ID B62C80C2-B81A-11DA-BEC5-00123FFE8333 Type freebsd Reporter FreeBSD Modified 2006-02-06T00:00:00
Description
A Project heimdal Security Advisory reports:
The telnet client program in Heimdal has buffer overflows
in the functions slc_add_reply() and env_opt_add(), which
may lead to remote code execution.
The telnetd server program in Heimdal has buffer overflows
in the function getterminaltype, which may lead to remote code
execution.
The rshd server in Heimdal has a privilege escalation bug
when storing forwarded credentials. The code allowes a user
to overwrite a file with its credential cache, and get ownership
of the file.
{"modified": "2006-02-06T00:00:00", "cvelist": ["CVE-2005-0469", "CVE-2006-0677", "CVE-2005-2040", "CVE-2006-0582"], "edition": 1, "type": "freebsd", "reporter": "FreeBSD", "references": ["http://www.pdc.kth.se/heimdal/advisory/2006-02-06", "http://www.pdc.kth.se/heimdal/advisory/2005-06-20", "http://www.pdc.kth.se/heimdal/advisory/2005-04-20"], "hashmap": [{"hash": "dd87fe906c9e58742bde5f731777dd1f", "key": "affectedPackage"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "4d3675005ca2bb30af1cc05c91bb9395", "key": "cvelist"}, {"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d481232e6439ee1c8ae19c72f905a32c", "key": "description"}, {"hash": "604344130cfcab16fc525cba800b4db6", "key": "href"}, {"hash": "a91befc413f784cd2693e4ca12d70029", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "a91befc413f784cd2693e4ca12d70029", "key": "published"}, {"hash": "47761e8d20ffb5a4d45ed63b049279e4", "key": "references"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "c47280972e61b6b985cb3c3aa5bf8c65", "key": "title"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "cfcd208495d565ef66e7dff9f98764da", "key": "viewCount"}], "href": "https://vuxml.freebsd.org/freebsd/b62c80c2-b81a-11da-bec5-00123ffe8333.html", "description": "\nA Project heimdal Security Advisory reports:\n\nThe telnet client program in Heimdal has buffer overflows\n\t in the functions slc_add_reply() and env_opt_add(), which\n\t may lead to remote code execution.\n\n\nThe telnetd server program in Heimdal has buffer overflows\n\t in the function getterminaltype, which may lead to remote code\n\t execution.\n\n\nThe rshd server in Heimdal has a privilege escalation bug\n\t when storing forwarded credentials. The code allowes a user\n\t to overwrite a file with its credential cache, and get ownership\n\t of the file.\n\n", "id": "B62C80C2-B81A-11DA-BEC5-00123FFE8333", "lastseen": "2016-09-26T17:25:08", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "hash": "ad1bef8567fccfd828264a2667bf1126f36be7c9d3cf91568f3c03497168e455", "enchantments": {"vulnersScore": 9.3}, "bulletinFamily": "unix", "history": [], "published": "2006-02-06T00:00:00", "objectVersion": "1.2", "affectedPackage": [{"packageFilename": "UNKNOWN", "operator": "lt", "packageVersion": "0.6.6", "OS": "FreeBSD", "packageName": "heimdal", "OSVersion": "any", "arch": "noarch"}], "title": "heimdal -- Multiple vulnerabilities", "viewCount": 2}
{"result": {"cve": [{"id": "CVE-2005-0469", "type": "cve", "title": "CVE-2005-0469", "description": "Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands.", "published": "2005-05-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0469", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-10-11T11:06:09"}, {"id": "CVE-2006-0677", "type": "cve", "title": "CVE-2006-0677", "description": "telnetd in Heimdal 0.6.x before 0.6.6 and 0.7.x before 0.7.2 allows remote unauthenticated attackers to cause a denial of service (server crash) via unknown vectors that trigger a null dereference.", "published": "2006-02-14T06:06:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0677", "cvelist": ["CVE-2006-0677"], "lastseen": "2017-07-20T10:49:06"}, {"id": "CVE-2005-2040", "type": "cve", "title": "CVE-2005-2040", "description": "Multiple buffer overflows in the getterminaltype function in telnetd for Heimdal before 0.6.5 may allow remote attackers to execute arbitrary code, a different vulnerability than CVE-2005-0468 and CVE-2005-0469.", "published": "2005-06-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2040", "cvelist": ["CVE-2005-2040"], "lastseen": "2016-09-03T05:33:38"}, {"id": "CVE-2006-0582", "type": "cve", "title": "CVE-2006-0582", "description": "Unspecified vulnerability in rshd in Heimdal 0.6.x before 0.6.6 and 0.7.x before 0.7.2, when storing forwarded credentials, allows attackers to overwrite arbitrary files and change file ownership via unknown vectors.", "published": "2006-02-07T20:02:00", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0582", "cvelist": ["CVE-2006-0582"], "lastseen": "2017-07-20T10:49:05"}], "cert": [{"id": "VU:291924", "type": "cert", "title": "Multiple Telnet clients fail to properly handle the \"LINEMODE\" SLC suboption", "description": "### Overview\n\nMultiple Telnet clients contain a data length validation flaw which may allow a server to induce arbitrary code execution on the client host.\n\n### Description\n\nThe Telnet network protocol is described in RFC854 and RFC855 as a general, bi-directional communications facility. The Telnet protocol is commonly used for command line login sessions between Internet hosts. \n\nMany Telnet client implementations may be vulnerable to a flaw which may allow arbitrary code to be executed on the connected client. The Telnet server may supply a specially crafted reply containing a larger number of RFC1184 LINEMODE \"Set Local Character\" (SLC) suboption commands, which are not checked for proper length before being stored into a fixed length buffer. Affected Telnet clients possibly include the BSD Telnet implementation and the MIT Kerberos distribution. \n \nThe Telnet LINEMODE mode is enabled by default in a majority of modern Telnet clients and servers, and is often negotiated automatically before user input is required. Therefore, an attacker may be able to launch a vulnerable client, for example, through commands embedded in web pages such as an IFRAME with a \"telnet:\" URL, and exploit this flaw requiring only minimal or no user interaction. \n \n--- \n \n### Impact\n\nA remote server may be able to execute arbitrary code under the permissions of the user running the Telnet client on the local host. \n \n--- \n \n### Solution\n\n**Apply an update from your vendor** \nPatches, updates, and fixes are available from multiple vendors. \n \n--- \n \nAs a workaround, the client may explicitly disable the LINEMODE mode before connecting in order to prevent LINEMODE command processing. In addition, as a best practice clients should never connect to unknown servers. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nApple Computer, Inc.| | 28 Mar 2005| 01 Apr 2005 \nDebian Linux| | 28 Mar 2005| 29 Mar 2005 \nF5 Networks, Inc.| | 28 Mar 2005| 02 May 2005 \nMandriva, Inc.| | 28 Mar 2005| 01 Apr 2005 \nMiT Kerberos Development Team| | -| 29 Mar 2005 \nRed Hat, Inc.| | 28 Mar 2005| 22 Dec 2005 \nSun Microsystems, Inc.| | 28 Mar 2005| 29 Mar 2005 \nMicrosoft Corporation| | 28 Mar 2005| 01 Apr 2005 \nCray Inc.| | 28 Mar 2005| 29 Mar 2005 \nEMC Corporation| | 28 Mar 2005| 29 Mar 2005 \nEngarde| | 28 Mar 2005| 29 Mar 2005 \nFreeBSD, Inc.| | 28 Mar 2005| 29 Mar 2005 \nFujitsu| | 28 Mar 2005| 29 Mar 2005 \nHitachi| | 28 Mar 2005| 29 Mar 2005 \nHP| | 28 Mar 2005| 29 Mar 2005 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23291924 Vendor Status Inquiry>). \n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * [http://www.idefense.com/application/poi/display?id=220&type;=vulnerabilities](<http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities>)\n * <https://rhn.redhat.com/errata/RHSA-2005-327.html>\n * <http://secunia.com/advisories/14745/>\n * <http://web.mit.edu/kerberos/www/...s/MITKRB5-SA-2005-001-telnet.txt>\n * <http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1>\n * <http://www.auscert.org.au/5134>\n\n### Credit\n\nThanks to iDEFENSE Labs for reporting this vulnerability.\n\nThis document was written by Ken MacInnis.\n\n### Other Information\n\n * CVE IDs: [CVE-2005-0469](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0469>)\n * Date Public: 28 Mar 2005\n * Date First Published: 29 Mar 2005\n * Date Last Updated: 22 Dec 2005\n * Severity Metric: 12.60\n * Document Revision: 29\n\n", "published": "2005-03-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/291924", "cvelist": ["CVE-2005-0469", "CVE-2005-0469"], "lastseen": "2016-02-03T09:12:20"}], "openvas": [{"id": "OPENVAS:53527", "type": "openvas", "title": "Debian Security Advisory DSA 699-1 (netkit-telnet-ssl)", "description": "The remote host is missing an update to netkit-telnet-ssl\nannounced via advisory DSA 699-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53527", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-07-24T12:49:55"}, {"id": "OPENVAS:54901", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200503-36 (netkit-telnetd)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200503-36.", "published": "2008-09-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=54901", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-07-24T12:49:47"}, {"id": "OPENVAS:53528", "type": "openvas", "title": "Debian Security Advisory DSA 697-1 (netkit-telnet)", "description": "The remote host is missing an update to netkit-telnet\nannounced via advisory DSA 697-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53528", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-07-24T12:50:16"}, {"id": "OPENVAS:54444", "type": "openvas", "title": "Debian Security Advisory DSA 765-1 (heimdal)", "description": "The remote host is missing an update to heimdal\nannounced via advisory DSA 765-1.\n\nGa\u00ebl Delalleau discovered a buffer overflow in the handling of the\nLINEMODE suboptions in telnet clients. Heimdal, a free implementation\nof Kerberos 5, also contains such a client. This can lead to the\nexecution of arbitrary code when connected to a malicious server.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 0.4e-7.woody.11.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=54444", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-07-24T12:50:25"}, {"id": "OPENVAS:65401", "type": "openvas", "title": "SLES9: Security update for telnet", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n telnet\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5015478 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=65401", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-07-26T08:55:24"}, {"id": "OPENVAS:53560", "type": "openvas", "title": "Debian Security Advisory DSA 731-1 (krb4)", "description": "The remote host is missing an update to krb4\nannounced via advisory DSA 731-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53560", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-07-24T12:49:43"}, {"id": "OPENVAS:65149", "type": "openvas", "title": "SLES9: Security update for heimdal", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n heimdal-devel\n heimdal-lib\n heimdal\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5012765 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=65149", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-07-26T08:56:20"}, {"id": "OPENVAS:54930", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200504-28 (Heimdal)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200504-28.", "published": "2008-09-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=54930", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-07-24T12:49:46"}, {"id": "OPENVAS:54906", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200504-04 (telnet)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200504-04.", "published": "2008-09-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=54906", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-07-24T12:49:45"}, {"id": "OPENVAS:136141256231054459", "type": "openvas", "title": "Slackware Advisory SSA:2005-210-01 telnet client", "description": "The remote host is missing an update as announced\nvia advisory SSA:2005-210-01.", "published": "2012-09-11T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231054459", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2018-04-06T11:18:54"}], "nessus": [{"id": "DEBIAN_DSA-699.NASL", "type": "nessus", "title": "Debian DSA-699-1 : netkit-telnet-ssl - buffer overflow", "description": "Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.", "published": "2005-03-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=17641", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-10-29T13:39:54"}, {"id": "GENTOO_GLSA-200503-36.NASL", "type": "nessus", "title": "GLSA-200503-36 : netkit-telnetd: Buffer overflow", "description": "The remote host is affected by the vulnerability described in GLSA-200503-36 (netkit-telnetd: Buffer overflow)\n\n A buffer overflow has been identified in the slc_add_reply() function of netkit-telnetd client, where a large number of SLC commands can overflow a fixed size buffer.\n Impact :\n\n Successful exploitation would require a vulnerable user to connect to an attacker-controlled host using telnet, potentially executing arbitrary code with the permissions of the telnet user.\n Workaround :\n\n There is no known workaround at this time.", "published": "2005-04-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=17666", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-10-29T13:35:33"}, {"id": "DEBIAN_DSA-697.NASL", "type": "nessus", "title": "Debian DSA-697-1 : netkit-telnet - buffer overflow", "description": "Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.", "published": "2005-03-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=17639", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-10-29T13:38:19"}, {"id": "DEBIAN_DSA-765.NASL", "type": "nessus", "title": "Debian DSA-765-1 : heimdal - buffer overflow", "description": "Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. Heimdal, a free implementation of Kerberos 5, also contains such a client. This can lead to the execution of arbitrary code when connected to a malicious server.", "published": "2005-07-22T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=19270", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-10-29T13:35:54"}, {"id": "FEDORA_2005-269.NASL", "type": "nessus", "title": "Fedora Core 2 : krb5-1.3.6-4 (2005-269)", "description": "Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available.\n\nKerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other.\n\nThe krb5-workstation package includes a Kerberos-aware telnet client.\nTwo buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2005-05-19T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=18327", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-10-29T13:44:30"}, {"id": "FEDORA_2005-277.NASL", "type": "nessus", "title": "Fedora Core 2 : telnet-0.17-28.FC2.1 (2005-277)", "description": "Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues.\n\nRed Hat would like to thank iDEFENSE for their responsible disclosure of this issue.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2005-05-19T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=18330", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-10-29T13:44:07"}, {"id": "GENTOO_GLSA-200504-01.NASL", "type": "nessus", "title": "GLSA-200504-01 : telnet-bsd: Multiple buffer overflows", "description": "The remote host is affected by the vulnerability described in GLSA-200504-01 (telnet-bsd: Multiple buffer overflows)\n\n A buffer overflow has been identified in the env_opt_add() function of telnet-bsd, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer.\n Impact :\n\n Successful exploitation would require a vulnerable user to connect to an attacker-controlled host using telnet, potentially executing arbitrary code with the permissions of the telnet user.\n Workaround :\n\n There is no known workaround at this time.", "published": "2005-04-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=17675", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-10-29T13:38:20"}, {"id": "FEDORA_2005-274.NASL", "type": "nessus", "title": "Fedora Core 3 : telnet-0.17-32.FC3.2 (2005-274)", "description": "Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues.\n\nRed Hat would like to thank iDEFENSE for their responsible disclosure of this issue.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2005-09-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=19642", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-10-29T13:45:10"}, {"id": "DEBIAN_DSA-731.NASL", "type": "nessus", "title": "Debian DSA-731-1 : krb4 - buffer overflows", "description": "Several problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to. The Common Vulnerabilities and Exposures project identifies the following problems :\n\n - CAN-2005-0468 Gael Delalleau discovered a buffer overflow in the env_opt_add() function that allow a remote attacker to execute arbitrary code.\n\n - CAN-2005-0469\n\n Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients.\n This can lead to the execution of arbitrary code when connected to a malicious server.", "published": "2005-06-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=18518", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-10-29T13:36:38"}, {"id": "REDHAT-RHSA-2005-330.NASL", "type": "nessus", "title": "RHEL 2.1 / 3 / 4 : krb5 (RHSA-2005:330)", "description": "Updated krb5 packages which fix two buffer overflow vulnerabilities in the included Kerberos-aware telnet client are now available.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nKerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other.\n\nThe krb5-workstation package includes a Kerberos-aware telnet client.\nTwo buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0468 and CVE-2005-0469 to these issues.\n\nUsers of krb5 should update to these erratum packages which contain a backported patch to correct this issue.\n\nRed Hat would like to thank iDEFENSE for their responsible disclosure of this issue.", "published": "2005-03-30T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=17659", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-10-29T13:45:05"}], "debian": [{"id": "DSA-699", "type": "debian", "title": "netkit-telnet-ssl -- buffer overflow", "description": "Ga\u0106\u00abl Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.\n\nFor the stable distribution (woody) this problem has been fixed in version 0.17.17+0.1-2woody4.\n\nFor the unstable distribution (sid) these problems have been fixed in version 0.17.24+0.1-8.\n\nWe recommend that you upgrade your telnet-ssl package.", "published": "2005-03-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-699", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-10-05T13:03:15"}, {"id": "DSA-765", "type": "debian", "title": "heimdal -- buffer overflow", "description": "Ga\u0106\u00abl Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. Heimdal, a free implementation of Kerberos 5, also contains such a client. This can lead to the execution of arbitrary code when connected to a malicious server.\n\nFor the old stable distribution (woody) this problem has been fixed in version 0.4e-7.woody.11.\n\nFor the stable distribution (sarge) this problem has been fixed in version 0.6.3-10.\n\nFor the unstable distribution (sid) this problem has been fixed in version 0.6.3-10.\n\nWe recommend that you upgrade your heimdal package.", "published": "2005-07-22T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-765", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-10-05T12:58:41"}, {"id": "DSA-697", "type": "debian", "title": "netkit-telnet -- buffer overflow", "description": "Ga\u0106\u00abl Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.\n\nFor the stable distribution (woody) this problem has been fixed in version 0.17-18woody3.\n\nFor the unstable distribution (sid) this problem has been fixed in version 0.17-28.\n\nWe recommend that you upgrade your telnet package.", "published": "2005-03-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-697", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-10-05T13:12:28"}, {"id": "DSA-731", "type": "debian", "title": "krb4 -- buffer overflows", "description": "Several problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CAN-2005-0468](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468>)\n\nGa\u00ebl Delalleau discovered a buffer overflow in the env_opt_add() function that allow a remote attacker to execute arbitrary code.\n\n * [CAN-2005-0469](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469>)\n\nGa\u00ebl Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.\n\nFor the stable distribution (woody) these problems have been fixed in version 1.1-8-2.4.\n\nFor the testing distribution (sarge) these problems have been fixed in version 1.2.2-11.2.\n\nFor the unstable distribution (sid) these problems have been fixed in version 1.2.2-11.2.\n\nWe recommend that you upgrade your krb4 packages.", "published": "2005-06-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-731", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-10-05T13:11:52"}, {"id": "DSA-703", "type": "debian", "title": "krb5 -- buffer overflows", "description": "Several problems have been discovered in telnet clients that could be exploited by malicious daemons the client connects to. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CAN-2005-0468](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468>)\n\nGa\u00ebl Delalleau discovered a buffer overflow in the env_opt_add() function that allow a remote attacker to execute arbitrary code.\n\n * [CAN-2005-0469](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469>)\n\nGa\u00ebl Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in telnet clients. This can lead to the execution of arbitrary code when connected to a malicious server.\n\nFor the stable distribution (woody) these problems have been fixed in version 1.2.4-5woody8.\n\nFor the unstable distribution (sid) these problems have been fixed in version 1.3.6-1.\n\nWe recommend that you upgrade your krb5 package.", "published": "2005-04-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-703", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2017-10-05T13:12:36"}, {"id": "DSA-977", "type": "debian", "title": "heimdal -- several vulnerabilities", "description": "Two vulnerabilities have been discovered in heimdal, a free implementation of Kerberos 5. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:\n\n * [CVE-2006-0582](<https://security-tracker.debian.org/tracker/CVE-2006-0582>)\n\nPrivilege escalation in the rsh server allows an authenticated attacker to overwrite arbitrary files and gain ownership of them.\n\n * [CVE-2006-0677](<https://security-tracker.debian.org/tracker/CVE-2006-0677>)\n\nA remote attacker could force the telnet server to crash before the user logged in, resulting in inetd turning telnetd off because it forked too fast.\n\nThe old stable distribution (woody) does not expose rsh and telnet servers.\n\nFor the stable distribution (sarge) these problems have been fixed in version 0.6.3-10sarge2.\n\nFor the unstable distribution (sid) these problems will be fixed soon.\n\nWe recommend that you upgrade your heimdal packages.", "published": "2006-02-16T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-977", "cvelist": ["CVE-2006-0677", "CVE-2006-0582"], "lastseen": "2016-09-02T18:26:01"}, {"id": "DSA-758", "type": "debian", "title": "heimdal -- buffer overflow", "description": "A buffer overflow has been discovered in the telnet server from Heimdal, a free implementation of Kerberos 5, that could lead to the execution of arbitrary code.\n\nFor the old stable distribution (woody) this problem has been fixed in version 0.4e-7.woody.10.\n\nFor the stable distribution (sarge) this problem has been fixed in version 0.6.3-10sarge1.\n\nFor the unstable distribution (sid) this problem has been fixed in version 0.6.3-11.\n\nWe recommend that you upgrade your heimdal packages.", "published": "2005-07-18T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://www.debian.org/security/dsa-758", "cvelist": ["CVE-2005-2040"], "lastseen": "2016-09-02T18:27:56"}], "gentoo": [{"id": "GLSA-200503-36", "type": "gentoo", "title": "netkit-telnetd: Buffer overflow", "description": "### Background\n\nnetkit-telnetd provides standard Linux telnet client and server. \n\n### Description\n\nA buffer overflow has been identified in the slc_add_reply() function of netkit-telnetd client, where a large number of SLC commands can overflow a fixed size buffer. \n\n### Impact\n\nSuccessful explotation would require a vulnerable user to connect to an attacker-controlled host using telnet, potentially executing arbitrary code with the permissions of the telnet user. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll netkit-telnetd users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/netkit-telnetd-0.17-r6\"", "published": "2005-03-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/200503-36", "cvelist": ["CVE-2005-0469"], "lastseen": "2016-09-06T19:46:20"}, {"id": "GLSA-200504-04", "type": "gentoo", "title": "mit-krb5: Multiple buffer overflows in telnet client", "description": "### Background\n\nThe MIT Kerberos 5 implementation provides a command line telnet client which is used for remote login via the telnet protocol. \n\n### Description\n\nA buffer overflow has been identified in the env_opt_add() function, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. \n\n### Impact\n\nSuccessful exploitation would require a vulnerable user to connect to an attacker-controlled telnet host, potentially executing arbitrary code with the permissions of the telnet user on the client. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll mit-krb5 users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-crypt/mit-krb5-1.3.6-r2\"", "published": "2005-04-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/200504-04", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2016-09-06T19:47:01"}, {"id": "GLSA-200504-28", "type": "gentoo", "title": "Heimdal: Buffer overflow vulnerabilities", "description": "### Background\n\nHeimdal is a free implementation of Kerberos 5 that includes a telnet client program. \n\n### Description\n\nBuffer overflow vulnerabilities in the slc_add_reply() and env_opt_add() functions have been discovered by Gael Delalleau in the telnet client in Heimdal. \n\n### Impact\n\nSuccessful exploitation would require a vulnerable user to connect to an attacker-controlled host using the telnet client, potentially executing arbitrary code with the permissions of the user running the application. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Heimdal users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-crypt/heimdal-0.6.4\"", "published": "2005-04-28T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/200504-28", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2016-09-06T19:46:04"}, {"id": "GLSA-200504-01", "type": "gentoo", "title": "telnet-bsd: Multiple buffer overflows", "description": "### Background\n\ntelnet-bsd provides a command line telnet client which is used for remote login using the telnet protocol. \n\n### Description\n\nA buffer overflow has been identified in the env_opt_add() function of telnet-bsd, where a response requiring excessive escaping can cause a heap-based buffer overflow. Another issue has been identified in the slc_add_reply() function, where a large number of SLC commands can overflow a fixed size buffer. \n\n### Impact\n\nSuccessful exploitation would require a vulnerable user to connect to an attacker-controlled host using telnet, potentially executing arbitrary code with the permissions of the telnet user. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll telnet-bsd users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/telnet-bsd-1.0-r1\"", "published": "2005-04-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/200504-01", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2016-09-06T19:46:37"}, {"id": "GLSA-200506-24", "type": "gentoo", "title": "Heimdal: Buffer overflow vulnerabilities", "description": "### Background\n\nHeimdal is a free implementation of Kerberos 5 that includes a telnetd server. \n\n### Description\n\nIt has been reported that the \"getterminaltype\" function of Heimdal's telnetd server is vulnerable to buffer overflows. \n\n### Impact\n\nAn attacker could exploit this vulnerability to execute arbitrary code with the permission of the telnetd server program. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll users should upgrade to the latest available version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-crypt/heimdal-0.6.5\"", "published": "2005-06-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://security.gentoo.org/glsa/200506-24", "cvelist": ["CVE-2005-2040"], "lastseen": "2016-09-06T19:46:18"}, {"id": "GLSA-200603-14", "type": "gentoo", "title": "Heimdal: rshd privilege escalation", "description": "### Background\n\nHeimdal is a free implementation of Kerberos 5. \n\n### Description\n\nAn unspecified privilege escalation vulnerability in the rshd server of Heimdal has been reported. \n\n### Impact\n\nAuthenticated users could exploit the vulnerability to escalate privileges or to change the ownership and content of arbitrary files. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Heimdal users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-crypt/heimdal-0.7.2\"", "published": "2006-03-17T00:00:00", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://security.gentoo.org/glsa/200603-14", "cvelist": ["CVE-2006-0582"], "lastseen": "2016-09-06T19:46:41"}], "osvdb": [{"id": "OSVDB:15094", "type": "osvdb", "title": "Multiple Vendor Telnet slc_add_reply Function Remote Overflow", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1)\n[Vendor Specific Advisory URL](http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-001-telnet.txt)\n[Vendor Specific Advisory URL](http://tech.f5.com/home/bigip/solutions/advisories/sol4441.html)\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/search/document.do?assetkey=1-26-57761-1)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2005-156.pdf)\n[Vendor Specific Advisory URL](http://www.trustix.org/errata/2005/0028/)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2005-132_RHSA-2005-327.pdf)\nSecurity Tracker: 1013575\n[Secunia Advisory ID:17389](https://secuniaresearch.flexerasoftware.com/advisories/17389/)\n[Secunia Advisory ID:14745](https://secuniaresearch.flexerasoftware.com/advisories/14745/)\n[Secunia Advisory ID:17899](https://secuniaresearch.flexerasoftware.com/advisories/17899/)\n[Secunia Advisory ID:16171](https://secuniaresearch.flexerasoftware.com/advisories/16171/)\n[Secunia Advisory ID:16293](https://secuniaresearch.flexerasoftware.com/advisories/16293/)\n[Secunia Advisory ID:16413](https://secuniaresearch.flexerasoftware.com/advisories/16413/)\nRedHat RHSA: RHSA-2005:330\nRedHat RHSA: RHSA-2005:327\nOther Advisory URL: http://www.debian.org/security/2005/dsa-697\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200503-36.xml\nOther Advisory URL: http://www.debian.org/security/2005/dsa-703\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.23/SCOSA-2005.23.txt\nOther Advisory URL: http://www.debian.org/security/2005/dsa-699\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:061\nOther Advisory URL: http://www.pdc.kth.se/heimdal/advisory/2005-04-20/\nOther Advisory URL: http://www.debian.org/security/2005/dsa-773\nOther Advisory URL: http://www.ubuntulinux.org/usn/usn-224-1\nOther Advisory URL: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc\nOther Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-101-1\nOther Advisory URL: http://rhn.redhat.com/errata/RHSA-2005-330.html\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200504-04.xml\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21/SCOSA-2005.21.txt\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200504-28.xml\nOther Advisory URL: http://www.novell.com/linux/security/advisories/2005_12_sr.html\nOther Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20050405-01-P.asc\nOther Advisory URL: http://www.debian.org/security/2005/dsa-731\nOther Advisory URL: http://www.debian.org/security/2005/dsa-765\nOther Advisory URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2005-004.txt.asc\nOther Advisory URL: http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities&flashstatus=true\nOther Advisory URL: http://rhn.redhat.com/errata/RHSA-2005-327.html\nOther Advisory URL: http://www.openbsd.org/errata.html#telnet\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200504-01.xml\nOther Advisory URL: http://support.avaya.com/elmodocs2/security/ASA-2005-088_RHSA-2005-330.pdf\nOther Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.425797\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-03/0478.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-03/0500.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-03/0465.html\n[CVE-2005-0469](https://vulners.com/cve/CVE-2005-0469)\nCERT VU: 291924\nBugtraq ID: 12918\n", "published": "2005-03-28T07:40:47", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:15094", "cvelist": ["CVE-2005-0469"], "lastseen": "2017-04-28T13:20:11"}, {"id": "OSVDB:23244", "type": "osvdb", "title": "Heimdal telnetd Unspecified Remote DoS", "description": "## Solution Description\nUpgrade to version 0.7.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\n[Vendor Specific Advisory URL](http://www.ubuntu.com/usn/usn-253-1)\n[Vendor Specific Advisory URL](http://lists.suse.de/archive/suse-security-announce/2006-Feb/0009.html)\n[Vendor Specific Advisory URL](http://www.debian.org/security/2006/dsa-977)\n[Secunia Advisory ID:18961](https://secuniaresearch.flexerasoftware.com/advisories/18961/)\n[Secunia Advisory ID:18894](https://secuniaresearch.flexerasoftware.com/advisories/18894/)\n[Secunia Advisory ID:19005](https://secuniaresearch.flexerasoftware.com/advisories/19005/)\nMail List Post: http://archives.neohapsis.com/archives/apps/freshmeat/2007-01/0013.html\nMail List Post: http://www.stacken.kth.se/lists/heimdal-discuss/2006-02/msg00028.html\n[CVE-2006-0677](https://vulners.com/cve/CVE-2006-0677)\n", "published": "2006-02-06T09:35:58", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:23244", "cvelist": ["CVE-2006-0677"], "lastseen": "2017-04-28T13:20:20"}, {"id": "OSVDB:17449", "type": "osvdb", "title": "Heimdal telnetd getterminaltype Function Overflow", "description": "## Solution Description\nUpgrade to version 0.6.5, 0.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\n[Vendor Specific Advisory URL](http://www.debian.org/security/2005/dsa-758)\nSecurity Tracker: 1014244\n[Secunia Advisory ID:15965](https://secuniaresearch.flexerasoftware.com/advisories/15965/)\n[Secunia Advisory ID:15718](https://secuniaresearch.flexerasoftware.com/advisories/15718/)\n[Secunia Advisory ID:15858](https://secuniaresearch.flexerasoftware.com/advisories/15858/)\n[Secunia Advisory ID:16413](https://secuniaresearch.flexerasoftware.com/advisories/16413/)\nOther Advisory URL: http://www.debian.org/security/2005/dsa-773\nOther Advisory URL: http://www.pdc.kth.se/heimdal/advisory/2005-06-20/\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200506-24.xml\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2005-Jul/0002.html\n[CVE-2005-2040](https://vulners.com/cve/CVE-2005-2040)\n", "published": "2005-06-20T08:39:12", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:17449", "cvelist": ["CVE-2005-2040"], "lastseen": "2017-04-28T13:20:13"}, {"id": "OSVDB:22986", "type": "osvdb", "title": "Heimdal rshd Server Forwarded Credential Overwrite Privilege Escalation", "description": "## Solution Description\nUpgrade to version 0.6.6, 0.7.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\n[Vendor Specific Advisory URL](http://lists.suse.de/archive/suse-security-announce/2006-Feb/0009.html)\n[Vendor Specific Advisory URL](http://www.debian.org/security/2006/dsa-977)\nSecurity Tracker: 1015591\n[Secunia Advisory ID:18733](https://secuniaresearch.flexerasoftware.com/advisories/18733/)\n[Secunia Advisory ID:18806](https://secuniaresearch.flexerasoftware.com/advisories/18806/)\n[Secunia Advisory ID:19302](https://secuniaresearch.flexerasoftware.com/advisories/19302/)\n[Secunia Advisory ID:18894](https://secuniaresearch.flexerasoftware.com/advisories/18894/)\n[Secunia Advisory ID:19005](https://secuniaresearch.flexerasoftware.com/advisories/19005/)\nOther Advisory URL: http://www.ubuntu.com/usn/usn-247-1\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200603-14.xml\nOther Advisory URL: http://www.pdc.kth.se/heimdal/advisory/2006-02-06/\n[CVE-2006-0582](https://vulners.com/cve/CVE-2006-0582)\n", "published": "2006-02-06T03:47:52", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:22986", "cvelist": ["CVE-2006-0582"], "lastseen": "2017-04-28T13:20:19"}], "ubuntu": [{"id": "USN-101-1", "type": "ubuntu", "title": "telnet vulnerabilities", "description": "A buffer overflow was discovered in the telnet client\u2019s handling of the LINEMODE suboptions. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i. e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client. (CAN-2005-0469)\n\nMichal Zalewski discovered a Denial of Service vulnerability in the telnet server (telnetd). A remote attacker could cause the telnetd process to free an invalid pointer, which caused the server process to crash, leading to a denial of service (inetd will disable the service if telnetd crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the \u2018telnetd\u2019 user). Please note that the telnet server is not officially supported by Ubuntu, it is in the \u201cuniverse\u201d component. (CAN-2004-0911)", "published": "2005-03-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/101-1/", "cvelist": ["CVE-2005-0469", "CVE-2004-0911"], "lastseen": "2018-03-29T18:18:06"}, {"id": "USN-224-1", "type": "ubuntu", "title": "Kerberos vulnerabilities", "description": "Ga\ufffdl Delalleau discovered a buffer overflow in the env_opt_add() function of the Kerberos 4 and 5 telnet clients. By sending specially crafted replies, a malicious telnet server could exploit this to execute arbitrary code with the privileges of the user running the telnet client. (CVE-2005-0468)\n\nGa\ufffdl Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in the telnet clients of Kerberos 4 and 5. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i. e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client. (CVE-2005-0469)\n\nDaniel Wachdorf discovered two remote vulnerabilities in the Key Distribution Center of Kerberos 5 (krb5-kdc). By sending certain TCP connection requests, a remote attacker could trigger a double-freeing of memory, which led to memory corruption and a crash of the KDC server. (CVE-2005-1174). Under rare circumstances the same type of TCP connection requests could also trigger a buffer overflow that could be exploited to run arbitrary code with the privileges of the KDC server. (CVE-2005-1175)\n\nMagnus Hagander discovered that the krb5_recvauth() function attempted to free previously freed memory in some situations. A remote attacker could possibly exploit this to run arbitrary code with the privileges of the program that called this function. Most imporantly, this affects the following daemons: kpropd (from the krb5-kdc package), klogind, and kshd (both from the krb5-rsh-server package). (CVE-2005-1689)\n\nPlease note that these packages are not officially supported by Ubuntu (they are in the \u2018universe\u2019 component of the archive).", "published": "2005-12-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/224-1/", "cvelist": ["CVE-2005-1689", "CVE-2005-1174", "CVE-2005-0469", "CVE-2005-0468", "CVE-2005-1175"], "lastseen": "2018-03-29T18:19:35"}, {"id": "USN-253-1", "type": "ubuntu", "title": "heimdal vulnerability", "description": "A remote Denial of Service vulnerability was discovered in the heimdal implementation of the telnet daemon. A remote attacker could force the server to crash due to a NULL de-reference before the user logged in, resulting in inetd turning telnetd off because it forked too fast.\n\nPlease note that the heimdal-servers package is not officially supported in Ubuntu (it is in the \u2018universe\u2019 component of the archive). However, this affects you if you use a customized version built from the heimdal source package (which is supported).", "published": "2006-02-18T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/253-1/", "cvelist": ["CVE-2006-0677", "CVE-2006-0582"], "lastseen": "2018-03-29T18:20:15"}, {"id": "USN-247-1", "type": "ubuntu", "title": "Heimdal vulnerability", "description": "A privilege escalation flaw has been found in the heimdal rsh (remote shell) server. This allowed an authenticated attacker to overwrite arbitrary files and gain ownership of them.\n\nPlease note that the heimdal-servers package is not officially supported in Ubuntu (it is in the \u2018universe\u2019 component of the archive). However, this affects you if you use a customized version built from the heimdal source package (which is supported).", "published": "2006-02-11T00:00:00", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://usn.ubuntu.com/247-1/", "cvelist": ["CVE-2006-0582"], "lastseen": "2018-03-29T18:18:30"}], "slackware": [{"id": "SSA-2005-210-01", "type": "slackware", "title": "telnet client", "description": "New tcpip packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\nand -current to fix a security issues with the telnet client. Overflows in\nthe telnet client may lead to the execution of arbitrary code as the telnet\nuser if the user connects to a malicious telnet server.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469\n\nHere are the details from the Slackware 10.1 ChangeLog:\n\npatches/packages/tcpip-0.17-i486-31b.tgz: Patched two overflows in\n the telnet client that could allow the execution of arbitrary code\n when connected to a malicious telnet server.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469\n (* Security fix *)\n\nWhere to find the new packages:\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/tcpip-0.17-i386-13b.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/tcpip-0.17-i386-16b.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/tcpip-0.17-i486-24b.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/tcpip-0.17-i486-29b.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/tcpip-0.17-i486-31b.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/tcpip-0.17-i486-33.tgz\n\n\nMD5 signatures:\n\nSlackware 8.1 package:\n87b10fbcc7480a702549b4816417e189 tcpip-0.17-i386-13b.tgz\n\nSlackware 9.0 package:\nf1ecdc9628575e00b12a33fd373deb4b tcpip-0.17-i386-16b.tgz\n\nSlackware 9.1 package:\n53b479b39b124c760e8a394d7a77202e tcpip-0.17-i486-24b.tgz\n\nSlackware 10.0 package:\n27bccd82765b690a1be50a0c380cfae4 tcpip-0.17-i486-29b.tgz\n\nSlackware 10.1 package:\n1372bff0f83f8147ae8adb84c10058ec tcpip-0.17-i486-31b.tgz\n\nSlackware -current package:\n6169015f5860175119d426c0170f040b tcpip-0.17-i486-33.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg tcpip-0.17-i486-33.tgz", "published": "2005-07-29T21:44:43", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.425797", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2018-02-02T18:11:31"}], "redhat": [{"id": "RHSA-2005:330", "type": "redhat", "title": "(RHSA-2005:330) krb5 security update", "description": "Kerberos is a networked authentication system which uses a trusted third\nparty (a KDC) to authenticate clients and servers to each other.\n\nThe krb5-workstation package includes a Kerberos-aware telnet client. \nTwo buffer overflow flaws were discovered in the way the telnet client\nhandles messages from a server. An attacker may be able to execute\narbitrary code on a victim's machine if the victim can be tricked into\nconnecting to a malicious telnet server. The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the names CAN-2005-0468 and\nCAN-2005-0469 to these issues.\n\nUsers of krb5 should update to these erratum packages which contain a\nbackported patch to correct this issue.\n\nRed Hat would like to thank iDEFENSE for their responsible disclosure of\nthis issue.", "published": "2005-03-30T05:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2005:330", "cvelist": ["CVE-2005-0468", "CVE-2005-0469"], "lastseen": "2018-05-11T21:14:01"}, {"id": "RHSA-2005:327", "type": "redhat", "title": "(RHSA-2005:327) telnet security update", "description": "The telnet package provides a command line telnet client. The telnet-server\npackage includes a telnet daemon, telnetd, that supports remote login to\nthe host machine.\n\nTwo buffer overflow flaws were discovered in the way the telnet client\nhandles messages from a server. An attacker may be able to execute\narbitrary code on a victim's machine if the victim can be tricked into\nconnecting to a malicious telnet server. The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the names CAN-2005-0468\nand CAN-2005-0469 to these issues.\n\nAdditionally, the following bugs have been fixed in these erratum packages\nfor Red Hat Enterprise Linux 2.1 and Red Hat Enterprise Linux 3:\n\n- telnetd could loop on an error in the child side process\n\n- There was a race condition in telnetd on a wtmp lock on some occasions\n\n- The command line in the process table was sometimes too long and caused\nbad output from the ps command\n\n- The 8-bit binary option was not working\n\nUsers of telnet should upgrade to this updated package, which contains\nbackported patches to correct these issues.\n\nRed Hat would like to thank iDEFENSE for their responsible disclosure of\nthis issue.", "published": "2005-03-28T05:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2005:327", "cvelist": ["CVE-2005-0468", "CVE-2005-0469"], "lastseen": "2018-05-11T21:13:47"}], "f5": [{"id": "SOL4441", "type": "f5", "title": "SOL4441 - BSD telnet vulnerabilities CAN-2005-0468 and CAN-2005-0469", "description": "#### Was this resource helpful in solving your issue?\n\nYes - this resource was helpful \nNo - this resource was not helpful \nI don\u0091t know yet \n\n\nNOTE: Please do not provide personal information.\n\n \n \n\n\n#### Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear: \n", "published": "2005-07-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/4000/400/sol4441.html", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2016-09-26T17:23:29"}, {"id": "F5:K4441", "type": "f5", "title": "BSD telnet vulnerabilities CAN-2005-0468 and CAN-2005-0469", "description": "", "published": "2005-07-21T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K4441", "cvelist": ["CVE-2005-0469", "CVE-2005-0468"], "lastseen": "2018-07-11T01:29:02"}], "suse": [{"id": "SUSE-SA:2006:011", "type": "suse", "title": "remote denial of service in heimdal", "description": "Heimdal is a Kerberos 5 implementation from the Royal Institut of Techno- logy in Stockholm. This update fixes two bugs in heimdal. The first one occurs in the rsh daemon and allows an authenticated malicious user to gain ownership of files that belong to other users (CVE-2006-0582). The second bug affects the telnet server and can be used to crash the server before authentication happens. It is even a denial-of-service attack when the telnetd is started via inetd because inetd stops forking the daemon when it forks too fast (CVE-2006-0677).\n#### Solution\nThere is no work-around known.", "published": "2006-02-24T14:44:34", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2006-02/msg00020.html", "cvelist": ["CVE-2006-0677", "CVE-2006-0582"], "lastseen": "2016-09-04T11:52:33"}, {"id": "SUSE-SA:2006:010", "type": "suse", "title": "remote denial of service in heimdal", "description": "Heimdal is a Kerberos 5 implementation from the Royal Institut of Techno- logy in Stockholm. This update fixes two bugs in heimdal. The first one occurs in the rsh daemon and allows an authenticated malicious user to gain ownership of files that belong to other users (CVE-2006-0582). The second bug affects the telnet server and can be used to crash the server before authentication happens. It is even a denial-of-service attack when the telnetd is started via inetd because inetd stops forking the daemon when it forks too fast (CVE-2006-0677).\n#### Solution\nThere is no work-around known.", "published": "2006-02-24T13:58:32", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2006-02/msg00018.html", "cvelist": ["CVE-2006-0677", "CVE-2006-0736", "CVE-2006-0582"], "lastseen": "2016-09-04T11:17:41"}, {"id": "SUSE-SA:2005:040", "type": "suse", "title": "remote code execution in heimdal", "description": "A remote buffer overflow has been fixed in the heimdal / kerberos telnetd daemon which could lead to a remote user executing code as root by overflowing a buffer.\n#### Solution\nPlease install the updated packages.", "published": "2005-07-06T15:31:34", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2005-07/msg00008.html", "cvelist": ["CVE-2005-2040"], "lastseen": "2016-09-04T11:32:37"}]}}
