Caldera Systems, Inc. Security Advisory
Subject: Security problem in telnetd
Advisory number: CSSA-2000-008.0
Issue date: 2000 March, 13
Cross reference:
1. Problem Description
The telnet daemon from the Linux netkit supports a command line
option -L that lets the administrator specify a login program other
than /bin/login.
An unintended interaction with some other piece of code in
telnetd has the effect that the memory location holding the name is
overwritten with information obtained from the client host.
This bug can be abused by an attacker to bypass authentication
completely. However, in almost all cases, this will just cause
telnetd to not work at all, which makes it unlikely that this
feature has been used widely.
If you have installed the netkit-telnet RPM as shipped by
Caldera, you are not vulnerable because the default configuration
does not use the -L flag.
2. Vulnerable Versions
System Package
-----------------------------------------------------------
OpenLinux Desktop 2.3 All packages previous to
netkit-telnet-0.16
OpenLinux eServer 2.3 All packages previous to
netkit-telnet-0.16
3. Solution
We urge our customers to verify whether their configuration is
secure. Using the following command
should either yield no output at all (meaning that telnet service
is disabled on your machine) or
in.telnetd
If neither of this is the case, you can fix the configuration using
the following command:
lisa --inetd install telnet stream tcp nowait root
/usr/sbin/tcpd in.telnetd
The proper solution is to upgrade to the fixed packages.
4. OpenLinux Desktop 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera’s FTP site at:
ftp://ftp.calderasystems.com/pub/openlinux/updates/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderaystems.com/pub/openlinux/updates/2.3/current/SRPMS
4.2 Verification
5320b50c2c694edcb899021f279a6fb9 RPMS/netkit-telnet-0.16-1.i386.rpm
8e4edd9c49a1ef7c4de467150609a9e3 SRPMS/netkit-telnet-0.16-1.src.rpm
4.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -F netkit-telnet-0.16-1.i386.rpm
5. OpenLinux eServer 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera’s FTP site at:
ftp://ftp.calderasystems.com/pub/eServer/updates/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderaystems.com/pub/eServer/updates/2.3/current/SRPMS
4.2 Verification
d9e66b4d9cf37551b8e6bbb6003d76bf RPMS/netkit-telnet-0.16-1.i386.rpm
fe6df64c3a20c0bcebe65143d766ddc0 SRPMS/netkit-telnet-0.16-1.src.rpm
4.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -F netkit-telnet-0.16-1.i386.rpm
6. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
7. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any
of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera
OpenLinux.
8. Credits
Caldera Systems wishes to thank netkit maintainer David Holland
for reporting the problem.