Vulnerabilities > CVE-2005-0488

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.

Vulnerable Configurations

Part Description Count
Application
Microsoft
1
Application
Mit
1
OS
Sun
1

Nessus

  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-504.NASL
    descriptionUpdated telnet packages that fix an information disclosure issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The telnet package provides a command line telnet client. Gael Delalleau discovered an information disclosure issue in the way the telnet client handles messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0488 to this issue. Users of telnet should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id21834
    published2006-07-03
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21834
    titleCentOS 3 / 4 : telnet (CESA-2005:504)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:504 and 
    # CentOS Errata and Security Advisory 2005:504 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21834);
      script_version("1.17");
      script_cvs_date("Date: 2019/10/25 13:36:02");
    
      script_cve_id("CVE-2005-0488");
      script_xref(name:"RHSA", value:"2005:504");
    
      script_name(english:"CentOS 3 / 4 : telnet (CESA-2005:504)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated telnet packages that fix an information disclosure issue are
    now available.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The telnet package provides a command line telnet client.
    
    Gael Delalleau discovered an information disclosure issue in the way
    the telnet client handles messages from a server. An attacker could
    construct a malicious telnet server that collects information from the
    environment of any victim who connects to it. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    name CVE-2005-0488 to this issue.
    
    Users of telnet should upgrade to this updated package, which contains
    a backported patch to correct this issue."
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-June/011858.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f9a14a6c"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-June/011860.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d284630d"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-June/011864.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c8672d2c"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-June/011865.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a311f545"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-June/011867.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0993013f"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-June/011869.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3fde23ad"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected telnet packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:telnet");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:telnet-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/06/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"telnet-0.17-26.EL3.3")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"telnet-server-0.17-26.EL3.3")) flag++;
    
    if (rpm_check(release:"CentOS-4", reference:"telnet-0.17-31.EL4.3")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"telnet-server-0.17-31.EL4.3")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "telnet / telnet-server");
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS05-033.NASL
    descriptionThe remote version of Windows contains a flaw the Telnet client that could allow an attacker to read the session variables of users connecting to a rogue telnet server.
    last seen2020-06-01
    modified2020-06-02
    plugin id18486
    published2005-06-14
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18486
    titleMS05-033: Vulnerability in Telnet Client Could Allow Information Disclosure (896428)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(18486);
     script_version("1.35");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     script_cve_id("CVE-2005-0488", "CVE-2005-1205");
     script_bugtraq_id(13940);
     script_xref(name:"MSFT", value:"MS05-033");
     script_xref(name:"CERT", value:"800829");
     script_xref(name:"MSKB", value:"896428");
    
     script_name(english:"MS05-033: Vulnerability in Telnet Client Could Allow Information Disclosure (896428)");
     script_summary(english:"Determines the presence of update 896428");
    
     script_set_attribute(attribute:"synopsis", value:"It is possible to disclose user information.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a flaw the Telnet client that
    could allow an attacker to read the session variables of users
    connecting to a rogue telnet server.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-033");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows XP and 2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/14");
     script_set_attribute(attribute:"patch_publication_date", value:"2005/06/14");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/06/14");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS05-033';
    kb = '896428';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'3,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    if (hotfix_check_sp_range(win2k:'3,5') <= 0) exit(0, "This plugin does not implement testing Microsoft Windows Services for UNIX on Windows 2000.");
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      hotfix_is_vulnerable(os:"5.2", sp:0, file:"telnet.exe", version:"5.2.3790.329", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.2", sp:1, file:"telnet.exe", version:"5.2.3790.2442", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:1, file:"telnet.exe", version:"5.1.2600.1684", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, file:"telnet.exe", version:"5.1.2600.2674", dir:"\system32", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_warning();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2006-004.NASL
    descriptionThe remote host is running Apple Mac OS X, but lacks Security Update 2006-004. This security update contains fixes for the following applications : AFP Server Bluetooth Bom DHCP dyld fetchmail gnuzip ImageIO LaunchServices OpenSSH telnet WebKit
    last seen2020-06-01
    modified2020-06-02
    plugin id22125
    published2006-08-01
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22125
    titleMac OS X Multiple Vulnerabilities (Security Update 2006-004)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22125);
      script_version("1.23");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id("CVE-2005-0488", "CVE-2005-0988", "CVE-2005-1228", "CVE-2005-2335", "CVE-2005-3088",
                    "CVE-2005-4348", "CVE-2006-0321", "CVE-2006-0392", "CVE-2006-0393", "CVE-2006-1472",
                    "CVE-2006-1473", "CVE-2006-3459", "CVE-2006-3461", "CVE-2006-3462", "CVE-2006-3465",
                    "CVE-2006-3495", "CVE-2006-3496", "CVE-2006-3497", "CVE-2006-3498", "CVE-2006-3499",
                    "CVE-2006-3500", "CVE-2006-3501", "CVE-2006-3502", "CVE-2006-3503", "CVE-2006-3504",
                    "CVE-2006-3505");
      script_bugtraq_id(19289);
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2006-004)");
      script_summary(english:"Check for Security Update 2006-004");
    
      script_set_attribute(attribute:"synopsis", value:"The remote operating system is missing a vendor-supplied patch.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running Apple Mac OS X, but lacks
    Security Update 2006-004.
    
    This security update contains fixes for the following
    applications :
    
    AFP Server
    Bluetooth
    Bom
    DHCP
    dyld
    fetchmail
    gnuzip
    ImageIO
    LaunchServices
    OpenSSH
    telnet
    WebKit");
     # http://web.archive.org/web/20070728033955/http://docs.info.apple.com/article.html?artnum=304063
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6e97e41a");
      script_set_attribute(attribute:"solution", value:
    "Mac OS X 10.4 :
    
    http://www.apple.com/support/downloads/securityupdate2006004macosx1047clientintel.html
    http://www.apple.com/support/downloads/securityupdate2006004macosx1047clientppc.html
    
    Mac OS X 10.3 :
    
    http://www.apple.com/support/downloads/securityupdate20060041039client.html
    http://www.apple.com/support/downloads/securityupdate20060041039server.html");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/08/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/01");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      script_family(english:"MacOS X Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages");
      exit(0);
    }
    
    packages = get_kb_item("Host/MacOSX/packages");
    if ( ! packages ) exit(0);
    
    
    uname = get_kb_item("Host/uname");
    if ( egrep(pattern:"Darwin.* (7\.[0-9]\.|8\.[0-7]\.)", string:uname) )
    {
      if (!egrep(pattern:"^SecUpd(Srvr)?(2006-00[467]|2007-00[38])", string:packages)) security_hole(0);
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-562.NASL
    descriptionUpdated krb5 packages which fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. [Updated 26 Sep 2005] krb5-server packages have been added to this advisory for Red Hat Enterprise Linux 3 WS and Red Hat Enterprise Linux 3 Desktop. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Although no exploit is currently known to exist, this issue could potentially be exploited to allow arbitrary code execution on a Key Distribution Center (KDC). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Gael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). All users of krb5 should update to these erratum packages which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id21840
    published2006-07-03
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21840
    titleCentOS 3 : krb5 (CESA-2005:562)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-119.NASL
    descriptionA number of vulnerabilities have been corrected in this Kerberos update : The rcp protocol would allow a server to instruct a client to write to arbitrary files outside of the current directory. The Kerberos-aware rcp could be abused to copy files from a malicious server (CVE-2004-0175). Gael Delalleau discovered an information disclosure vulnerability in the way some telnet clients handled messages from a server. This could be abused by a malicious telnet server to collect information from the environment of any victim connecting to the server using the Kerberos- aware telnet client (CVE-2005-0488). Daniel Wachdorf disovered that in error conditions that could occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory, which could cause the KDC to crash resulting in a Denial of Service (CVE-2005-1174). Daniel Wachdorf also discovered a single-byte heap overflow in the krb5_unparse_name() function that could, if successfully exploited, lead to a crash, resulting in a DoS. To trigger this flaw, an attacker would need to have control of a Kerberos realm that shares a cross- realm key with the target (CVE-2005-1175). Finally, a double-free flaw was discovered in the krb5_recvauth() routine which could be triggered by a remote unauthenticated attacker. This issue could potentially be exploited to allow for the execution of arbitrary code on a KDC. No exploit is currently known to exist (CVE-2005-1689). The updated packages have been patched to address this issue and Mandriva urges all users to upgrade to these packages as quickly as possible.
    last seen2020-06-01
    modified2020-06-02
    plugin id19201
    published2005-07-14
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19201
    titleMandrake Linux Security Advisory : krb5 (MDKSA-2005:119)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-567.NASL
    descriptionUpdated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Red Hat Enterprise Linux 4 contains checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CVE-2005-1174). Gael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). All users of krb5 should update to these erratum packages, which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id21946
    published2006-07-05
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21946
    titleCentOS 4 : krb5 (CESA-2005:567)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-504.NASL
    descriptionUpdated telnet packages that fix an information disclosure issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The telnet package provides a command line telnet client. Gael Delalleau discovered an information disclosure issue in the way the telnet client handles messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0488 to this issue. Users of telnet should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id18501
    published2005-06-16
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18501
    titleRHEL 2.1 / 3 / 4 : telnet (RHSA-2005:504)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-553.NASL
    descriptionA double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Fedora Core 4 contains checks within glibc that detect double-free flaws. Therefore, on Fedora Core 4, successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Successful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw remotely, an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CVE-2005-1174). Gaael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id18685
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18685
    titleFedora Core 4 : krb5-1.4.1-5 (2005-553)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-562.NASL
    descriptionUpdated krb5 packages which fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. [Updated 26 Sep 2005] krb5-server packages have been added to this advisory for Red Hat Enterprise Linux 3 WS and Red Hat Enterprise Linux 3 Desktop. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Although no exploit is currently known to exist, this issue could potentially be exploited to allow arbitrary code execution on a Key Distribution Center (KDC). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Gael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). All users of krb5 should update to these erratum packages which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id18687
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18687
    titleRHEL 2.1 / 3 : krb5 (RHSA-2005:562)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-552.NASL
    descriptionA double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Fedora Core 3 contains checks within glibc that detect double-free flaws. Therefore, on Fedora Core 3, successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Successful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw remotely, an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CVE-2005-1174). Gaael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id18684
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18684
    titleFedora Core 3 : krb5-1.3.6-7 (2005-552)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-567.NASL
    descriptionUpdated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Red Hat Enterprise Linux 4 contains checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CVE-2005-1174). Gael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). All users of krb5 should update to these erratum packages, which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id18688
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18688
    titleRHEL 4 : krb5 (RHSA-2005:567)

Oval

  • accepted2013-04-29T04:13:35.713-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
      ovaloval:org.mitre.oval:def:11831
    • commentCentOS Linux 4.x
      ovaloval:org.mitre.oval:def:16636
    • commentOracle Linux 4.x
      ovaloval:org.mitre.oval:def:15990
    descriptionCertain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
    familyunix
    idoval:org.mitre.oval:def:11373
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleCertain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
    version27
  • accepted2005-09-21T01:33:00.000-04:00
    classvulnerability
    contributors
    nameJay Beale
    organizationBastille Linux
    descriptionCertain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
    familyunix
    idoval:org.mitre.oval:def:1139
    statusaccepted
    submitted2005-07-11T12:00:00.000-04:00
    titleTelnet Client Information Disclosure Vulnerability
    version4

Redhat

advisories
  • rhsa
    idRHSA-2005:504
  • rhsa
    idRHSA-2005:562
rpms
  • telnet-1:0.17-26.EL3.3
  • telnet-1:0.17-31.EL4.3
  • telnet-debuginfo-1:0.17-26.EL3.3
  • telnet-debuginfo-1:0.17-31.EL4.3
  • telnet-server-1:0.17-26.EL3.3
  • telnet-server-1:0.17-31.EL4.3
  • krb5-debuginfo-0:1.2.7-47
  • krb5-devel-0:1.2.7-47
  • krb5-libs-0:1.2.7-47
  • krb5-server-0:1.2.7-47
  • krb5-workstation-0:1.2.7-47

Statements

contributorMark J Cox
lastmodified2007-03-14
organizationRed Hat
statementRed Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.