FreeBSD Security Advisory FreeBSD-SA-09:05.telnetd
Tom Judge
tom at tomjudge.com
Tue Feb 17 11:08:34 PST 2009
Hi,
It seems that you got the patch levels wrong in this announcement, should it not be:
2009-02-16 21:56:17 UTC (RELENG_7, 7.1-STABLE)
2009-02-16 21:56:17 UTC (RELENG_7_1, 7.1-RELEASE-p3)
2009-02-16 21:56:17 UTC (RELENG_7_0, 7.0-RELEASE-p10)
Rather than:
2009-02-16 21:56:17 UTC (RELENG_7, 7.1-STABLE)
2009-02-16 21:56:17 UTC (RELENG_7_1, 7.1-RELEASE-p10)
2009-02-16 21:56:17 UTC (RELENG_7_0, 7.0-RELEASE-p3)
Regards
Tom Judge
FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:05.telnetd Security Advisory
> The FreeBSD Project
>
> Topic: telnetd code execution vulnerability
>
> Category: core
> Module: contrib
> Announced: 2009-02-16
> Affects: FreeBSD 7.x
> Corrected: 2009-02-16 21:56:17 UTC (RELENG_7, 7.1-STABLE)
> 2009-02-16 21:56:17 UTC (RELENG_7_1, 7.1-RELEASE-p10)
> 2009-02-16 21:56:17 UTC (RELENG_7_0, 7.0-RELEASE-p3)
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I. Background
>
> The FreeBSD telnet daemon, telnetd(8), implements the server side of the
> TELNET virtual terminal protocol. It has been disabled by default in
> FreeBSD since August 2001, and due to the lack of cryptographic security
> in the TELNET protocol, it is strongly recommended that the SSH protocol
> be used instead. The FreeBSD telnet daemon can be enabled via the
> /etc/inetd.conf configuration file and the inetd(8) daemon.
>
> The TELNET protocol allows a connecting client to specify environment
> variables which should be set in any created login session; this is used,
> for example, to specify terminal settings.
>
> II. Problem Description
>
> In order to prevent environment variable based attacks, telnetd(8) "scrubs"
> its environment; however, recent changes in FreeBSD's environment-handling
> code rendered telnetd's scrubbing inoperative, thereby allowing potentially
> harmful environment variables to be set.
>
> III. Impact
>
> An attacker who can place a specially-constructed file onto a target system
> (either by legitimately logging into the system or by exploiting some other
> service on the system) can execute arbitrary code with the privileges of
> the user running the telnet daemon (usually root).
>
> IV. Workaround
>
> No workaround is available, but systems which are not running the telnet
> daemon are not vulnerable.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or
> RELENG_7_0 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 7.0 and 7.1
> systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/libtelnet
> # make obj && make depend && make
> # cd /usr/src/libexec/telnetd
> # make obj && make depend && make && make install
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch Revision
> Path
> - -------------------------------------------------------------------------
> RELENG_7
> src/contrib/telnet/telnetd/sys_term.c 1.18.22.1
> RELENG_7_1
> src/UPDATING 1.507.2.13.2.6
> src/sys/conf/newvers.sh 1.72.2.9.2.7
> src/contrib/telnet/telnetd/sys_term.c 1.18.30.2
> RELENG_7_0
> src/UPDATING 1.507.2.3.2.14
> src/sys/conf/newvers.sh 1.72.2.5.2.14
> src/contrib/telnet/telnetd/sys_term.c 1.18.26.1
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path Revision
> - -------------------------------------------------------------------------
> stable/7/ r188699
> releng/7.1/ r188699
> releng/7.0/ r188699
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:05.telnetd.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (FreeBSD)
>
> iEYEARECAAYFAkmZ4dwACgkQFdaIBMps37JI2gCfZsCqw/ev/qVKELwNiFxj8zra
> aooAn0GU4wBW7jBulFhrSyXtKVlgs18B
> =joA6
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security-notifications at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
> To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe at freebsd.org"
>
More information about the freebsd-security
mailing list