ID CVE-2011-4862
Summary Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.
References
Vulnerable Configurations
  • FreeBSD 7.3
    cpe:2.3:o:freebsd:freebsd:7.3
  • FreeBSD 8.1
    cpe:2.3:o:freebsd:freebsd:8.1
  • FreeBSD 8.2
    cpe:2.3:o:freebsd:freebsd:8.2
  • FreeBSD 9.0
    cpe:2.3:o:freebsd:freebsd:9.0
  • FreeBSD 8.0
    cpe:2.3:o:freebsd:freebsd:8.0
  • Heimdal 1.5.1
    cpe:2.3:a:h5l:heimdal:1.5.1
  • MIT krb5-appl 1.0.2
    cpe:2.3:a:mit:krb5-appl:1.02
CVSS
Base: 10.0 (as of 26-12-2011 - 16:08)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (CVSS v2, as recorded in the Access and Impact fields below)
Impact: 10.0
Exploitability: 10.0
CWE CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
  Vector           Complexity   Authentication
  NETWORK          LOW          NONE
Impact
  Confidentiality  Integrity    Availability
  COMPLETE         COMPLETE     COMPLETE
exploit-db via4
  • description Telnetd encrypt_keyid - Remote Root Function Pointer Overwrite. CVE-2011-4862. Remote exploit for linux platform
    file exploits/linux/remote/18280.c
    id EDB-ID:18280
    last seen 2016-02-02
    modified 2011-12-26
    platform linux
    port
    published 2011-12-26
    reporter NighterMan and BatchDrake
    source https://www.exploit-db.com/download/18280/
    title Telnetd encrypt_keyid - Remote Root Function Pointer Overwrite
    type remote
  • description Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow. CVE-2011-4862. Remote exploit for linux platform
    id EDB-ID:18368
    last seen 2016-02-02
    modified 2012-01-14
    published 2012-01-14
    reporter metasploit
    source https://www.exploit-db.com/download/18368/
    title Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
  • description FreeBSD Telnet Service Encryption Key ID Buffer Overflow. CVE-2011-4862. Remote exploit for bsd platform
    id EDB-ID:18369
    last seen 2016-02-02
    modified 2012-01-14
    published 2012-01-14
    reporter metasploit
    source https://www.exploit-db.com/download/18369/
    title FreeBSD Telnet Service Encryption Key ID Buffer Overflow
metasploit via4
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KRB5-7899.NASL
    description This update of krb5 fixes two security issues. - A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.) (CVE-2011-4862) - MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems. (CVE-2011-1526)
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 57431
    published 2012-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57431
    title SuSE 10 Security Update : Kerberos 5 (ZYPP Patch Number 7899)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201201-14.NASL
    description The remote host is affected by the vulnerability described in GLSA-201201-14 (MIT Kerberos 5 Applications: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MIT Kerberos 5 Applications: An error in the FTP daemon prevents it from dropping its initial effective group identifier (CVE-2011-1526). A boundary error in the telnet daemon and client could cause a buffer overflow (CVE-2011-4862). Impact : An unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the user running the telnet daemon or client. Furthermore, an authenticated remote attacker may be able to read or write files owned by the same group as the effective group of the FTP daemon. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 57656
    published 2012-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57656
    title GLSA-201201-14 : MIT Kerberos 5 Applications: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KRB5-111229.NASL
    description This update of krb5 fixes two security issues. - A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.) (CVE-2011-4862) - MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems. (CVE-2011-1526)
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 57430
    published 2012-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57430
    title SuSE 11.1 Security Update : Kerberos 5 (SAT Patch Number 5594)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_KRB5-APPL-111229.NASL
    description This update of krb5 applications fixes two security issues. CVE-2011-4862: A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.) CVE-2011-1526 / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75564
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75564
    title openSUSE Security Update : krb5-appl (openSUSE-SU-2012:0019-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_KRB5-APPL-111229.NASL
    description This update of krb5 applications fixes two security issues. CVE-2011-4862: A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.) CVE-2011-1526 / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75886
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75886
    title openSUSE Security Update : krb5-appl (openSUSE-SU-2012:0019-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-17493.NASL
    description This update incorporates the upstream patch to fix a buffer overflow in the Kerberos-aware telnet server. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 57443
    published 2012-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57443
    title Fedora 16 : krb5-appl-1.0.2-2.fc16 (2011-17493)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2011-1852.NASL
    description Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 57406
    published 2011-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57406
    title CentOS 6 : krb5-appl (CESA-2011:1852)
  • NASL family CISCO
    NASL id CISCO-SA-20120126-ESA.NASL
    description According to its self-reported version, the version of AsyncOS running on the remote Cisco Email Security Appliance (ESA) is affected by a remote code execution vulnerability due to a buffer overflow condition in the telnet component.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 79271
    published 2014-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79271
    title Cisco Email Security Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-1851.NASL
    description From Red Hat Security Advisory 2011:1851 : Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 68412
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68412
    title Oracle Linux 4 / 5 : krb5 (ELSA-2011-1851)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2375.NASL
    description It was discovered that the encryption support for BSD telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to the Telnet port to execute arbitrary code with root privileges.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 57515
    published 2012-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57515
    title Debian DSA-2375-1 : krb5, krb5-appl - buffer overflow
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2011-0015.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Fix for (CVE-2011-4862) - incorporate a fix to teach the file labeling bits about when replay caches are expunged (#712453) - rebuild - ftp: handle larger command inputs (#665833) - don't bail halfway through an unlock operation when the result will be discarded and the end-result not cleaned up (Martin Osvald, #586032) - add a versioned dependency between krb5-server-ldap and krb5-libs (internal tooling) - don't discard the error code from an error message received in response to a change-password request (#658871, RT#6893) - ftpd: add patch from Jatin Nansi to correctly match restrict lines in /etc/ftpusers (#644215, RT#6889) - ftp: add modified patch from Rogan Kyuseok Lee to report the number of bytes transferred correctly when transferring large files on 32-bit systems (#648404) - backport fix for RT#6514: memory leak freeing rcache type none (#678205) - add upstream patch to fix hang or crash in the KDC when using the LDAP kdb backend (CVE-2011-0281, CVE-2011-0282, #671097) - incorporate upstream patch for checksum acceptance issues from MITKRB5-SA-2010-007 (CVE-2010-1323, #652308) - backport a fix to the previous change (#539423) - backport the k5login_directory and k5login_authoritative settings (#539423) - krshd: don't limit user names to 16 chars when utmp can handle names at least a bit longer than that (#611713) - fix a logic bug in computing key expiration times (RT#6762, #627038) - correct the post-rotate scriptlet in the kadmind logrotate config (more of #462658) - ftpd: backport changes to modify behavior to match telnetd,rshd,rlogind and accept GSSAPI auth to any service for which we have a matching key (#538075) - pull in fix for RT#5551 to treat the referral realm when seen in a ticket as though it were the local realm (#498554, also very likely #450122) - add aes256-cts:normal and aes128-cts:normal to the list of keysalts in the default kdc.conf (part of #565941) - add a note to kdc.conf(5) pointing to the admin guide for the list of recognized key and salt types (the rest of #565941) - add logrotate configuration files for krb5kdc and kadmind (#462658) - libgssapi: backport patch from svn to stop returning context-expired errors when the ticket which was used to set up the context expires (#605367, upstream #6739) - enable building the -server-ldap subpackage (#514362) - stop caring about the endianness of stash files (#514741), which will be replaced by proper keytab files in later releases - don't crash in krb5_get_init_creds_password if the passed-in options struct is NULL and the client's keys have expired (#555875) - ksu: perform PAM account and session management before dropping privileges to those of the target user (#540769 and #596887, respectively) - add candidate patch to correct libgssapi null pointer dereference which could be triggered by malformed client requests (CVE-2010-1321, #583704) - fix a null pointer dereference and crash introduced in our PAM patch that would happen if ftpd was given the name of a user who wasn't known to the local system, limited to being triggerable by gssapi-authenticated clients by the default xinetd config (Olivier Fourdan, #569472) - add upstream patch to fix a few use-after-free bugs, including one in kadmind (CVE-2010-0629, #578186) - merge patch to correct KDC integer overflows which could be triggered by malformed RC4 and AES ciphertexts (CVE-2009-4212, #546348) - pull changes to libkrb5 to properly handle and chase off-path referrals back from 1.7 (#546538) - add an auth stack to ksu's PAM configuration so that it can successfully pam_setcred - also set PAM_RUSER in ksu for completeness (#479071+#477033) - fix various typos, except for bits pertaining to licensing (#499190) - kdb5_util: when renaming a database, if the new name's associated lock files don't exist, go ahead and create them (#442879) - ksu: perform PAM account and session management for the target user; authentication is still performed as before (#477033) - fix typo in ksu's reporting of errors getting credentials (#462890) - kadmind.init: stop setting up a keytab, as kadmind's been able to use the database directly for a while now (#473151) - pull up patch to set PAM_RHOST (James Leddy, #479071)
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 79475
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79475
    title OracleVM 2.2 : krb5 (OVMSA-2011-0015)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-1852.NASL
    description From Red Hat Security Advisory 2011:1852 : Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 68413
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68413
    title Oracle Linux 6 : krb5-appl (ELSA-2011-1852)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4DDC78DC300A11E1A2AA0016CE01E285.NASL
    description The MIT Kerberos Team reports : When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. Also see MITKRB5-SA-2011-008.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 57403
    published 2011-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57403
    title FreeBSD : krb5-appl -- telnetd code execution vulnerability (4ddc78dc-300a-11e1-a2aa-0016ce01e285)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2373.NASL
    description It was discovered that the Kerberos support for telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to TELNET to execute arbitrary code with root privileges.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 57513
    published 2012-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57513
    title Debian DSA-2373-1 : inetutils - buffer overflow
  • NASL family Misc.
    NASL id VMWARE_VMSA-2012-0006_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - Kernel - krb5 telnet daemon
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 89107
    published 2016-03-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89107
    title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0006) (remote check)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-1854.NASL
    description Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6.0 and 6.1 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 64018
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64018
    title RHEL 6 : krb5-appl (RHSA-2011:1854)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-1851.NASL
    description Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 57408
    published 2011-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57408
    title RHEL 4 / 5 : krb5 (RHSA-2011:1851)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201202-05.NASL
    description The remote host is affected by the vulnerability described in GLSA-201202-05 (Heimdal: Arbitrary code execution) A boundary error in the 'encrypt_keyid()' function in appl/telnet/libtelnet/encrypt.c of the telnet daemon and client could cause a buffer overflow. Impact : An unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the user running the telnet daemon or client, or cause Denial of Service. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 58101
    published 2012-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58101
    title GLSA-201202-05 : Heimdal: Arbitrary code execution
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2372.NASL
    description It was discovered that the Kerberos support for telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to TELNET to execute arbitrary code with root privileges.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 57512
    published 2012-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57512
    title Debian DSA-2372-1 : heimdal - buffer overflow
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2011-1851.NASL
    description Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 57405
    published 2011-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57405
    title CentOS 4 / 5 : krb5 (CESA-2011:1851)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2012-0006.NASL
    description a. VMware ROM Overwrite Privilege Escalation A flaw in the way port-based I/O is handled allows for modifying Read-Only Memory that belongs to the Virtual DOS Machine. Exploitation of this issue may lead to privilege escalation on Guest Operating Systems that run Windows 2000, Windows XP 32-bit, Windows Server 2003 32-bit or Windows Server 2003 R2 32-bit. VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1515 to this issue. b. ESX third-party update for Service Console kernel The ESX Service Console Operating System (COS) kernel is updated to kernel-400.2.6.18-238.4.11.591731 to fix multiple security issues in the COS kernel. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-2482, CVE-2011-3191 and CVE-2011-4348 to these issues. c. ESX third-party update for Service Console krb5 RPM This patch updates the krb5-libs and krb5-workstation RPMs to version 1.6.1-63.el5_7 to resolve a security issue. By default, the affected krb5-telnet and ekrb5-telnet services do not run. The krb5 telnet daemon is an xinetd service. You can run the following commands to check if krb5 telnetd is enabled : /sbin/chkconfig --list krb5-telnet /sbin/chkconfig --list ekrb5-telnet The output of these commands displays if krb5 telnet is enabled. You can run the following commands to disable krb5 telnet daemon : /sbin/chkconfig krb5-telnet off /sbin/chkconfig ekrb5-telnet off The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-4862 to this issue.
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 58535
    published 2012-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58535
    title VMSA-2012-0006 : VMware Workstation, ESXi, and ESX address several security issues
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-1853.NASL
    description Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 3 Extended Life Cycle Support, 5.3 Long Life and 5.6 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 64017
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64017
    title RHEL 5 : krb5 (RHSA-2011:1853)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-17.NASL
    description - Fixed a remote code execution in ktelnetd (CVE-2011-4862 / bnc#738632)
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 74578
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74578
    title openSUSE Security Update : krb5-appl (openSUSE-2012-17)
  • NASL family CISCO
    NASL id CISCO-SA-20120126-WSA.NASL
    description According to its self-reported version, the version of AsyncOS running on the remote Cisco Web Security Appliance (WSA) is affected by a remote code execution vulnerability due to a buffer overflow condition in the telnet component.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 79273
    published 2014-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79273
    title Cisco Web Security Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2011-195.NASL
    description A vulnerability has been discovered and corrected in krb5-appl, heimdal and netkit-telnet : An unauthenticated remote attacker can cause a buffer overflow and probably execute arbitrary code with the privileges of the telnet daemon (CVE-2011-4862). In Mandriva the telnetd daemon from the netkit-telnet-server package does not have an initscript to start and stop the service, however one could rather easily craft an initscript or start the service by other means rendering the system vulnerable to this issue. The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 57412
    published 2011-12-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57412
    title Mandriva Linux Security Advisory : krb5-appl (MDVSA-2011:195)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-17492.NASL
    description This update incorporates the upstream patch to fix a buffer overflow in the Kerberos-aware telnet server. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 57442
    published 2012-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57442
    title Fedora 15 : krb5-appl-1.0.1-8.fc15 (2011-17492)
  • NASL family CISCO
    NASL id CISCO-SA-20120126-SMA.NASL
    description According to its self-reported version, the version of AsyncOS running on the remote Cisco Content Security Management Appliance (SMA) is affected by a remote code execution vulnerability due to a buffer overflow condition in the telnet component.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 79272
    published 2014-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79272
    title Cisco Content Security Management Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-1852.NASL
    description Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 57409
    published 2011-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57409
    title RHEL 6 : krb5-appl (RHSA-2011:1852)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20111227_KRB5_APPL_ON_SL6_X.NASL
    description The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Scientific Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61213
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61213
    title Scientific Linux Security Update : krb5-appl on SL6.x i386/x86_64
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_TELNET_20120404.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011. (CVE-2011-4862)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80781
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80781
    title Oracle Solaris Third-Party Patch Update : telnet (cve_2011_4862_buffer_overflow)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20111227_KRB5_ON_SL4_X.NASL
    description Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Scientific Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61214
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61214
    title Scientific Linux Security Update : krb5 on SL4.x, SL5.x i386/x86_64
packetstorm via4
redhat via4
advisories
  • bugzilla
    id 770325
    title CVE-2011-4862 krb5: telnet client and server encrypt_keyid heap-based buffer overflow
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304001
      • OR
        • AND
          • comment krb5-devel is earlier than 0:1.3.4-65.el4
            oval oval:com.redhat.rhsa:tst:20111851004
          • comment krb5-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070095007
        • AND
          • comment krb5-libs is earlier than 0:1.3.4-65.el4
            oval oval:com.redhat.rhsa:tst:20111851002
          • comment krb5-libs is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070095003
        • AND
          • comment krb5-server is earlier than 0:1.3.4-65.el4
            oval oval:com.redhat.rhsa:tst:20111851008
          • comment krb5-server is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070095009
        • AND
          • comment krb5-workstation is earlier than 0:1.3.4-65.el4
            oval oval:com.redhat.rhsa:tst:20111851006
          • comment krb5-workstation is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070095005
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331001
      • OR
        • AND
          • comment krb5-devel is earlier than 0:1.6.1-63.el5_7
            oval oval:com.redhat.rhsa:tst:20111851019
          • comment krb5-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070095021
        • AND
          • comment krb5-libs is earlier than 0:1.6.1-63.el5_7
            oval oval:com.redhat.rhsa:tst:20111851013
          • comment krb5-libs is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070095019
        • AND
          • comment krb5-server is earlier than 0:1.6.1-63.el5_7
            oval oval:com.redhat.rhsa:tst:20111851015
          • comment krb5-server is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070095023
        • AND
          • comment krb5-server-ldap is earlier than 0:1.6.1-63.el5_7
            oval oval:com.redhat.rhsa:tst:20111851017
          • comment krb5-server-ldap is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20110199011
        • AND
          • comment krb5-workstation is earlier than 0:1.6.1-63.el5_7
            oval oval:com.redhat.rhsa:tst:20111851011
          • comment krb5-workstation is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070095017
    rhsa
    id RHSA-2011:1851
    released 2011-12-27
    severity Critical
    title RHSA-2011:1851: krb5 security update (Critical)
  • bugzilla
    id 770325
    title CVE-2011-4862 krb5: telnet client and server encrypt_keyid heap-based buffer overflow
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment krb5-appl-clients is earlier than 0:1.0.1-7.el6_2
          oval oval:com.redhat.rhsa:tst:20111852005
        • comment krb5-appl-clients is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110920008
      • AND
        • comment krb5-appl-servers is earlier than 0:1.0.1-7.el6_2
          oval oval:com.redhat.rhsa:tst:20111852007
        • comment krb5-appl-servers is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110920006
    rhsa
    id RHSA-2011:1852
    released 2011-12-27
    severity Critical
    title RHSA-2011:1852: krb5-appl security update (Critical)
  • rhsa
    id RHSA-2011:1853
  • rhsa
    id RHSA-2011:1854
rpms
  • krb5-devel-0:1.3.4-65.el4
  • krb5-libs-0:1.3.4-65.el4
  • krb5-server-0:1.3.4-65.el4
  • krb5-workstation-0:1.3.4-65.el4
  • krb5-devel-0:1.6.1-63.el5_7
  • krb5-libs-0:1.6.1-63.el5_7
  • krb5-server-0:1.6.1-63.el5_7
  • krb5-server-ldap-0:1.6.1-63.el5_7
  • krb5-workstation-0:1.6.1-63.el5_7
  • krb5-appl-clients-0:1.0.1-7.el6_2
  • krb5-appl-servers-0:1.0.1-7.el6_2
refmap via4
bugtraq 20111226 MITKRB5-SA-2011-008 buffer overflow in telnetd [CVE-2011-4862]
confirm
debian
  • DSA-2372
  • DSA-2373
  • DSA-2375
exploit-db 18280
fedora
  • FEDORA-2011-17492
  • FEDORA-2011-17493
freebsd FreeBSD-SA-11:08
mandriva MDVSA-2011:195
mlist [freebsd-security] 20111223 Merry Christmas from the FreeBSD Security Team
osvdb 78020
sectrack
  • 1026460
  • 1026463
secunia
  • 46239
  • 47341
  • 47348
  • 47357
  • 47359
  • 47373
  • 47374
  • 47397
  • 47399
  • 47441
suse
  • SUSE-SU-2012:0010
  • SUSE-SU-2012:0018
  • SUSE-SU-2012:0024
  • SUSE-SU-2012:0042
  • SUSE-SU-2012:0050
  • SUSE-SU-2012:0056
  • openSUSE-SU-2012:0019
  • openSUSE-SU-2012:0051
xf multiple-telnetd-bo(71970)
saint via4
bid 51182
description Telnetd Encryption Key ID Code Execution
id shell_telnet_freebsd
osvdb 78020
title telnet_server_encrypt_keyid
type remote
Last major update 17-07-2013 - 12:31
Published 24-12-2011 - 20:55
Last modified 28-08-2017 - 21:30