ID CESA-2005:562 Type centos Reporter CentOS Project Modified 2005-07-14T18:12:54
Description
CentOS Errata and Security Advisory CESA-2005:562
Kerberos is a networked authentication system which uses a trusted third
party (a KDC) to authenticate clients and servers to each other.
A double-free flaw was found in the krb5_recvauth() routine which may be
triggered by a remote unauthenticated attacker. Although no exploit is
currently known to exist, this issue could potentially be exploited to
allow arbitrary code execution on a Key Distribution Center (KDC). The
Common Vulnerabilities and Exposures project assigned the name
CAN-2005-1689 to this issue.
Daniel Wachdorf discovered a single byte heap overflow in the
krb5_unparse_name() function, part of krb5-libs. Successful exploitation of
this flaw would lead to a denial of service (crash). To trigger this flaw
an attacker would need to have control of a Kerberos realm that shares a
cross-realm key with the target, making exploitation of this flaw unlikely.
(CAN-2005-1175).
Gaël Delalleau discovered an information disclosure issue in the way
some telnet clients handle messages from a server. An attacker could
construct a malicious telnet server that collects information from the
environment of any victim who connects to it using the Kerberos-aware
telnet client (CAN-2005-0488).
The rcp protocol allows a server to instruct a client to write to arbitrary
files outside of the current directory. This could potentially cause a
security issue if a user uses the Kerberos-aware rcp to copy files from a
malicious server (CAN-2004-0175).
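The rcp weakness above comes down to a client trusting the file name the server sends in its transfer directive. As an added example (not code from the advisory or from krb5's rcp client), the following parser assumes the BSD rcp control-line format "C<mode> <size> <name>" and shows the check a client needs so that a server-supplied name cannot steer the write outside the local destination directory, next to the trusting behaviour the advisory describes.

```python
"""Hardened handling of rcp-style file directives received from a remote server.

Added example, not the krb5 or CentOS code.  Assumption: the server announces
each file with a control line of the form 'C<mode> <size> <name>' (BSD rcp/scp
convention), after which the client writes <size> bytes to <name>.
"""
import os
import re
from typing import Tuple

# 'C', four octal mode digits, a decimal size, then the file name.
_DIRECTIVE = re.compile(r"^C([0-7]{4}) (\d+) (.+)$")


class RcpProtocolError(ValueError):
    """Raised when a server-supplied directive is malformed or unsafe."""


def parse_file_directive(line: str) -> Tuple[int, int, str]:
    """Parse 'C0644 12 notes.txt' into (mode, size, name); no safety check yet."""
    m = _DIRECTIVE.match(line.rstrip("\n"))
    if not m:
        raise RcpProtocolError(f"malformed directive: {line!r}")
    return int(m.group(1), 8), int(m.group(2)), m.group(3)


def is_safe_name(name: str) -> bool:
    """The server may only name a plain entry inside the destination directory:
    no empty name, no '.' or '..', no path separators, no control characters."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name:
        return False
    if any(ord(c) < 0x20 for c in name):
        return False
    return True


def local_path_for(dest_dir: str, line: str) -> str:
    """Hardened client: return the only path this directive may write to,
    or raise RcpProtocolError if the server's name would escape dest_dir."""
    _mode, _size, name = parse_file_directive(line)
    if not is_safe_name(name):
        raise RcpProtocolError(f"refusing server-supplied name: {name!r}")
    target = os.path.realpath(os.path.join(dest_dir, name))
    # Belt and braces: after resolving symlinks the file must still sit
    # directly under the destination directory.
    if os.path.dirname(target) != os.path.realpath(dest_dir):
        raise RcpProtocolError(f"name escapes destination directory: {name!r}")
    return target


def unsafe_local_path_for(dest_dir: str, line: str) -> str:
    """Pre-fix behaviour, for comparison only: the name is trusted verbatim,
    so '../.bashrc' or an absolute path lands wherever the server chooses."""
    _mode, _size, name = parse_file_directive(line)
    return os.path.normpath(os.path.join(dest_dir, name))


if __name__ == "__main__":
    # Constructed sample directives: one honest, one from a malicious server.
    for directive in ("C0644 12 notes.txt", "C0644 5 ../.bashrc"):
        print("trusting client would write:", unsafe_local_path_for("/tmp/inbox", directive))
        try:
            print("hardened client writes:   ", local_path_for("/tmp/inbox", directive))
        except RcpProtocolError as exc:
            print("hardened client refuses:  ", exc)
```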
All users of krb5 should update to these erratum packages which contain
backported patches to correct these issues. Red Hat would like to thank
the MIT Kerberos Development Team for their responsible disclosure of these
issues.
Merged security bulletin from advisories:
http://lists.centos.org/pipermail/centos-announce/2005-July/011925.html
http://lists.centos.org/pipermail/centos-announce/2005-July/011926.html
http://lists.centos.org/pipermail/centos-announce/2005-July/011931.html
Affected packages:
krb5, krb5-devel, krb5-libs, krb5-server, krb5-workstation
(CentOS 3, i386, x86_64, s390 and s390x builds; versions earlier than 1.2.7-47 are affected)
Upstream details at:
https://rhn.redhat.com/errata/RHSA-2005-562.html
CVE list: CVE-2005-1689, CVE-2005-0488, CVE-2005-1175, CVE-2004-0175
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
Published: 2005-07-12T23:06:13; modified: 2005-07-14T18:12:54
References:
http://iki.fi/upi/
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
https://rhn.redhat.com/errata/RHSA-2005-562.html
Related entries from the linked vulnerability databases:

CVE records:
CVE-2005-1689 (published 2005-07-18, CVSS 7.5, AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/): Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1689
CVE-2005-0488 (published 2005-06-14, CVSS 5.0, AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/): Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0488
CVE-2005-1175 (published 2005-07-18, CVSS 7.5, AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/): Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1175
CVE-2004-0175 (published 2004-08-18, CVSS 4.3, AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/): Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0175

Nessus plugins (all covering CVE-2005-1689):
HPUX_PHSS_33389.NASL: HP-UX PHSS_33389 : HP-UX Kerberos Client Remote Unauthenticated Execution of Arbitrary Code (HPSBUX02152 SSRT5973 rev.1), https://www.tenable.com/plugins/index.php?view=single&id=22462
HPUX_PHSS_33384.NASL: HP-UX PHSS_33384 : HP-UX Kerberos Client Remote Unauthenticated Execution of Arbitrary Code (HPSBUX02152 SSRT5973 rev.1), https://www.tenable.com/plugins/index.php?view=single&id=22461
SOLARIS8_112237.NASL: Solaris 8 (sparc) : 112237-16, https://www.tenable.com/plugins/index.php?view=single&id=13387
SOLARIS8_X86_112238.NASL: Solaris 8 (x86) : 112238-15, https://www.tenable.com/plugins/index.php?view=single&id=13488
SOLARIS8_112390.NASL: Solaris 8 (sparc) : 112390-14, https://www.tenable.com/plugins/index.php?view=single&id=13388
SOLARIS8_X86_112240.NASL: Solaris 8 (x86) : 112240-13, https://www.tenable.com/plugins/index.php?view=single&id=13489
SOLARIS10_120469.NASL: Solaris 10 (sparc) : 120469-07, https://www.tenable.com/plugins/index.php?view=single&id=19369
SOLARIS10_X86_120470.NASL: Solaris 10 (x86) : 120470-02, https://www.tenable.com/plugins/index.php?view=single&id=19372
FEDORA_2005-552.NASL: Fedora Core 3 : krb5-1.3.6-7 (2005-552), https://www.tenable.com/plugins/index.php?view=single&id=18684
FEDORA_2005-553.NASL: Fedora Core 4 : krb5-1.4.1-5 (2005-553), https://www.tenable.com/plugins/index.php?view=single&id=18685
The two Fedora advisories add two points the CentOS text does not make: Fedora Core 3 and 4 contain checks within glibc that detect double-free flaws, so on those releases successful exploitation of the krb5_recvauth() issue can only lead to a denial of service (KDC crash); and Daniel Wachdorf also discovered that, in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory, which could allow a remote attacker to cause a denial of service (KDC crash) (CVE-2005-1174).

OSVDB entries:
OSVDB:17841: MIT Kerberos kpropd krb5_recvauth Double Free Command Execution (CVE-2005-1689), https://vulners.com/osvdb/OSVDB:17841. References include MITKRB5-SA-2005-003 (http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-003-recvauth.txt), MITKRB5-SA-2005-002 (http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-002-kdc.txt), RHSA-2005:567, DSA-757 (http://www.debian.org/security/2005/dsa-757), DSA-773, USN-224-1, GLSA 200507-11, MDKSA-2005:119, Security Tracker 1014461 and CERT VU 623332.
OSVDB:17303: Multiple Vendor Telnet Client NEW-ENVIRON Variable Information Disclosure (CVE-2005-0488, CVE-2005-1205), https://vulners.com/osvdb/OSVDB:17303. References include RHSA-2005:504, Microsoft Security Bulletin MS05-033 (Knowledge Base Article 896428), the iDefense advisory (http://www.idefense.com/application/poi/display?id=260&type=vulnerabilities), Security Tracker 1014203 and CERT VU 800829.
OSVDB:17843: Kerberos Key Distribution Center (KDC) krb5_unparse_name Overflow, https://vulners.com/osvdb/OSVDB:17843. References include DSA-757, IBM IY85474 (http://www-1.ibm.com/support/docview.wss?uid=swg1IY85474), Apple article 302163 (http://docs.info.apple.com/article.html?artnum=302163) and Security Tracker 1014460.
1001065](https://vulners.com/osvdb/OSVDB:1001065)\n[Related OSVDB ID: 17842](https://vulners.com/osvdb/OSVDB:17842)\nRedHat RHSA: RHSA-2005:567\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2005-Jul/0004.html\nOther Advisory URL: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-002-kdc.txt\nOther Advisory URL: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-003-recvauth.txt\nOther Advisory URL: http://www.debian.org/security/2005/dsa-773\nOther Advisory URL: http://www.ubuntulinux.org/usn/usn-224-1\nOther Advisory URL: http://lists.trustix.org/pipermail/tsl-announce/2005-July/000330.html\nOther Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20051002-01-U.asc\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200507-11.xml\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101809-1\nOther Advisory URL: http://frontal1.mandriva.com/security/advisories?name=MDKSA-2005:119\nOther Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000993\nGeneric Informational URL: http://news.com.com/Apple+unloads+dozens+of+fixes+for+OS+X/2100-1002_3-5834873.html\n[CVE-2005-1175](https://vulners.com/cve/CVE-2005-1175)\nCERT VU: 885830\n", "published": "2005-07-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:17843", "cvelist": ["CVE-2005-1175"], "lastseen": "2017-04-28T13:20:14"}, {"id": "OSVDB:9550", "type": "osvdb", "title": "OpenSSH scp Traversal Arbitrary File Overwrite", "description": "## Vulnerability Description\nOpenSSH contains a flaw that may allow a context-dependent attacker to overwrite arbitrary files on a remote system. 
The issue is due to the scp utility not properly sanitizing file copy requests which could allow a remote server to overwrite arbitrary files on the target system.\n## Solution Description\nUpgrade to version 3.4p1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nOpenSSH contains a flaw that may allow a context-dependent attacker to overwrite arbitrary files on a remote system. The issue is due to the scp utility not properly sanitizing file copy requests which could allow a remote server to overwrite arbitrary files on the target system.\n## References:\nVendor Specific News/Changelog Entry: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120147\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20041101-01-P.asc)\n[Vendor Specific Advisory URL](http://frontal1.mandriva.com/security/advisories?name=MDKSA-2005:100)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2005-167.pdf)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt)\n[Vendor Specific Advisory URL](https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120147)\n[Vendor Specific Advisory URL](http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000831)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2004_09_kernel.html)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.11/SCOSA-2006.11.txt)\n[Vendor Specific Advisory URL](http://www.juniper.net/support/security/alerts/adv59739.txt)\nSecurity Tracker: 1011193\nSecurity Tracker: 1011144\n[Secunia Advisory ID:17135](https://secuniaresearch.flexerasoftware.com/advisories/17135/)\n[Secunia Advisory ID:19243](https://secuniaresearch.flexerasoftware.com/advisories/19243/)\n[Secunia Advisory 
ID:15414](https://secuniaresearch.flexerasoftware.com/advisories/15414/)\n[Secunia Advisory ID:15418](https://secuniaresearch.flexerasoftware.com/advisories/15418/)\n[Secunia Advisory ID:15920](https://secuniaresearch.flexerasoftware.com/advisories/15920/)\n[Secunia Advisory ID:17645](https://secuniaresearch.flexerasoftware.com/advisories/17645/)\n[Secunia Advisory ID:12450](https://secuniaresearch.flexerasoftware.com/advisories/12450/)\n[Secunia Advisory ID:16034](https://secuniaresearch.flexerasoftware.com/advisories/16034/)\n[Secunia Advisory ID:16622](https://secuniaresearch.flexerasoftware.com/advisories/16622/)\n[Secunia Advisory ID:16057](https://secuniaresearch.flexerasoftware.com/advisories/16057/)\n[Secunia Advisory ID:16054](https://secuniaresearch.flexerasoftware.com/advisories/16054/)\nRedHat RHSA: RHSA-2005:567\nOther Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2005:100\nOther Advisory URL: http://www.trustix.org/errata/2005/0031/\nOther Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20051002-01-U.asc\nOther Advisory URL: http://www.juniper.net/support/security/alerts/adv59739.txt\nOther Advisory URL: http://rhn.redhat.com/errata/RHSA-2005-106.html\nOther Advisory URL: http://rhn.redhat.com/errata/RHSA-2005-074.html\nKeyword: SCOSA-2005.49\nISS X-Force ID: 16323\n[CVE-2004-0175](https://vulners.com/cve/CVE-2004-0175)\nBugtraq ID: 9986\n", "published": "2004-04-06T07:31:22", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:9550", "cvelist": ["CVE-2004-0175"], "lastseen": "2017-04-28T13:20:04"}], "openvas": [{"id": "OPENVAS:54373", "type": "openvas", "title": "Debian Security Advisory DSA 757-1 (krb5)", "description": "The remote host is missing an update to krb5\nannounced via advisory DSA 757-1.\n\nDaniel Wachdorf reported two problems in the MIT krb5 distribution used\nfor network authentication. 
First, the KDC program from the krb5-kdc\npackage can corrupt the heap by trying to free memory which has already\nbeen freed on receipt of a certain TCP connection. This vulnerability\ncan cause the KDC to crash, leading to a denial of service.\n[CVE-2005-1174] Second, under certain rare circumstances this type of\nrequest can lead to a buffer overflow and remote code execution.\n[CVE-2005-1175]\n\nAdditionally, Magnus Hagander reported another problem in which the\nkrb5_recvauth function can in certain circumstances free previously\nfreed memory, potentially leading to the execution of remote code.\n[CVE-2005-1689]\n\nAll of these vulnerabilities are believed difficult to exploit, and no\nexploits have yet been discovered.\n\nFor the old stable distribution (woody), these problems have been fixed\nin version 1.2.4-5woody10. Note that woody's KDC does not have TCP\nsupport and is not vulnerable to CVE-2005-1174.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=54373", "cvelist": ["CVE-2005-1689", "CVE-2005-1174", "CVE-2005-1175"], "lastseen": "2017-07-24T12:50:25"}, {"id": "OPENVAS:54987", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200507-11 (mit-krb5)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200507-11.", "published": "2008-09-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=54987", "cvelist": ["CVE-2005-1689", "CVE-2005-1174", "CVE-2005-1175"], "lastseen": "2017-07-24T12:50:23"}, {"id": "OPENVAS:855537", "type": "openvas", "title": "Solaris Update for telnet 110668-05", "description": "Check for the Version of telnet", "published": "2009-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": 
"http://plugins.openvas.org/nasl.php?oid=855537", "cvelist": ["CVE-2005-0469", "CVE-2005-0488", "CVE-2005-0468"], "lastseen": "2017-07-02T21:14:04"}, {"id": "OPENVAS:1361412562310855072", "type": "openvas", "title": "Solaris Update for telnet 110669-05", "description": "Check for the Version of telnet", "published": "2009-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855072", "cvelist": ["CVE-2005-0469", "CVE-2005-0488", "CVE-2005-0468"], "lastseen": "2018-04-09T11:38:49"}, {"id": "OPENVAS:1361412562310855053", "type": "openvas", "title": "Solaris Update for telnet 119434-01", "description": "Check for the Version of telnet", "published": "2009-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855053", "cvelist": ["CVE-2005-0469", "CVE-2005-0488", "CVE-2005-0468"], "lastseen": "2018-04-09T11:39:22"}, {"id": "OPENVAS:1361412562310855537", "type": "openvas", "title": "Solaris Update for telnet 110668-05", "description": "Check for the Version of telnet", "published": "2009-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855537", "cvelist": ["CVE-2005-0469", "CVE-2005-0488", "CVE-2005-0468"], "lastseen": "2018-04-09T11:40:20"}, {"id": "OPENVAS:855053", "type": "openvas", "title": "Solaris Update for telnet 119434-01", "description": "Check for the Version of telnet", "published": "2009-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=855053", "cvelist": ["CVE-2005-0469", "CVE-2005-0488", "CVE-2005-0468"], "lastseen": "2017-07-02T21:13:55"}, {"id": "OPENVAS:855072", "type": "openvas", 
"title": "Solaris Update for telnet 110669-05", "description": "Check for the Version of telnet", "published": "2009-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=855072", "cvelist": ["CVE-2005-0469", "CVE-2005-0488", "CVE-2005-0468"], "lastseen": "2017-07-02T21:13:49"}, {"id": "OPENVAS:855256", "type": "openvas", "title": "Solaris Update for telnet 119433-01", "description": "Check for the Version of telnet", "published": "2009-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=855256", "cvelist": ["CVE-2005-0469", "CVE-2005-0488", "CVE-2005-0468"], "lastseen": "2017-07-02T21:13:46"}, {"id": "OPENVAS:1361412562310855256", "type": "openvas", "title": "Solaris Update for telnet 119433-01", "description": "Check for the Version of telnet", "published": "2009-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855256", "cvelist": ["CVE-2005-0469", "CVE-2005-0488", "CVE-2005-0468"], "lastseen": "2018-04-09T11:38:26"}], "debian": [{"id": "DSA-757", "type": "debian", "title": "krb5 -- buffer overflow, double-free memory", "description": "Daniel Wachdorf reported two problems in the MIT krb5 distribution used for network authentication. First, the KDC program from the krb5-kdc package can corrupt the heap by trying to free memory which has already been freed on receipt of a certain TCP connection. This vulnerability can cause the KDC to crash, leading to a denial of service. [[CAN-2005-1174](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174>)] Second, under certain rare circumstances this type of request can lead to a buffer overflow and remote code execution. 
[[CAN-2005-1175](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175>)] \n\nAdditionally, Magnus Hagander reported another problem in which the krb5_recvauth function can in certain circumstances free previously freed memory, potentially leading to the execution of remote code. [[CAN-2005-1689](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689>)] \n\nAll of these vulnerabilities are believed difficult to exploit, and no exploits have yet been discovered.\n\nFor the old stable distribution (woody), these problems have been fixed in version 1.2.4-5woody10. Note that woody's KDC does not have TCP support and is not vulnerable to [CAN-2005-1174](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174>).\n\nFor the stable distribution (sarge), these problems have been fixed in version 1.3.6-2sarge2.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1.3.6-4.\n\nWe recommend that you upgrade your krb5 package.", "published": "2005-07-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-757", "cvelist": ["CVE-2005-1689", "CVE-2005-1174", "CVE-2005-1175"], "lastseen": "2016-09-02T18:19:19"}], "gentoo": [{"id": "GLSA-200507-11", "type": "gentoo", "title": "MIT Kerberos 5: Multiple vulnerabilities", "description": "### Background\n\nMIT Kerberos 5 is the free implementation of the Kerberos network authentication protocol by the Massachusetts Institute of Technology. \n\n### Description\n\nDaniel Wachdorf discovered that MIT Kerberos 5 could corrupt the heap by freeing unallocated memory when receiving a special TCP request (CAN-2005-1174). He also discovered that the same request could lead to a single-byte heap overflow (CAN-2005-1175). Magnus Hagander discovered that krb5_recvauth() function of MIT Kerberos 5 might try to double-free memory (CAN-2005-1689). 
\n\n### Impact\n\nAlthough exploitation is considered difficult, a remote attacker could exploit the single-byte heap overflow and the double-free vulnerability to execute arbitrary code, which could lead to the compromise of the whole Kerberos realm. A remote attacker could also use the heap corruption to cause a Denial of Service. \n\n### Workaround\n\nThere are no known workarounds at this time. \n\n### Resolution\n\nAll MIT Kerberos 5 users should upgrade to the latest available version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-crypt/mit-krb5-1.4.1-r1\"", "published": "2005-07-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/200507-11", "cvelist": ["CVE-2005-1689", "CVE-2005-1174", "CVE-2005-1175"], "lastseen": "2016-09-06T19:46:57"}], "redhat": [{"id": "RHSA-2005:567", "type": "redhat", "title": "(RHSA-2005:567) krb5 security update", "description": "Kerberos is a networked authentication system that uses a trusted third\r\nparty (a KDC) to authenticate clients and servers to each other.\r\n\r\nA double-free flaw was found in the krb5_recvauth() routine which may be\r\ntriggered by a remote unauthenticated attacker. Red Hat Enterprise Linux 4\r\ncontains checks within glibc that detect double-free flaws. Therefore, on\r\nRed Hat Enterprise Linux 4 successful exploitation of this issue can only\r\nlead to a denial of service (KDC crash). The Common Vulnerabilities and\r\nExposures project assigned the name CAN-2005-1689 to this issue.\r\n\r\nDaniel Wachdorf discovered a single byte heap overflow in the\r\nkrb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of\r\nthis flaw would lead to a denial of service (crash). 
To trigger this flaw\r\nan attacker would need to have control of a kerberos realm that shares a\r\ncross-realm key with the target, making exploitation of this flaw unlikely.\r\n(CAN-2005-1175).\r\n\r\nDaniel Wachdorf also discovered that in error conditions that may occur in\r\nresponse to correctly-formatted client requests, the Kerberos 5 KDC may\r\nattempt to free uninitialized memory. This could allow a remote attacker\r\nto cause a denial of service (KDC crash) (CAN-2005-1174).\r\n\r\nGa\u00ebl Delalleau discovered an information disclosure issue in the way\r\nsome telnet clients handle messages from a server. An attacker could\r\nconstruct a malicious telnet server that collects information from the\r\nenvironment of any victim who connects to it using the Kerberos-aware\r\ntelnet client (CAN-2005-0488).\r\n\r\nThe rcp protocol allows a server to instruct a client to write to arbitrary\r\nfiles outside of the current directory. This could potentially cause a\r\nsecurity issue if a user uses the Kerberos-aware rcp to copy files from a\r\nmalicious server (CAN-2004-0175).\r\n\r\nAll users of krb5 should update to these erratum packages, which contain\r\nbackported patches to correct these issues. 
Red Hat would like to thank\r\nthe MIT Kerberos Development Team for their responsible disclosure of these\r\nissues.", "published": "2005-07-12T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2005:567", "cvelist": ["CVE-2004-0175", "CVE-2005-0488", "CVE-2005-1174", "CVE-2005-1175", "CVE-2005-1689"], "lastseen": "2017-09-09T07:20:30"}, {"id": "RHSA-2005:562", "type": "redhat", "title": "(RHSA-2005:562) krb5 security update", "description": "Kerberos is a networked authentication system which uses a trusted third\r\nparty (a KDC) to authenticate clients and servers to each other.\r\n\r\nA double-free flaw was found in the krb5_recvauth() routine which may be\r\ntriggered by a remote unauthenticated attacker. Although no exploit is\r\ncurrently known to exist, this issue could potentially be exploited to\r\nallow arbitrary code execution on a Key Distribution Center (KDC). The\r\nCommon Vulnerabilities and Exposures project assigned the name\r\nCAN-2005-1689 to this issue. \r\n\r\nDaniel Wachdorf discovered a single byte heap overflow in the\r\nkrb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of\r\nthis flaw would lead to a denial of service (crash). To trigger this flaw\r\nan attacker would need to have control of a kerberos realm that shares a\r\ncross-realm key with the target, making exploitation of this flaw unlikely.\r\n(CAN-2005-1175). \r\n\r\nGa\u00ebl Delalleau discovered an information disclosure issue in the way\r\nsome telnet clients handle messages from a server. An attacker could\r\nconstruct a malicious telnet server that collects information from the\r\nenvironment of any victim who connects to it using the Kerberos-aware\r\ntelnet client (CAN-2005-0488).\r\n\r\nThe rcp protocol allows a server to instruct a client to write to arbitrary\r\nfiles outside of the current directory. 
This could potentially cause a\r\nsecurity issue if a user uses the Kerberos-aware rcp to copy files from a\r\nmalicious server (CAN-2004-0175). \r\n\r\nAll users of krb5 should update to these erratum packages which contain\r\nbackported patches to correct these issues. Red Hat would like to thank\r\nthe MIT Kerberos Development Team for their responsible disclosure of these\r\nissues.", "published": "2005-07-12T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2005:562", "cvelist": ["CVE-2004-0175", "CVE-2005-0488", "CVE-2005-1175", "CVE-2005-1689"], "lastseen": "2018-03-28T01:01:16"}, {"id": "RHSA-2005:504", "type": "redhat", "title": "(RHSA-2005:504) telnet security update", "description": "The telnet package provides a command line telnet client. \r\n\r\nGael Delalleau discovered an information disclosure issue in the way the\r\ntelnet client handles messages from a server. An attacker could construct\r\na malicious telnet server that collects information from the environment of\r\nany victim who connects to it. The Common Vulnerabilities and Exposures\r\nproject (cve.mitre.org) has assigned the name CAN-2005-0488 to this issue.\r\n\r\nUsers of telnet should upgrade to this updated package, which contains a\r\nbackported patch to correct this issue.", "published": "2005-06-14T04:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2005:504", "cvelist": ["CVE-2005-0488"], "lastseen": "2018-03-14T15:43:51"}, {"id": "RHSA-2005:106", "type": "redhat", "title": "(RHSA-2005:106) openssh security update", "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH\nreplaces rlogin and rsh, and provides secure encrypted communications\nbetween two untrusted hosts over an insecure network. 
X11 connections and\narbitrary TCP/IP ports can also be forwarded over a secure channel. Public\nkey authentication can be used for \"passwordless\" access to servers.\n\nThe scp protocol allows a server to instruct a client to write to arbitrary\nfiles outside of the current directory. This could potentially cause a\nsecurity issue if a user uses scp to copy files from a malicious server.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2004-0175 to this issue.\n\nThese updated packages also correct the following bugs:\n\nOn systems where direct ssh access for the root user was disabled by\nconfiguration (setting \"PermitRootLogin no\"), attempts to guess the root\npassword could be judged as sucessful or unsucessful by observing a delay.\n\nOn systems where the privilege separation feature was turned on, the user\nresource limits were not correctly set if the configuration specified to\nraise them above the defaults. It was also not possible to change an\nexpired password.\n\nUsers of openssh should upgrade to these updated packages, which contain\nbackported patches to resolve these issues.", "published": "2005-05-18T04:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2005:106", "cvelist": ["CVE-2004-0175"], "lastseen": "2017-08-02T22:57:48"}, {"id": "RHSA-2005:495", "type": "redhat", "title": "(RHSA-2005:495) rsh security update", "description": "The rsh package contains a set of programs that allow users to run\r\ncommands on remote machines, login to other machines, and copy files\r\nbetween machines, using the rsh, rlogin, and rcp commands. All three of\r\nthese commands use rhosts-style authentication.\r\n\r\nThe rcp protocol allows a server to instruct a client to write to arbitrary\r\nfiles outside of the current directory. 
This could potentially cause a\r\nsecurity issue if a user uses rcp to copy files from a malicious server. \r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\nassigned the name CAN-2004-0175 to this issue.\r\n\r\nAll users of rsh should upgrade to these updated packages, which resolve\r\nthese issues.", "published": "2005-06-13T04:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2005:495", "cvelist": ["CVE-2004-0175"], "lastseen": "2018-03-15T06:37:24"}, {"id": "RHSA-2005:481", "type": "redhat", "title": "(RHSA-2005:481) openssh security update", "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH\r\nreplaces rlogin and rsh, and provides secure encrypted communications\r\nbetween two untrusted hosts over an insecure network. X11 connections and\r\narbitrary TCP/IP ports can also be forwarded over a secure channel. Public\r\nkey authentication can be used for \"passwordless\" access to servers.\r\n\r\nThe scp protocol allows a server to instruct a client to write to arbitrary\r\nfiles outside of the current directory. 
This could potentially cause a\r\nsecurity issue if a user uses scp to copy files from a malicious server.\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\nassigned the name CAN-2004-0175 to this issue.\r\n\r\nThese updated packages also correct the following bug:\r\n\r\nOn systems in which direct ssh access for the root user was disabled by\r\nconfiguration (setting \"PermitRootLogin no\"), attempts to guess the root\r\npassword could be judged as sucessful or unsucessful by observing a delay.\r\n\r\nUsers of openssh should upgrade to these updated packages, which contain\r\nbackported patches to resolve these issues.", "published": "2005-06-02T04:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2005:481", "cvelist": ["CVE-2004-0175"], "lastseen": "2018-03-28T01:00:59"}, {"id": "RHSA-2005:165", "type": "redhat", "title": "(RHSA-2005:165) rsh security update", "description": "The rsh package contains a set of programs that allow users to run\ncommands on remote machines, login to other machines, and copy files\nbetween machines, using the rsh, rlogin, and rcp commands. All three of\nthese commands use rhosts-style authentication.\n\nThe rcp protocol allows a server to instruct a client to write to arbitrary\nfiles outside of the current directory. 
This could potentially cause a\nsecurity issue if a user uses rcp to copy files from a malicious server.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2004-0175 to this issue.\n\nThese updated packages also address the following bugs:\n\nThe rlogind server reported \"SIGCHLD set to SIG_IGN but calls wait()\"\nmessage to the system log because the original BSD code was ported\nincorrectly to linux.\n\nThe rexecd server did not function on systems where client hostnames were\nnot in the DNS service, because server code called gethostbyaddr() for each\nnew connection.\n\nThe rcp command incorrectly used the \"errno\" variable and produced\nerroneous error messages.\n\nThe rexecd command ignored settings in the /etc/security/limits file,\nbecause the PAM session was incorrectly initialized.\n\nAll users of rsh should upgrade to these updated packages, which resolve\nthese issues.", "published": "2005-06-08T04:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2005:165", "cvelist": ["CVE-2004-0175"], "lastseen": "2017-09-09T07:19:50"}, {"id": "RHSA-2005:074", "type": "redhat", "title": "(RHSA-2005:074) rsh security update", "description": "The rsh package contains a set of programs that allow users to run\ncommands on remote machines, login to other machines, and copy files\nbetween machines, using the rsh, rlogin, and rcp commands. All three of\nthese commands use rhosts-style authentication.\n\nThe rcp protocol allows a server to instruct a client to write to arbitrary\nfiles outside of the current directory. This could potentially cause a\nsecurity issue if a user uses rcp to copy files from a malicious server. 
\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2004-0175 to this issue.\n\nThese updated packages also address the following bugs:\n\nThe rexec command failed with \"Invalid Argument\", because the code\nused sigaction() as an unsupported signal.\n\nThe rlogind server reported \"SIGCHLD set to SIG_IGN but calls wait()\"\nmessage to the system log because the original BSD code was ported\nincorrectly to linux.\n\nThe rexecd server did not function on systems where client hostnames were\nnot in the DNS service, because server code called gethostbyaddr() for each\nnew connection.\n\nThe rcp command incorrectly used the \"errno\" variable and produced\nerroneous error messages.\n\nThe rexecd command ignored settings in the /etc/security/limits file,\nbecause the PAM session was incorrectly initialized.\n\nThe rexec command prompted for username and password regardless of the\n~/.netrc configuration file contents. This updated package contains a patch\nthat no longer skips the ~/.netrc file. \n\nAll users of rsh should upgrade to these updated packages, which resolve\nthese issues.", "published": "2005-05-18T04:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2005:074", "cvelist": ["CVE-2004-0175"], "lastseen": "2017-08-02T22:57:29"}], "centos": [{"id": "CESA-2005:562-01", "type": "centos", "title": "krb5 security update", "description": "**CentOS Errata and Security Advisory** CESA-2005:562-01\n\n\nKerberos is a networked authentication system which uses a trusted third\r\nparty (a KDC) to authenticate clients and servers to each other.\r\n\r\nA double-free flaw was found in the krb5_recvauth() routine which may be\r\ntriggered by a remote unauthenticated attacker. 
Although no exploit is\r\ncurrently known to exist, this issue could potentially be exploited to\r\nallow arbitrary code execution on a Key Distribution Center (KDC). The\r\nCommon Vulnerabilities and Exposures project assigned the name\r\nCAN-2005-1689 to this issue. \r\n\r\nDaniel Wachdorf discovered a single byte heap overflow in the\r\nkrb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of\r\nthis flaw would lead to a denial of service (crash). To trigger this flaw\r\nan attacker would need to have control of a kerberos realm that shares a\r\ncross-realm key with the target, making exploitation of this flaw unlikely.\r\n(CAN-2005-1175). \r\n\r\nGa\u00ebl Delalleau discovered an information disclosure issue in the way\r\nsome telnet clients handle messages from a server. An attacker could\r\nconstruct a malicious telnet server that collects information from the\r\nenvironment of any victim who connects to it using the Kerberos-aware\r\ntelnet client (CAN-2005-0488).\r\n\r\nThe rcp protocol allows a server to instruct a client to write to arbitrary\r\nfiles outside of the current directory. This could potentially cause a\r\nsecurity issue if a user uses the Kerberos-aware rcp to copy files from a\r\nmalicious server (CAN-2004-0175). \r\n\r\nAll users of krb5 should update to these erratum packages which contain\r\nbackported patches to correct these issues. 
Red Hat would like to thank\r\nthe MIT Kerberos Development Team for their responsible disclosure of these\r\nissues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-July/011936.html\n\n**Affected packages:**\nkrb5-devel\nkrb5-libs\nkrb5-server\nkrb5-workstation\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "published": "2005-07-18T23:04:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2005-July/011936.html", "cvelist": ["CVE-2005-1689", "CVE-2005-0488", "CVE-2005-1175", "CVE-2004-0175"], "lastseen": "2017-10-12T14:46:11"}, {"id": "CESA-2005:567", "type": "centos", "title": "krb5 security update", "description": "**CentOS Errata and Security Advisory** CESA-2005:567\n\n\nKerberos is a networked authentication system that uses a trusted third\r\nparty (a KDC) to authenticate clients and servers to each other.\r\n\r\nA double-free flaw was found in the krb5_recvauth() routine which may be\r\ntriggered by a remote unauthenticated attacker. Red Hat Enterprise Linux 4\r\ncontains checks within glibc that detect double-free flaws. Therefore, on\r\nRed Hat Enterprise Linux 4 successful exploitation of this issue can only\r\nlead to a denial of service (KDC crash). The Common Vulnerabilities and\r\nExposures project assigned the name CAN-2005-1689 to this issue.\r\n\r\nDaniel Wachdorf discovered a single byte heap overflow in the\r\nkrb5_unparse_name() function, part of krb5-libs. Successful exploitation of\r\nthis flaw would lead to a denial of service (crash). 
To trigger this flaw\r\nan attacker would need to have control of a kerberos realm that shares a\r\ncross-realm key with the target, making exploitation of this flaw unlikely.\r\n(CAN-2005-1175).\r\n\r\nDaniel Wachdorf also discovered that in error conditions that may occur in\r\nresponse to correctly-formatted client requests, the Kerberos 5 KDC may\r\nattempt to free uninitialized memory. This could allow a remote attacker\r\nto cause a denial of service (KDC crash) (CAN-2005-1174).\r\n\r\nGa\u00ebl Delalleau discovered an information disclosure issue in the way\r\nsome telnet clients handle messages from a server. An attacker could\r\nconstruct a malicious telnet server that collects information from the\r\nenvironment of any victim who connects to it using the Kerberos-aware\r\ntelnet client (CAN-2005-0488).\r\n\r\nThe rcp protocol allows a server to instruct a client to write to arbitrary\r\nfiles outside of the current directory. This could potentially cause a\r\nsecurity issue if a user uses the Kerberos-aware rcp to copy files from a\r\nmalicious server (CAN-2004-0175).\r\n\r\nAll users of krb5 should update to these erratum packages, which contain\r\nbackported patches to correct these issues. 
Red Hat would like to thank\r\nthe MIT Kerberos Development Team for their responsible disclosure of these\r\nissues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-July/011927.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-July/011928.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-July/011929.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-July/011930.html\n\n**Affected packages:**\nkrb5\nkrb5-devel\nkrb5-libs\nkrb5-server\nkrb5-workstation\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2005-562.html\nhttps://rhn.redhat.com/errata/RHSA-2005-567.html", "published": "2005-07-13T00:28:39", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2005-July/011927.html", "cvelist": ["CVE-2005-1689", "CVE-2005-1174", "CVE-2005-0488", "CVE-2005-1175", "CVE-2004-0175"], "lastseen": "2017-10-12T14:45:54"}, {"id": "CESA-2005:504-00", "type": "centos", "title": "telnet security update", "description": "**CentOS Errata and Security Advisory** CESA-2005:504-00\n\n\nThe telnet package provides a command line telnet client. \r\n\r\nGael Delalleau discovered an information disclosure issue in the way the\r\ntelnet client handles messages from a server. An attacker could construct\r\na malicious telnet server that collects information from the environment of\r\nany victim who connects to it. 
The Common Vulnerabilities and Exposures\r\nproject (cve.mitre.org) has assigned the name CAN-2005-0488 to this issue.\r\n\r\nUsers of telnet should upgrade to this updated package, which contains a\r\nbackported patch to correct this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011871.html\n\n**Affected packages:**\ntelnet\ntelnet-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "published": "2005-06-14T23:05:19", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2005-June/011871.html", "cvelist": ["CVE-2005-0488"], "lastseen": "2017-10-12T14:46:28"}, {"id": "CESA-2005:504", "type": "centos", "title": "telnet security update", "description": "**CentOS Errata and Security Advisory** CESA-2005:504\n\n\nThe telnet package provides a command line telnet client. \r\n\r\nGael Delalleau discovered an information disclosure issue in the way the\r\ntelnet client handles messages from a server. An attacker could construct\r\na malicious telnet server that collects information from the environment of\r\nany victim who connects to it. 
The Common Vulnerabilities and Exposures\r\nproject (cve.mitre.org) has assigned the name CAN-2005-0488 to this issue.\r\n\r\nUsers of telnet should upgrade to this updated package, which contains a\r\nbackported patch to correct this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011858.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011860.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011861.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011864.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011865.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011867.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011869.html\n\n**Affected packages:**\ntelnet\ntelnet-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2005-504.html", "published": "2005-06-14T20:30:21", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2005-June/011858.html", "cvelist": ["CVE-2005-0488"], "lastseen": "2017-10-12T14:45:04"}, {"id": "CESA-2005:481-01", "type": "centos", "title": "openssh security update", "description": "**CentOS Errata and Security Advisory** CESA-2005:481-01\n\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH\r\nreplaces rlogin and rsh, and provides secure encrypted communications\r\nbetween two untrusted hosts over an insecure network. X11 connections and\r\narbitrary TCP/IP ports can also be forwarded over a secure channel. Public\r\nkey authentication can be used for \"passwordless\" access to servers.\r\n\r\nThe scp protocol allows a server to instruct a client to write to arbitrary\r\nfiles outside of the current directory. 
This could potentially cause a\r\nsecurity issue if a user uses scp to copy files from a malicious server.\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\nassigned the name CAN-2004-0175 to this issue.\r\n\r\nThese updated packages also correct the following bug:\r\n\r\nOn systems in which direct ssh access for the root user was disabled by\r\nconfiguration (setting \"PermitRootLogin no\"), attempts to guess the root\r\npassword could be judged as successful or unsuccessful by observing a delay.\r\n\r\nUsers of openssh should upgrade to these updated packages, which contain\r\nbackported patches to resolve these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011796.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-askpass-gnome\nopenssh-clients\nopenssh-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "published": "2005-06-05T22:53:04", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2005-June/011796.html", "cvelist": ["CVE-2004-0175"], "lastseen": "2018-01-25T13:03:16"}, {"id": "CESA-2005:106", "type": "centos", "title": "openssh security update", "description": "**CentOS Errata and Security Advisory** CESA-2005:106\n\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH\nreplaces rlogin and rsh, and provides secure encrypted communications\nbetween two untrusted hosts over an insecure network. X11 connections and\narbitrary TCP/IP ports can also be forwarded over a secure channel. Public\nkey authentication can be used for \"passwordless\" access to servers.\n\nThe scp protocol allows a server to instruct a client to write to arbitrary\nfiles outside of the current directory. 
This could potentially cause a\nsecurity issue if a user uses scp to copy files from a malicious server.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2004-0175 to this issue.\n\nThese updated packages also correct the following bugs:\n\nOn systems where direct ssh access for the root user was disabled by\nconfiguration (setting \"PermitRootLogin no\"), attempts to guess the root\npassword could be judged as successful or unsuccessful by observing a delay.\n\nOn systems where the privilege separation feature was turned on, the user\nresource limits were not correctly set if the configuration specified to\nraise them above the defaults. It was also not possible to change an\nexpired password.\n\nUsers of openssh should upgrade to these updated packages, which contain\nbackported patches to resolve these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-May/011674.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-May/011680.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-May/011722.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-May/011723.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-May/011731.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-May/011732.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-askpass-gnome\nopenssh-clients\nopenssh-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2005-106.html", "published": "2005-05-18T18:00:09", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2005-May/011674.html", "cvelist": ["CVE-2004-0175"], "lastseen": "2017-10-12T14:46:01"}, {"id": "CESA-2005:495-01", "type": "centos", "title": "rsh security update", "description": "**CentOS Errata and Security Advisory** CESA-2005:495-01\n\n\nThe rsh package contains a set of 
programs that allow users to run\r\ncommands on remote machines, login to other machines, and copy files\r\nbetween machines, using the rsh, rlogin, and rcp commands. All three of\r\nthese commands use rhosts-style authentication.\r\n\r\nThe rcp protocol allows a server to instruct a client to write to arbitrary\r\nfiles outside of the current directory. This could potentially cause a\r\nsecurity issue if a user uses rcp to copy files from a malicious server. \r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\nassigned the name CAN-2004-0175 to this issue.\r\n\r\nAll users of rsh should upgrade to these updated packages, which resolve\r\nthese issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011853.html\n\n**Affected packages:**\nrsh\nrsh-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "published": "2005-06-13T22:49:37", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2005-June/011853.html", "cvelist": ["CVE-2004-0175"], "lastseen": "2018-01-25T07:01:00"}, {"id": "CESA-2005:074", "type": "centos", "title": "rsh security update", "description": "**CentOS Errata and Security Advisory** CESA-2005:074\n\n\nThe rsh package contains a set of programs that allow users to run\ncommands on remote machines, login to other machines, and copy files\nbetween machines, using the rsh, rlogin, and rcp commands. All three of\nthese commands use rhosts-style authentication.\n\nThe rcp protocol allows a server to instruct a client to write to arbitrary\nfiles outside of the current directory. This could potentially cause a\nsecurity issue if a user uses rcp to copy files from a malicious server. 
\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2004-0175 to this issue.\n\nThese updated packages also address the following bugs:\n\nThe rexec command failed with \"Invalid Argument\", because the code\nused sigaction() as an unsupported signal.\n\nThe rlogind server reported a \"SIGCHLD set to SIG_IGN but calls wait()\"\nmessage to the system log because the original BSD code was ported\nincorrectly to Linux.\n\nThe rexecd server did not function on systems where client hostnames were\nnot in the DNS service, because server code called gethostbyaddr() for each\nnew connection.\n\nThe rcp command incorrectly used the \"errno\" variable and produced\nerroneous error messages.\n\nThe rexecd command ignored settings in the /etc/security/limits file,\nbecause the PAM session was incorrectly initialized.\n\nThe rexec command prompted for username and password regardless of the\n~/.netrc configuration file contents. This updated package contains a patch\nthat no longer skips the ~/.netrc file. 
\n\nAll users of rsh should upgrade to these updated packages, which resolve\nthese issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-May/011673.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-May/011679.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-May/011724.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-May/011725.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-May/011733.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-May/011734.html\n\n**Affected packages:**\nrsh\nrsh-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2005-074.html", "published": "2005-05-18T17:58:16", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2005-May/011673.html", "cvelist": ["CVE-2004-0175"], "lastseen": "2017-10-12T14:45:54"}, {"id": "CESA-2005:165", "type": "centos", "title": "rsh security update", "description": "**CentOS Errata and Security Advisory** CESA-2005:165\n\n\nThe rsh package contains a set of programs that allow users to run\ncommands on remote machines, login to other machines, and copy files\nbetween machines, using the rsh, rlogin, and rcp commands. All three of\nthese commands use rhosts-style authentication.\n\nThe rcp protocol allows a server to instruct a client to write to arbitrary\nfiles outside of the current directory. 
This could potentially cause a\nsecurity issue if a user uses rcp to copy files from a malicious server.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2004-0175 to this issue.\n\nThese updated packages also address the following bugs:\n\nThe rlogind server reported a \"SIGCHLD set to SIG_IGN but calls wait()\"\nmessage to the system log because the original BSD code was ported\nincorrectly to Linux.\n\nThe rexecd server did not function on systems where client hostnames were\nnot in the DNS service, because server code called gethostbyaddr() for each\nnew connection.\n\nThe rcp command incorrectly used the \"errno\" variable and produced\nerroneous error messages.\n\nThe rexecd command ignored settings in the /etc/security/limits file,\nbecause the PAM session was incorrectly initialized.\n\nAll users of rsh should upgrade to these updated packages, which resolve\nthese issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011799.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011801.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-June/011802.html\n\n**Affected packages:**\nrsh\nrsh-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2005-165.html", "published": "2005-06-08T17:59:42", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2005-June/011799.html", "cvelist": ["CVE-2004-0175"], "lastseen": "2017-10-12T14:46:08"}], "ubuntu": [{"id": "USN-224-1", "type": "ubuntu", "title": "Kerberos vulnerabilities", "description": "Ga\u00ebl Delalleau discovered a buffer overflow in the env_opt_add() function of the Kerberos 4 and 5 telnet clients. By sending specially crafted replies, a malicious telnet server could exploit this to execute arbitrary code with the privileges of the user running the telnet client. 
(CVE-2005-0468)\n\nGa\u00ebl Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in the telnet clients of Kerberos 4 and 5. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i.e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client. (CVE-2005-0469)\n\nDaniel Wachdorf discovered two remote vulnerabilities in the Key Distribution Center of Kerberos 5 (krb5-kdc). By sending certain TCP connection requests, a remote attacker could trigger a double-freeing of memory, which led to memory corruption and a crash of the KDC server. (CVE-2005-1174) Under rare circumstances the same type of TCP connection requests could also trigger a buffer overflow that could be exploited to run arbitrary code with the privileges of the KDC server. (CVE-2005-1175)\n\nMagnus Hagander discovered that the krb5_recvauth() function attempted to free previously freed memory in some situations. A remote attacker could possibly exploit this to run arbitrary code with the privileges of the program that called this function. Most importantly, this affects the following daemons: kpropd (from the krb5-kdc package), klogind, and kshd (both from the krb5-rsh-server package). 
(CVE-2005-1689)\n\nPlease note that these packages are not officially supported by Ubuntu (they are in the \u2018universe\u2019 component of the archive).", "published": "2005-12-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/224-1/", "cvelist": ["CVE-2005-1689", "CVE-2005-1174", "CVE-2005-0469", "CVE-2005-0468", "CVE-2005-1175"], "lastseen": "2018-03-29T18:19:35"}], "f5": [{"id": "F5:K4616", "type": "f5", "title": "BSD telnet environment vulnerability CAN-2005-0488", "description": "", "published": "2005-07-22T04:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://support.f5.com/csp/article/K4616", "cvelist": ["CVE-2005-0488"], "lastseen": "2017-10-02T23:55:18"}, {"id": "SOL4616", "type": "f5", "title": "SOL4616 - BSD telnet environment vulnerability CAN-2005-0488", "description": "", "published": "2005-07-21T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/4000/600/sol4616.html", "cvelist": ["CVE-2005-0488"], "lastseen": "2016-09-26T17:23:21"}], 
"cert": [{"id": "VU:800829", "type": "cert", "title": "Telnet Client Information Disclosure Vulnerability", "description": "### Overview\n\nA vulnerability in the handling of the NEW-ENVIRON command allows a malicious telnet server to gain information from a client's environment variables.\n\n### Description\n\nThe Telnet network protocol is described in [RFC854](<http://www.apps.ietf.org/rfc/rfc854.html>) and [RFC855](<http://www.apps.ietf.org/rfc/rfc855.html>) as a general, bi-directional communications facility. The Telnet protocol is commonly used for command-line login sessions between Internet hosts. \n\nThe vulnerability is in the NEW-ENVIRON sub-command, which is the mechanism used for passing environment information between a telnet client and server. Use of this mechanism enables a telnet user to propagate configuration information to a remote host when connecting. Please see [RFC1572](<http://www.apps.ietf.org/rfc/rfc1572.html>) for more information. As specified in section 3 of RFC1572, the expected default behavior should be \"that there will not be any exchange of environment information\". \n \nIn order to exploit this vulnerability, a malicious server can send a connected client the following telnet command: \n \n`SB NEW-ENVIRON SEND ENV_USERVAR <name of environment variable> SE \n` \nVulnerable telnet clients will send the value of the referenced environment variable. Environment variables may contain a variety of information, such as the local username, executable file search paths, locations of sensitive data, and other potentially sensitive information about the client computer. 
\n \nPlease note that telnet functionality has been embedded in many applications, not just underlying operating system distributions. \n \nThe [iDefense Security Advisory](<http://www.idefense.com/application/poi/display?id=260>) contains additional information about affected and unaffected vendors. \n \n--- \n \n### Impact\n\nAn attacker may be able to gather information about remote systems and users who connect to the attacker's malicious telnet server. An attacker would have to trick a victim into initiating a telnet connection using a vulnerable client. This may be accomplished with an HTML-rendered email or web page using the TELNET:// URI handler; however, further user interaction may be required. \n \n--- \n \n### Solution\n\n**Apply an update from your vendor**\n\nPatches, updates, and fixes should be available from multiple vendors. \n \n--- \n \n \n**Workarounds** \nDisable access to telnet, limit the use of telnet to trusted sites, and/or encourage the use of more secure remote connection clients. \n \nOn Unix systems, it might be viable to remove execute permission from telnet and other binaries that perform telnet. \n \nOn Windows systems, changing or removing the registry key entry: HKEY_CLASSES_ROOT\\telnet\\shell\\open\\command \nshould reduce the likelihood of successful automatic exploitation attempts such as those using telnet URLs. \n \nNote that these workarounds do not address the underlying vulnerability. 
\n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nMicrosoft Corporation| | -| 14 Jun 2005 \nRed Hat Inc.| | -| 28 Jul 2005 \nSun Microsystems Inc.| | -| 14 Jun 2005 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23800829 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.idefense.com/application/poi/display?id=260>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0488>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1205>\n * <http://www.apps.ietf.org/rfc/rfc1572.html>\n * <http://www.securityfocus.com/archive/1/402230>\n\n### Credit\n\nGa\u00ebl Delalleau is credited with this discovery. Thank you to iDefense for coordinating the release of information about this issue.\n\nThis document was written by Robert Mead based on information in the [iDEFENSE Security Advisory](<http://www.idefense.com/application/poi/display?id=260>)\n\n### Other Information\n\n * CVE IDs: [CAN-2005-0488](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2005-0488>)\n * Date Public: 14 Jun 2005\n * Date First Published: 14 Jun 2005\n * Date Last Updated: 28 Jul 2005\n * Severity Metric: 0.17\n * Document Revision: 22\n\n", "published": "2005-06-14T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.kb.cert.org/vuls/id/800829", "cvelist": ["CVE-2005-0488", "CVE-2005-0488", "CVE-2005-0488", "CVE-2005-1205"], "lastseen": "2016-02-03T09:12:36"}], "suse": [{"id": "SUSE-SA:2004:009", "type": "suse", "title": "local privilege escalation in Linux Kernel", "description": "iDEFENSE Inc. informed us about a buffer overflow in the linux 2.4 kernel code which handles ISO9660 filesystems. The original code is not able to handle very long symlink names. 
The vulnerability can be triggered locally by mounting removable media that contains a malformed filesystem or by using the loopback device. Exploiting this buffer overflow results in kernel-level access to the system.", "published": "2004-04-14T15:46:44", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2004-04/msg00004.html", "cvelist": ["CVE-2003-0991", "CVE-2004-0113", "CVE-2004-0179", "CVE-2004-0174", "CVE-2004-0153", "CVE-2004-0175", "CVE-2003-0020", "CVE-2004-0152", "CVE-2004-0181", "CVE-2004-0109"], "lastseen": "2016-09-04T11:50:35"}]}}