FreeBSD Security Advisory FreeBSD-SA-09:05.telnetd

Tom Judge tom at tomjudge.com
Tue Feb 17 11:08:34 PST 2009 

Hi,

It seems that you got the patch levels wrong in this announcement, should it not be:

2009-02-16 21:56:17 UTC (RELENG_7, 7.1-STABLE)
2009-02-16 21:56:17 UTC (RELENG_7_1, 7.1-RELEASE-p3)
2009-02-16 21:56:17 UTC (RELENG_7_0, 7.0-RELEASE-p10)

Rather than:

2009-02-16 21:56:17 UTC (RELENG_7, 7.1-STABLE)
2009-02-16 21:56:17 UTC (RELENG_7_1, 7.1-RELEASE-p10)
2009-02-16 21:56:17 UTC (RELENG_7_0, 7.0-RELEASE-p3)


Regards

Tom Judge



FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:05.telnetd                                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          telnetd code execution vulnerability
>
> Category:       core
> Module:         contrib
> Announced:      2009-02-16
> Affects:        FreeBSD 7.x
> Corrected:      2009-02-16 21:56:17 UTC (RELENG_7, 7.1-STABLE)
>                 2009-02-16 21:56:17 UTC (RELENG_7_1, 7.1-RELEASE-p10)
>                 2009-02-16 21:56:17 UTC (RELENG_7_0, 7.0-RELEASE-p3)
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I.   Background
>
> The FreeBSD telnet daemon, telnetd(8), implements the server side of the
> TELNET virtual terminal protocol.  It has been disabled by default in
> FreeBSD since August 2001, and due to the lack of cryptographic security
> in the TELNET protocol, it is strongly recommended that the SSH protocol
> be used instead.  The FreeBSD telnet daemon can be enabled via the
> /etc/inetd.conf configuration file and the inetd(8) daemon.
>
> The TELNET protocol allows a connecting client to specify environment
> variables which should be set in any created login session; this is used,
> for example, to specify terminal settings.
>
> II.  Problem Description
>
> In order to prevent environment variable based attacks, telnetd(8) "scrubs"
> its environment; however, recent changes in FreeBSD's environment-handling
> code rendered telnetd's scrubbing inoperative, thereby allowing potentially
> harmful environment variables to be set.
>
> III. Impact
>
> An attacker who can place a specially-constructed file onto a target system
> (either by legitimately logging into the system or by exploiting some other
> service on the system) can execute arbitrary code with the privileges of
> the user running the telnet daemon (usually root).
>
> IV.  Workaround
>
> No workaround is available, but systems which are not running the telnet
> daemon are not vulnerable.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or
> RELENG_7_0 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 7.0 and 7.1
> systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/libtelnet
> # make obj && make depend && make
> # cd /usr/src/libexec/telnetd
> # make obj && make depend && make && make install
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_7
>   src/contrib/telnet/telnetd/sys_term.c                         1.18.22.1
> RELENG_7_1
>   src/UPDATING                                             1.507.2.13.2.6
>   src/sys/conf/newvers.sh                                    1.72.2.9.2.7
>   src/contrib/telnet/telnetd/sys_term.c                         1.18.30.2
> RELENG_7_0
>   src/UPDATING                                             1.507.2.3.2.14
>   src/sys/conf/newvers.sh                                   1.72.2.5.2.14
>   src/contrib/telnet/telnetd/sys_term.c                         1.18.26.1
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/7/                                                         r188699
> releng/7.1/                                                       r188699
> releng/7.0/                                                       r188699
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:05.telnetd.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (FreeBSD)
>
> iEYEARECAAYFAkmZ4dwACgkQFdaIBMps37JI2gCfZsCqw/ev/qVKELwNiFxj8zra
> aooAn0GU4wBW7jBulFhrSyXtKVlgs18B
> =joA6
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security-notifications at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
> To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe at freebsd.org"
>

More information about the freebsd-security mailing list