ID CVE-2005-0488
Summary Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
References
Vulnerable Configurations
  • Microsoft telnet_client 5.1.2600.2180
    cpe:2.3:a:microsoft:telnet_client:5.1.2600.2180
  • MIT Kerberos 5 1.3.4
    cpe:2.3:a:mit:kerberos:5-1.3.4
  • Sun SunOS (Solaris 9) 5.9
    cpe:2.3:o:sun:sunos:5.9
CVSS
Base: 5.0 (as of 16-06-2005 - 10:35)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-562.NASL
    description Updated krb5 packages which fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. [Updated 26 Sep 2005] krb5-server packages have been added to this advisory for Red Hat Enterprise Linux 3 WS and Red Hat Enterprise Linux 3 Desktop. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Although no exploit is currently known to exist, this issue could potentially be exploited to allow arbitrary code execution on a Key Distribution Center (KDC). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Gael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). All users of krb5 should update to these erratum packages which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18687
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18687
    title RHEL 2.1 / 3 : krb5 (RHSA-2005:562)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2006-004.NASL
    description The remote host is running Apple Mac OS X, but lacks Security Update 2006-004. This security update contains fixes for the following applications : AFP Server Bluetooth Bom DHCP dyld fetchmail gnuzip ImageIO LaunchServices OpenSSH telnet WebKit
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 22125
    published 2006-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22125
    title Mac OS X Multiple Vulnerabilities (Security Update 2006-004)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-119.NASL
    description A number of vulnerabilities have been corrected in this Kerberos update : The rcp protocol would allow a server to instruct a client to write to arbitrary files outside of the current directory. The Kerberos-aware rcp could be abused to copy files from a malicious server (CVE-2004-0175). Gael Delalleau discovered an information disclosure vulnerability in the way some telnet clients handled messages from a server. This could be abused by a malicious telnet server to collect information from the environment of any victim connecting to the server using the Kerberos- aware telnet client (CVE-2005-0488). Daniel Wachdorf disovered that in error conditions that could occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory, which could cause the KDC to crash resulting in a Denial of Service (CVE-2005-1174). Daniel Wachdorf also discovered a single-byte heap overflow in the krb5_unparse_name() function that could, if successfully exploited, lead to a crash, resulting in a DoS. To trigger this flaw, an attacker would need to have control of a Kerberos realm that shares a cross- realm key with the target (CVE-2005-1175). Finally, a double-free flaw was discovered in the krb5_recvauth() routine which could be triggered by a remote unauthenticated attacker. This issue could potentially be exploited to allow for the execution of arbitrary code on a KDC. No exploit is currently known to exist (CVE-2005-1689). The updated packages have been patched to address this issue and Mandriva urges all users to upgrade to these packages as quickly as possible.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 19201
    published 2005-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19201
    title Mandrake Linux Security Advisory : krb5 (MDKSA-2005:119)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS05-033.NASL
    description The remote version of Windows contains a flaw the Telnet client that could allow an attacker to read the session variables of users connecting to a rogue telnet server.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18486
    published 2005-06-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18486
    title MS05-033: Vulnerability in Telnet Client Could Allow Information Disclosure (896428)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-562.NASL
    description Updated krb5 packages which fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. [Updated 26 Sep 2005] krb5-server packages have been added to this advisory for Red Hat Enterprise Linux 3 WS and Red Hat Enterprise Linux 3 Desktop. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Although no exploit is currently known to exist, this issue could potentially be exploited to allow arbitrary code execution on a Key Distribution Center (KDC). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Gael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). All users of krb5 should update to these erratum packages which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21840
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21840
    title CentOS 3 : krb5 (CESA-2005:562)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-504.NASL
    description Updated telnet packages that fix an information disclosure issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The telnet package provides a command line telnet client. Gael Delalleau discovered an information disclosure issue in the way the telnet client handles messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0488 to this issue. Users of telnet should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21834
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21834
    title CentOS 3 / 4 : telnet (CESA-2005:504)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-504.NASL
    description Updated telnet packages that fix an information disclosure issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The telnet package provides a command line telnet client. Gael Delalleau discovered an information disclosure issue in the way the telnet client handles messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0488 to this issue. Users of telnet should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18501
    published 2005-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18501
    title RHEL 2.1 / 3 / 4 : telnet (RHSA-2005:504)
oval via4
  • accepted 2013-04-29T04:13:35.713-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
    family unix
    id oval:org.mitre.oval:def:11373
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
    version 24
  • accepted 2005-09-21T01:33:00.000-04:00
    class vulnerability
    contributors
    name Jay Beale
    organization Bastille Linux
    description Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
    family unix
    id oval:org.mitre.oval:def:1139
    status accepted
    submitted 2005-07-11T12:00:00.000-04:00
    title Telnet Client Information Disclosure Vulnerability
    version 4
redhat via4
advisories
  • rhsa
    id RHSA-2005:504
  • rhsa
    id RHSA-2005:562
refmap via4
apple APPLE-SA-2006-08-01
bid
  • 13940
  • 19289
cert TA06-214A
cert-vn VU#800829
idefense 20050614 Multiple Vendor Telnet Client Information Disclosure Vulnerability
sectrack 1014203
secunia
  • 17135
  • 21253
sunalert
  • 101665
  • 101671
  • 57755
  • 57761
suse SUSE-SR:2005:016
vupen ADV-2006-3101
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 07-03-2011 - 21:20
Published 14-06-2005 - 00:00
Last modified 30-10-2018 - 12:25
Back to Top