ID CVE-2007-0956
Summary The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.
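The flaw this record describes is the general argument-injection pattern: a client-supplied username that starts with '-' is handed to the login helper (login.krb5) as a bare argv element, where the helper's option parser reads it as a flag rather than as a user name (see the KRB_TELNET_ENV.NASL description further down, which names the '-e' case). The following Python is an added example, not code from MIT krb5 or from this record. It uses a toy getopt-style parser as a hypothetical stand-in for login.krb5's real option handling, shows the flawed argv construction beside a hardened one, and demonstrates why both a strict username policy and a "--" end-of-options marker are wanted. The helper path, the `-p`/`-h` options and the sample usernames are assumptions.

```python
import re

# Assumed helper path, for illustration only; the real location varies by distribution.
LOGIN_HELPER = "/usr/lib/krb5/login.krb5"


def parse_login_options(argv):
    """Hypothetical getopt-style parser standing in for login.krb5's option handling.

    Any argument with a leading '-' is treated as an option; "--" ends option
    parsing. It exists only to show what happens when a username lands in
    option position, and is not the real login.krb5 logic.
    """
    opts, positional, i = {}, [], 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            positional.extend(argv[i + 1:])
            break
        if arg.startswith("-") and len(arg) > 1:
            flag, rest = arg[1], arg[2:]
            if flag == "h":               # option that consumes the next argument
                opts[flag] = argv[i + 1]
                i += 2
                continue
            opts[flag] = rest if rest else True
        else:
            positional.append(arg)
        i += 1
    return opts, positional


def build_login_argv_vulnerable(username, remote_host):
    """Flawed pattern: the client-supplied username is appended as a bare argument."""
    return [LOGIN_HELPER, "-p", "-h", remote_host, username]


# Conservative username policy: portable characters only, no leading '-' or '.'.
USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9._-]{0,31}")


def build_login_argv_hardened(username, remote_host):
    """Reject anything that could be parsed as an option, then terminate option
    parsing with "--" so the helper cannot misread the name even if the policy
    is later relaxed. The "--" convention is honoured by getopt(3)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"refusing unsafe username {username!r}")
    return [LOGIN_HELPER, "-p", "-h", remote_host, "--", username]


def login_would_be_flagged(argv, flag="e"):
    """True if the helper would see `flag` set, i.e. the username was swallowed as an option."""
    opts, _ = parse_login_options(argv)
    return flag in opts


if __name__ == "__main__":
    bad = build_login_argv_vulnerable("-eroot", "10.0.0.5")      # constructed sample
    print("vulnerable argv:", bad, "-> -e seen:", login_would_be_flagged(bad))
    good = build_login_argv_hardened("alice", "10.0.0.5")
    print("hardened argv:", good, "-> -e seen:", login_would_be_flagged(good))
```

Rejecting a leading '-' alone closes this bug, but the allow-list plus "--" is the durable fix: the helper's accepted option set can change across versions, and the same pattern appears wherever a daemon builds an argv from network input. The operational fix for this CVE remains upgrading to krb5 1.6.1 or the vendor build listed below, and, as the Red Hat text on this page notes, the krb5 telnet daemon should stay disabled unless it is actually needed.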
References
Vulnerable Configurations
  • Debian Debian Linux 3.1
    cpe:2.3:o:debian:debian_linux:3.1
  • Debian GNU/Linux 4.0
    cpe:2.3:o:debian:debian_linux:4.0
  • rPath Linux 1
    cpe:2.3:o:rpath:linux:1
  • MIT Kerberos 5 1.6
    cpe:2.3:a:mit:kerberos:5-1.6
CVSS
Base: 7.6 (as of 09-04-2007 - 12:43)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: HIGH
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KRB5-APPS-SERVERS-3022.NASL
    description When using the krb5 telnet daemon it was possible for remote attackers to override authentication mechanisms and gain root access to the machine by supplying a special username. This is tracked by the Mitre CVE ID CVE-2007-0956.
    last seen 2019-02-21
    modified 2013-03-30
    plugin id 29497
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29497
    title SuSE 10 Security Update : krb5-apps-servers (ZYPP Patch Number 3022)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_X86_119796.NASL
    description SEAM 1.0.2_x86: patch for Solaris 9_x86. Date this patch was last updated by Sun : Apr/03/07
    last seen 2016-09-26
    modified 2013-03-30
    plugin id 23614
    published 2006-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23614
    title Solaris 5.9 (x86) : 119796-04
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_116462.NASL
    description SEAM 1.0.2: patch for Solaris 9. Date this patch was last updated by Sun : Apr/03/07
    last seen 2018-09-01
    modified 2014-08-30
    plugin id 23517
    published 2006-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23517
    title Solaris 9 (sparc) : 116462-06
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KRB5-APPS-SERVERS-3021.NASL
    description When using the krb5 telnet daemon it was possible for remote attackers to override authentication mechanisms and gain root access to the machine by supplying a special username. This is tracked by the Mitre CVE ID CVE-2007-0956.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27313
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27313
    title openSUSE 10 Security Update : krb5-apps-servers (krb5-apps-servers-3021)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200704-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-200704-02 (MIT Kerberos 5: Arbitrary remote code execution) The Kerberos telnet daemon fails to properly handle usernames allowing unauthorized access to any account (CVE-2007-0956). The Kerberos administration daemon, the KDC and possibly other applications using the MIT Kerberos libraries are vulnerable to the following issues. The krb5_klog_syslog function from the kadm5 library fails to properly validate input leading to a stack overflow (CVE-2007-0957). The GSS-API library is vulnerable to a double-free attack (CVE-2007-1216). Impact : By exploiting the telnet vulnerability a remote attacker may obtain access with root privileges. The remaining vulnerabilities may allow an authenticated remote attacker to execute arbitrary code with root privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 24935
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24935
    title GLSA-200704-02 : MIT Kerberos 5: Arbitrary remote code execution
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0095.NASL
    description From Red Hat Security Advisory 2007:0095 : Updated krb5 packages that fix a number of issues are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. (CVE-2007-0956) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have enabled the krb5 telnet daemon and have it accessible remotely, this update should be applied immediately. Whilst we are not aware at this time that the flaw is being actively exploited, we have confirmed that the flaw is very easily exploitable. This update also fixes two additional security issues : Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (CVE-2007-0957) A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. Red Hat Enterprise Linux 4 and 5 contain checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 and 5 successful exploitation of this issue can only lead to a denial of service. Applications which use this library in earlier releases of Red Hat Enterprise Linux may also be affected. (CVE-2007-1216) All users are advised to update to these erratum packages which contain a backported fix to correct these issues. Red Hat would like to thank MIT and iDefense for reporting these vulnerabilities.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67458
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67458
    title Oracle Linux 3 / 4 / 5 : krb5 (ELSA-2007-0095)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0095.NASL
    description Updated krb5 packages that fix a number of issues are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. (CVE-2007-0956) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have enabled the krb5 telnet daemon and have it accessible remotely, this update should be applied immediately. Whilst we are not aware at this time that the flaw is being actively exploited, we have confirmed that the flaw is very easily exploitable. This update also fixes two additional security issues : Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (CVE-2007-0957) A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. Red Hat Enterprise Linux 4 and 5 contain checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 and 5 successful exploitation of this issue can only lead to a denial of service. Applications which use this library in earlier releases of Red Hat Enterprise Linux may also be affected. (CVE-2007-1216) All users are advised to update to these erratum packages which contain a backported fix to correct these issues. Red Hat would like to thank MIT and iDefense for reporting these vulnerabilities.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 24948
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24948
    title RHEL 2.1 / 3 / 4 / 5 : krb5 (RHSA-2007:0095)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_119796.NASL
    description SEAM 1.0.2_x86: patch for Solaris 9_x86. Date this patch was last updated by Sun : Apr/03/07
    last seen 2016-09-26
    modified 2013-03-30
    plugin id 36967
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36967
    title Solaris 5.9 (sparc) : 119796-04
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1276.NASL
    description Several remote vulnerabilities have been discovered in the MIT reference implementation of the Kerberos network authentication protocol suite, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-0956 It was discovered that the krb5 telnet daemon performs insufficient validation of usernames, which might allow unauthorized logins or privilege escalation. - CVE-2007-0957 iDefense discovered that a buffer overflow in the logging code of the KDC and the administration daemon might lead to arbitrary code execution. - CVE-2007-1216 It was discovered that a double free in the RPCSEC_GSS part of the GSS library code might lead to arbitrary code execution.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25010
    published 2007-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25010
    title Debian DSA-1276-1 : krb5 - several vulnerabilities
  • NASL family Gain a shell remotely
    NASL id KRB_TELNET_ENV.NASL
    description An authentication bypass vulnerability exists in the MIT krb5 telnet daemon due to a failure to sanitize malformed usernames. This allows usernames beginning with '-e' to be interpreted as a command-line flag by the login.krb5 program. A remote attacker can exploit this, via a crafted username, to cause login.krb5 to execute part of the BSD rlogin protocol, which in turn allows the attacker to login with an arbitrary username without a password or any further authentication.
    last seen 2019-02-21
    modified 2018-07-13
    plugin id 24998
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24998
    title Kerberos telnet Crafted Username Remote Authentication Bypass
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-449-1.NASL
    description The krb5 telnet service did not appropriately verify user names. A remote attacker could log in as the root user by requesting a specially crafted user name. (CVE-2007-0956) The krb5 syslog library did not correctly verify the size of log messages. A remote attacker could send a specially crafted message and execute arbitrary code with root privileges. (CVE-2007-0957) The krb5 administration service was vulnerable to a double-free in the GSS RPC library. A remote attacker could send a specially crafted request and execute arbitrary code with root privileges. (CVE-2007-1216). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28046
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28046
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : krb5 vulnerabilities (USN-449-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-077.NASL
    description A vulnerability was found in the username handling of the MIT krb5 telnet daemon. A remote attacker that could access the telnet port of a target machine could login as root without requiring a password (CVE-2007-0956). Buffer overflows in the kadmin server daemon were discovered that could be exploited by a remote attacker able to access the KDC. Successful exploitation could allow for the execution of arbitrary code with the privileges of the KDC or kadmin server processes (CVE-2007-0957). Finally, a double-free flaw was discovered in the GSSAPI library used by the kadmin server daemon, which could lead to a denial of service condition or the execution of arbitrary code with the privileges of the KDC or kadmin server processes (CVE-2007-1216). Updated packages have been patched to address this issue. Update : Packages for Mandriva Linux 2007.1 are now available.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 24943
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24943
    title Mandrake Linux Security Advisory : krb5 (MDKSA-2007:077-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0095.NASL
    description Updated krb5 packages that fix a number of issues are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. (CVE-2007-0956) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have enabled the krb5 telnet daemon and have it accessible remotely, this update should be applied immediately. Whilst we are not aware at this time that the flaw is being actively exploited, we have confirmed that the flaw is very easily exploitable. This update also fixes two additional security issues : Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (CVE-2007-0957) A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. Red Hat Enterprise Linux 4 and 5 contain checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 and 5 successful exploitation of this issue can only lead to a denial of service. Applications which use this library in earlier releases of Red Hat Enterprise Linux may also be affected. (CVE-2007-1216) All users are advised to update to these erratum packages which contain a backported fix to correct these issues. Red Hat would like to thank MIT and iDefense for reporting these vulnerabilities.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 24919
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24919
    title CentOS 3 / 4 : krb5 (CESA-2007:0095)
oval via4
accepted 2013-04-29T04:00:51.513-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.
family unix
id oval:org.mitre.oval:def:10046
status accepted
submitted 2010-07-09T03:56:16-04:00
title The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.
version 24
redhat via4
advisories
rhsa
id RHSA-2007:0095
rpms
  • krb5-devel-0:1.2.7-61
  • krb5-libs-0:1.2.7-61
  • krb5-server-0:1.2.7-61
  • krb5-workstation-0:1.2.7-61
  • krb5-devel-0:1.3.4-46
  • krb5-libs-0:1.3.4-46
  • krb5-server-0:1.3.4-46
  • krb5-workstation-0:1.3.4-46
  • krb5-devel-0:1.5-23
  • krb5-libs-0:1.5-23
  • krb5-server-0:1.5-23
  • krb5-workstation-0:1.5-23
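As a practitioner check against the fixed builds listed above, the following Python is an added example, not code from this record, from Red Hat, or from rpm. It parses package strings in the name-epoch:version-release form used above, compares them with a simplified rpmvercmp (segment-wise numeric/alphabetic comparison; no tilde or caret handling), and reports whether the installed package is at or above the RHSA-2007:0095 build for its version stream. The installed package strings in the usage and test are constructed samples; the `rpm -q` query format mentioned in the comment is the standard way to obtain them.

```python
import re
from itertools import zip_longest

# Fixed builds listed for RHSA-2007:0095 on this page (name-epoch:version-release).
FIXED_RPMS = [
    "krb5-devel-0:1.2.7-61", "krb5-libs-0:1.2.7-61",
    "krb5-server-0:1.2.7-61", "krb5-workstation-0:1.2.7-61",
    "krb5-devel-0:1.3.4-46", "krb5-libs-0:1.3.4-46",
    "krb5-server-0:1.3.4-46", "krb5-workstation-0:1.3.4-46",
    "krb5-devel-0:1.5-23", "krb5-libs-0:1.5-23",
    "krb5-server-0:1.5-23", "krb5-workstation-0:1.5-23",
]

# Matches "name-epoch:version-release"; epoch is optional and rpm prints "(none)"
# for an unset epoch when queried with
#   rpm -q --qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}\n' krb5-libs
_NEVR = re.compile(r"^(?P<name>.+)-(?:(?P<epoch>\d+|\(none\)):)?(?P<ver>[^-:]+)-(?P<rel>[^-]+)$")


def parse_nevr(nevr):
    """Split a package string into (name, epoch:int, version, release)."""
    m = _NEVR.match(nevr)
    if not m:
        raise ValueError(f"cannot parse package string {nevr!r}")
    epoch = m.group("epoch")
    epoch = 0 if epoch in (None, "(none)") else int(epoch)
    return m.group("name"), epoch, m.group("ver"), m.group("rel")


def _segments(s):
    # rpm compares runs of digits and runs of letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: returns 1, 0 or -1. Numeric segments compare as
    integers and sort after alphabetic ones; a longer string wins a tie."""
    for sa, sb in zip_longest(_segments(a), _segments(b)):
        if sa is None:
            return -1
        if sb is None:
            return 1
        da, db = sa.isdigit(), sb.isdigit()
        if da and db:
            ia, ib = int(sa), int(sb)
            if ia != ib:
                return 1 if ia > ib else -1
        elif da != db:
            return 1 if da else -1        # numeric beats alphabetic
        elif sa != sb:
            return 1 if sa > sb else -1
    return 0


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples the way rpm orders packages."""
    (ea, va, ra), (eb, vb, rb) = a, b
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(installed_nevr):
    """True/False if the package belongs to a stream fixed by RHSA-2007:0095,
    None if no listed build shares its name and upstream version."""
    name, e, v, r = parse_nevr(installed_nevr)
    for fixed in FIXED_RPMS:
        fname, fe, fv, fr = parse_nevr(fixed)
        if fname == name and fv == v:      # same package stream (RHEL 3 / 4 / 5 builds)
            return evr_cmp((e, v, r), (fe, fv, fr)) >= 0
    return None


if __name__ == "__main__":
    # Constructed sample output, as rpm -q --qf would print it on three hosts.
    for pkg in ("krb5-libs-(none):1.5-22", "krb5-libs-0:1.5-23", "krb5-libs-(none):1.6-1"):
        print(pkg, "->", is_patched(pkg))
```

A None result means the host is not running one of the streams this advisory covers (for example a self-built krb5 or another distribution), so it must be assessed against the upstream 1.6.1 boundary or the matching vendor advisory instead. The simplified comparison is adequate for the version strings on this page; for general use, rpm's own `rpmdev-vercmp` or the `rpm` Python bindings should be preferred.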
refmap via4
bid 23281
bugtraq
  • 20070403 MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956]
  • 20070404 rPSA-2007-0063-1 krb5 krb5-server krb5-services krb5-test krb5-workstation
  • 20070405 FLEA-2007-0008-1: krb5
cert TA07-093B
cert-vn VU#220816
confirm http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-001-telnetd.txt
debian DSA-1276
gentoo GLSA-200704-02
mandriva MDKSA-2007:077
sectrack 1017848
secunia
  • 24706
  • 24735
  • 24736
  • 24740
  • 24750
  • 24755
  • 24757
  • 24785
  • 24786
  • 24817
sgi 20070401-01-P
sunalert 102867
suse SUSE-SA:2007:025
ubuntu USN-449-1
vupen
  • ADV-2007-1218
  • ADV-2007-1249
xf kerberos-telnet-security-bypass(33414)
Last major update 07-03-2011 - 21:51
Published 05-04-2007 - 21:19
Last modified 16-10-2018 - 12:35