Caldera Systems Security Advisory: Security problem in telnetd | Linux Today

Written By
Web Webster
Apr 16, 2000
                   Caldera Systems, Inc.  Security Advisory

Subject:                Security problem in telnetd
Advisory number:        CSSA-2000-008.0
Issue date:             2000 March, 13
Cross reference:

1. Problem Description

The telnet daemon from the Linux netkit supports a command line
option -L that lets the administrator specify a login program other
than /bin/login.

An unintended interaction with some other piece of code in
telnetd has the effect that the memory location holding the name is
overwritten with information obtained from the client host.

This bug can be abused by an attacker to bypass authentication
completely. However, in almost all cases, this will just cause
telnetd to not work at all, which makes it unlikely that this
feature has been used widely.

If you have installed the netkit-telnet RPM as shipped by
Caldera, you are not vulnerable because the default configuration
does not use the -L flag.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        All packages previous to
                                netkit-telnet-0.16

   OpenLinux eServer 2.3        All packages previous to
                                netkit-telnet-0.16

3. Solution

We urge our customers to verify whether their configuration is
secure. The following command

grep ^telnet /etc/inetd.conf

should either yield no output at all (meaning that telnet service
is disabled on your machine) or

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

If neither of these is the case, you can fix the configuration using
the following command:

          lisa --inetd install telnet stream tcp nowait root \
                        /usr/sbin/tcpd in.telnetd

The proper solution is to upgrade to the fixed packages.
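
The configuration check described above, written as a script. This is an added example, not part of Caldera's advisory: it selects the same lines as grep ^telnet and reports whether telnet is disabled, matches the expected entry, or passes -L to the daemon. The function name, the status words and the sample entries are assumptions made for this example.

```shell
#!/bin/sh
# Classify the telnet entries of an inetd.conf read from stdin.
# Prints one status word (chosen for this example):
#   disabled     no active telnet entry
#   ok           only the entry the advisory expects
#   uses-L       some entry passes -L to the daemon
#   nonstandard  any other active telnet entry; review it by hand
classify_telnet_entries() {
    awk '
        /^telnet/ {                      # same selection as: grep ^telnet
            seen = 1
            # inetd.conf fields: service, socket type, protocol, wait flag,
            # user, server path, then the argv of the server (argv[0] first).
            expected = ($1 == "telnet" && $2 == "stream" && $3 == "tcp" &&
                        $4 == "nowait" && $5 == "root" &&
                        $6 == "/usr/sbin/tcpd" && $7 == "in.telnetd" &&
                        NF == 7)
            if (!expected) bad = 1
            # -L may stand alone, carry its value attached, or be bundled
            # with other short options, so match any option word with an L.
            for (i = 7; i <= NF; i++)
                if ($i ~ /^-[A-Za-z]*L/) uses_L = 1
        }
        END {
            if (!seen)       print "disabled"
            else if (uses_L) print "uses-L"
            else if (bad)    print "nonstandard"
            else             print "ok"
        }
    '
}

# Constructed sample entries, not taken from a real host.
sample_ok='telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd'
sample_L='telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -L /usr/local/bin/altlogin'

printf '%s\n' "$sample_ok" | classify_telnet_entries
printf '%s\n' "$sample_L"  | classify_telnet_entries

# On a real host: classify_telnet_entries < /etc/inetd.conf
```

Any result other than disabled or ok corresponds to the "neither of these" case in the advisory text.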

4. OpenLinux Desktop 2.3

4.1 Location of Fixed Packages

The upgrade packages can be found on Caldera’s FTP site at:


ftp://ftp.calderasystems.com/pub/openlinux/updates/2.3/current/RPMS/

The corresponding source code package can be found at:


ftp://ftp.calderasystems.com/pub/openlinux/updates/2.3/current/SRPMS

4.2 Verification

       5320b50c2c694edcb899021f279a6fb9  RPMS/netkit-telnet-0.16-1.i386.rpm
       8e4edd9c49a1ef7c4de467150609a9e3  SRPMS/netkit-telnet-0.16-1.src.rpm

4.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -F netkit-telnet-0.16-1.i386.rpm

5. OpenLinux eServer 2.3

5.1 Location of Fixed Packages

The upgrade packages can be found on Caldera’s FTP site at:


ftp://ftp.calderasystems.com/pub/eServer/updates/2.3/current/RPMS/

The corresponding source code package can be found at:


ftp://ftp.calderasystems.com/pub/eServer/updates/2.3/current/SRPMS

5.2 Verification

       d9e66b4d9cf37551b8e6bbb6003d76bf  RPMS/netkit-telnet-0.16-1.i386.rpm
       fe6df64c3a20c0bcebe65143d766ddc0  SRPMS/netkit-telnet-0.16-1.src.rpm

5.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -F netkit-telnet-0.16-1.i386.rpm

6. References

This and other Caldera security resources are located at:

http://www.calderasystems.com/support/security/index.html

7. Disclaimer

Caldera Systems, Inc. is not responsible for the misuse of any
of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera
OpenLinux.

8. Credits

Caldera Systems wishes to thank netkit maintainer David Holland
for reporting the problem.
