FEDORA-2011-17369 2011-12-23
Fedora FEDORA-2011-17370 2011-12-23
Mandriva MDVSA-2011:198 2011-12-31
Gentoo 201201-01 2012-01-04

t1lib: code execution

Package(s): t1lib    CVE #(s): CVE-2011-0764
Created: December 22, 2011    Updated: January 30, 2012
Description: The t1lib package has a code execution vulnerability exploitable via a malicious font file.
Alerts:
Ubuntu USN-1316-1 2011-12-21
Mandriva MDVSA-2012:002 2012-01-02
Debian DSA-2388-1 2012-01-14
Oracle ELSA-2012-0062 2012-01-25
Red Hat RHSA-2012:0062-01 2012-01-24
Scientific Linux SL-t1li-20120125 2012-01-25
Fedora FEDORA-2012-0289 2012-01-28
Fedora FEDORA-2012-0266 2012-01-28
CentOS CESA-2012:0062 2012-01-30
Red Hat RHSA-2012:0137-01 2012-02-15
Scientific Linux SL-texl-20120215 2012-02-15
CentOS CESA-2012:0137 2012-02-16
Oracle ELSA-2012-0137 2012-02-15
openSUSE openSUSE-SU-2012:0559-1 2012-04-25
Slackware SSA:2012-228-01 2012-08-15
Red Hat RHSA-2012:1201-01 2012-08-23
CentOS CESA-2012:1201 2012-08-23
Oracle ELSA-2012-1201 2012-08-23
Scientific Linux SL-tete-20120823 2012-08-23
Mandriva MDVSA-2012:144 2012-08-28

telnetd: code execution with root privileges

Package(s): telnetd krb5 krb5-appl heimdal    CVE #(s): CVE-2011-4862
Created: December 26, 2011    Updated: February 23, 2012
Description: From the Debian advisory:

It was discovered that the Kerberos support for telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to the Telnet port to execute arbitrary code with root privileges.

Alerts:
CentOS CESA-2011:1852 2011-12-27
CentOS CESA-2011:1851 2011-12-27
Oracle ELSA-2011-1851 2011-12-27
Mandriva MDVSA-2011:195 2011-12-28
Red Hat RHSA-2011:1854-01 2011-12-28
Debian DSA-2375-1 2011-12-26
Debian DSA-2372-1 2011-12-25
Oracle ELSA-2011-1852 2011-12-27
Scientific Linux SL-krb5-20111227 2011-12-27
Red Hat RHSA-2011:1851-01 2011-12-27
Red Hat RHSA-2011:1852-02 2011-12-27
Debian DSA-2373-1 2011-12-25
Red Hat RHSA-2011:1853-01 2011-12-28
openSUSE openSUSE-SU-2012:0019-1 2012-01-05
SUSE SUSE-SU-2012:0010-1 2012-01-05
SUSE SUSE-SU-2012:0018-1 2012-01-05
SUSE SUSE-SU-2012:0042-1 2012-01-05
SUSE SUSE-SU-2012:0024-1 2012-01-05
Fedora FEDORA-2011-17493 2011-12-27
Fedora FEDORA-2011-17492 2011-12-27
Gentoo 201201-14 2012-01-23
Gentoo 201202-05 2012-02-22
Oracle ELSA-2012-0306 2012-03-07

unbound: denial of service

Package(s): unbound    CVE #(s): CVE-2011-4528 CVE-2011-4869
Created: December 23, 2011    Updated: January 4, 2012
Description: From the Debian advisory:

It was discovered that Unbound, a recursive DNS resolver, would crash when processing certain malformed DNS responses from authoritative DNS servers, leading to denial of service.

CVE-2011-4528: Unbound attempts to free unallocated memory during processing of duplicate CNAME records in a signed zone.

CVE-2011-4869: Unbound does not properly process malformed responses which lack expected NSEC3 records.

Alerts:
Debian DSA-2370-1 2011-12-22
Fedora FEDORA-2011-17282 2011-12-22
Fedora FEDORA-2011-17337 2011-12-22

Page editor: Jake Edge

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds