Vulnerabilities > CVE-2011-4862 - Classic Buffer Overflow vulnerability in multiple products

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
gnu
heimdal-project
mit
freebsd
fedoraproject
debian
opensuse
suse
CWE-120
critical
nessus
exploit available
metasploit

Summary

Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.

Vulnerable Configurations

Part Description Count
Application
Gnu
11
Application
Heimdal_Project
110
Application
Mit
1
OS
Freebsd
109
OS
Fedoraproject
2
OS
Debian
3
OS
Opensuse
2
OS
Suse
10

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

  • descriptionFreeBSD Telnet Service Encryption Key ID Buffer Overflow. CVE-2011-4862. Remote exploit for bsd platform
    idEDB-ID:18369
    last seen2016-02-02
    modified2012-01-14
    published2012-01-14
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/18369/
    titleFreeBSD Telnet Service Encryption Key ID Buffer Overflow
  • descriptionLinux BSD-derived Telnet Service Encryption Key ID Buffer Overflow. CVE-2011-4862. Remote exploit for linux platform
    idEDB-ID:18368
    last seen2016-02-02
    modified2012-01-14
    published2012-01-14
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/18368/
    titleLinux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
  • descriptionTelnetd encrypt_keyid - Remote Root Function Pointer Overwrite. CVE-2011-4862. Remote exploit for linux platform
    fileexploits/linux/remote/18280.c
    idEDB-ID:18280
    last seen2016-02-02
    modified2011-12-26
    platformlinux
    port
    published2011-12-26
    reporterNighterMan and BatchDrake
    sourcehttps://www.exploit-db.com/download/18280/
    titleTelnetd encrypt_keyid - Remote Root Function Pointer Overwrite
    typeremote

Metasploit

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2375.NASL
    descriptionIt was discovered that the encryption support for BSD telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to the Telnet port to execute arbitrary code with root privileges.
    last seen2020-03-17
    modified2012-01-12
    plugin id57515
    published2012-01-12
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57515
    titleDebian DSA-2375-1 : krb5, krb5-appl - buffer overflow
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2375. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(57515);
      script_version("1.13");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2011-4862");
      script_xref(name:"DSA", value:"2375");
    
      script_name(english:"Debian DSA-2375-1 : krb5, krb5-appl - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the encryption support for BSD telnetd contains
    a pre-authentication buffer overflow, which may enable remote
    attackers who can connect to the Telnet port to execute arbitrary code
    with root privileges."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze/krb5-appl"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2011/dsa-2375"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the krb5 and krb5-appl packages.
    
    For the oldstable distribution (lenny), this problem has been fixed in
    version 1.6.dfsg.4~beta1-5lenny7 of krb5.
    
    For the stable distribution (squeeze), this problem has been fixed in
    version 1:1.0.1-1.2 of krb5-appl."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760");
      script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:krb5-appl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/12/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"5.0", prefix:"krb5", reference:"1.6.dfsg.4~beta1-5lenny7")) flag++;
    if (deb_check(release:"6.0", prefix:"krb5-clients", reference:"1:1.0.1-1.2")) flag++;
    if (deb_check(release:"6.0", prefix:"krb5-ftpd", reference:"1:1.0.1-1.2")) flag++;
    if (deb_check(release:"6.0", prefix:"krb5-rsh-server", reference:"1:1.0.1-1.2")) flag++;
    if (deb_check(release:"6.0", prefix:"krb5-telnetd", reference:"1:1.0.1-1.2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2011-1851.NASL
    descriptionUpdated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third- party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id57405
    published2011-12-28
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57405
    titleCentOS 4 / 5 : krb5 (CESA-2011:1851)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2011:1851 and 
    # CentOS Errata and Security Advisory 2011:1851 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(57405);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:06");
    
      script_cve_id("CVE-2011-4862");
      script_bugtraq_id(51182);
      script_xref(name:"RHSA", value:"2011:1851");
    
      script_name(english:"CentOS 4 / 5 : krb5 (CESA-2011:1851)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated krb5 packages that fix one security issue are now available
    for Red Hat Enterprise Linux 4 and 5.
    
    The Red Hat Security Response Team has rated this update as having
    Critical security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    Kerberos is a network authentication system which allows clients and
    servers to authenticate to each other using symmetric encryption and a
    trusted third- party, the Key Distribution Center (KDC).
    
    A buffer overflow flaw was found in the MIT krb5 telnet daemon
    (telnetd). A remote attacker who can access the telnet port of a
    target machine could use this flaw to execute arbitrary code as root.
    (CVE-2011-4862)
    
    Note that the krb5 telnet daemon is not enabled by default in any
    version of Red Hat Enterprise Linux. In addition, the default firewall
    rules block remote access to the telnet port. This flaw does not
    affect the telnet daemon distributed in the telnet-server package.
    
    For users who have installed the krb5-workstation package, have
    enabled the telnet daemon, and have it accessible remotely, this
    update should be applied immediately.
    
    All krb5-workstation users should upgrade to these updated packages,
    which contain a backported patch to correct this issue."
      );
      # https://lists.centos.org/pipermail/centos-announce/2011-December/018359.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e44f57b9"
      );
      # https://lists.centos.org/pipermail/centos-announce/2011-December/018360.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e476e566"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected krb5 packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760");
      script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-server-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/12/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x / 5.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"krb5-devel-1.3.4-65.el4")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"krb5-devel-1.3.4-65.el4")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"krb5-libs-1.3.4-65.el4")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"krb5-libs-1.3.4-65.el4")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"krb5-server-1.3.4-65.el4")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"krb5-server-1.3.4-65.el4")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"krb5-workstation-1.3.4-65.el4")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"krb5-workstation-1.3.4-65.el4")) flag++;
    
    if (rpm_check(release:"CentOS-5", reference:"krb5-devel-1.6.1-63.el5_7")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"krb5-libs-1.6.1-63.el5_7")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"krb5-server-1.6.1-63.el5_7")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"krb5-server-ldap-1.6.1-63.el5_7")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"krb5-workstation-1.6.1-63.el5_7")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-devel / krb5-libs / krb5-server / krb5-server-ldap / etc");
    }
    
  • NASL familyMisc.
    NASL idVMWARE_VMSA-2012-0006_REMOTE.NASL
    descriptionThe remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - Kernel - krb5 telnet daemon
    last seen2020-06-01
    modified2020-06-02
    plugin id89107
    published2016-03-03
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89107
    titleVMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0006) (remote check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(89107);
      script_version("1.8");
      script_cvs_date("Date: 2019/09/24 15:02:54");
    
      script_cve_id(
        "CVE-2011-2482",
        "CVE-2011-3191",
        "CVE-2011-4348",
        "CVE-2011-4862",
        "CVE-2012-1515"
      );
      script_bugtraq_id(
        49295,
        49373,
        51182,
        51363,
        52820
      );
      script_xref(name:"VMSA", value:"2012-0006");
      script_xref(name:"EDB-ID", value:"18280");
      script_xref(name:"EDB-ID", value:"18368");
      script_xref(name:"EDB-ID", value:"18369");
    
      script_name(english:"VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0006) (remote check)");
      script_summary(english:"Checks the remote ESX/ESXi host's version and build number.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESXi / ESX host is missing a security-related patch.");
      script_set_attribute(attribute:"description", value:
    "The remote VMware ESX / ESXi host is missing a security-related patch.
    It is, therefore, affected by multiple vulnerabilities, including
    remote code execution vulnerabilities, in the following components :
    
      - Kernel
      - krb5 telnet daemon");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2012-0006.html");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760");
      script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/03/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/03");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Misc.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
      script_require_ports("Host/VMware/vsphere");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    ver = get_kb_item_or_exit("Host/VMware/version");
    rel = get_kb_item_or_exit("Host/VMware/release");
    port = get_kb_item_or_exit("Host/VMware/vsphere");
    
    esx = "ESX/ESXi";
    
    extract = eregmatch(pattern:"^(ESXi?) (\d\.\d).*$", string:ver);
    if (isnull(extract))
      audit(AUDIT_UNKNOWN_APP_VER, esx);
    else
    {
      esx = extract[1];
      ver = extract[2];
    }
    
    product = "VMware " + esx;
    
    # fixed builds
    fixes = make_array(
      "ESX 3.5",  604481,
      "ESXi 3.5", 604481,
      "ESX 4.0",  660575,
      "ESXi 4.0", 660575,
      "ESX 4.1",  348481,
      "ESXi 4.1", 348481
    );
    
    key = esx + ' ' + ver;
    fix = NULL;
    fix = fixes[key];
    
    bmatch = eregmatch(pattern:'^VMware ESXi?.*build-([0-9]+)$', string:rel);
    if (empty_or_null(bmatch))
      audit(AUDIT_UNKNOWN_BUILD, product, ver);
    
    build = int(bmatch[1]);
    
    if (!fix)
      audit(AUDIT_INST_VER_NOT_VULN, product, ver, build);
    
    if (build < fix)
    {
      # properly spaced label
      if ("ESXi" >< esx) ver_label = ' version    : ';
      else ver_label = ' version     : ';
      report = '\n  ' + esx + ver_label + ver +
               '\n  Installed build : ' + build +
               '\n  Fixed build     : ' + fix +
               '\n';
      security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
    }
    else
      audit(AUDIT_INST_VER_NOT_VULN, product, ver, build);
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_KRB5-7899.NASL
    descriptionThis update of krb5 fixes two security issues. - A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.). (CVE-2011-4862) - / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems. (CVE-2011-1526)
    last seen2020-06-01
    modified2020-06-02
    plugin id57431
    published2012-01-03
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/57431
    titleSuSE 10 Security Update : Kerberos 5 (ZYPP Patch Number 7899)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(57431);
      script_version ("1.13");
      script_cvs_date("Date: 2019/10/25 13:36:43");
    
      script_cve_id("CVE-2011-1526", "CVE-2011-4862");
    
      script_name(english:"SuSE 10 Security Update : Kerberos 5 (ZYPP Patch Number 7899)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of krb5 fixes two security issues.
    
      - A remote code execution in the kerberized telnet daemon
        was fixed. (This only affects the ktelnetd from the
        krb5-appl RPM, not the regular telnetd supplied by
        SUSE.). (CVE-2011-4862)
    
      - / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file
        access problems. (CVE-2011-1526)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-1526.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-4862.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 7899.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760");
      script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/12/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:4, reference:"krb5-1.4.3-19.49.49.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"krb5-client-1.4.3-19.49.49.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, reference:"krb5-devel-1.4.3-19.49.49.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, cpu:"x86_64", reference:"krb5-32bit-1.4.3-19.49.49.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, cpu:"x86_64", reference:"krb5-devel-32bit-1.4.3-19.49.49.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"krb5-1.4.3-19.49.49.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"krb5-apps-clients-1.4.3-19.49.49.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"krb5-apps-servers-1.4.3-19.49.49.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"krb5-client-1.4.3-19.49.49.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"krb5-devel-1.4.3-19.49.49.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"krb5-server-1.4.3-19.49.49.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, cpu:"x86_64", reference:"krb5-32bit-1.4.3-19.49.49.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, cpu:"x86_64", reference:"krb5-devel-32bit-1.4.3-19.49.49.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_KRB5-111229.NASL
    descriptionThis update of krb5 fixes two security issues. - A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.). (CVE-2011-4862) - / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems. (CVE-2011-1526)
    last seen2020-06-01
    modified2020-06-02
    plugin id57430
    published2012-01-03
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/57430
    titleSuSE 11.1 Security Update : Kerberos 5 (SAT Patch Number 5594)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(57430);
      script_version("1.16");
      script_cvs_date("Date: 2019/10/25 13:36:42");
    
      script_cve_id("CVE-2011-1526", "CVE-2011-4862");
    
      script_name(english:"SuSE 11.1 Security Update : Kerberos 5 (SAT Patch Number 5594)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 11 host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of krb5 fixes two security issues.
    
      - A remote code execution in the kerberized telnet daemon
        was fixed. (This only affects the ktelnetd from the
        krb5-appl RPM, not the regular telnetd supplied by
        SUSE.). (CVE-2011-4862)
    
      - / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file
        access problems. (CVE-2011-1526)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=698471"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=738632"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-1526.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-4862.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply SAT patch number 5594.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760");
      script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:krb5-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:krb5-apps-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:krb5-apps-servers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:krb5-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:krb5-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/12/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);
    
    pl = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, "SuSE 11.1");
    
    
    flag = 0;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"krb5-1.6.3-133.48.48.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"krb5-client-1.6.3-133.48.48.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"krb5-1.6.3-133.48.48.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"krb5-32bit-1.6.3-133.48.48.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"krb5-client-1.6.3-133.48.48.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"krb5-1.6.3-133.48.48.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"krb5-apps-clients-1.6.3-133.48.48.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"krb5-apps-servers-1.6.3-133.48.48.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"krb5-client-1.6.3-133.48.48.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"krb5-server-1.6.3-133.48.48.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"krb5-32bit-1.6.3-133.48.48.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"krb5-32bit-1.6.3-133.48.48.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2011-1852.NASL
    descriptionFrom Red Hat Security Advisory 2011:1852 : Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id68413
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68413
    titleOracle Linux 6 : krb5-appl (ELSA-2011-1852)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2011:1852 and 
    # Oracle Linux Security Advisory ELSA-2011-1852 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68413);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:09");
    
      script_cve_id("CVE-2011-4862");
      script_xref(name:"RHSA", value:"2011:1852");
    
      script_name(english:"Oracle Linux 6 : krb5-appl (ELSA-2011-1852)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2011:1852 :
    
    Updated krb5-appl packages that fix one security issue are now
    available for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having
    Critical security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh,
    and rlogin clients and servers. Kerberos is a network authentication
    system which allows clients and servers to authenticate to each other
    using symmetric encryption and a trusted third-party, the Key
    Distribution Center (KDC).
    
    A buffer overflow flaw was found in the MIT krb5 telnet daemon
    (telnetd). A remote attacker who can access the telnet port of a
    target machine could use this flaw to execute arbitrary code as root.
    (CVE-2011-4862)
    
    Note that the krb5 telnet daemon is not enabled by default in any
    version of Red Hat Enterprise Linux. In addition, the default firewall
    rules block remote access to the telnet port. This flaw does not
    affect the telnet daemon distributed in the telnet-server package.
    
    For users who have installed the krb5-appl-servers package, have
    enabled the krb5 telnet daemon, and have it accessible remotely, this
    update should be applied immediately.
    
    All krb5-appl-server users should upgrade to these updated packages,
    which contain a backported patch to correct this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2011-December/002538.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected krb5-appl packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760");
      script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-appl-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-appl-servers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/12/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"krb5-appl-clients-1.0.1-7.el6_2")) flag++;
    if (rpm_check(release:"EL6", reference:"krb5-appl-servers-1.0.1-7.el6_2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-appl-clients / krb5-appl-servers");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-1852.NASL
    descriptionUpdated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id57409
    published2011-12-28
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57409
    titleRHEL 6 : krb5-appl (RHSA-2011:1852)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2011:1852. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(57409);
      script_version ("1.20");
      script_cvs_date("Date: 2019/10/25 13:36:16");
    
      script_cve_id("CVE-2011-4862");
      script_xref(name:"RHSA", value:"2011:1852");
    
      script_name(english:"RHEL 6 : krb5-appl (RHSA-2011:1852)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated krb5-appl packages that fix one security issue are now
    available for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having
    Critical security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh,
    and rlogin clients and servers. Kerberos is a network authentication
    system which allows clients and servers to authenticate to each other
    using symmetric encryption and a trusted third-party, the Key
    Distribution Center (KDC).
    
    A buffer overflow flaw was found in the MIT krb5 telnet daemon
    (telnetd). A remote attacker who can access the telnet port of a
    target machine could use this flaw to execute arbitrary code as root.
    (CVE-2011-4862)
    
    Note that the krb5 telnet daemon is not enabled by default in any
    version of Red Hat Enterprise Linux. In addition, the default firewall
    rules block remote access to the telnet port. This flaw does not
    affect the telnet daemon distributed in the telnet-server package.
    
    For users who have installed the krb5-appl-servers package, have
    enabled the krb5 telnet daemon, and have it accessible remotely, this
    update should be applied immediately.
    
    All krb5-appl-server users should upgrade to these updated packages,
    which contain a backported patch to correct this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2011-4862"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2011:1852"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected krb5-appl-clients, krb5-appl-debuginfo and / or
    krb5-appl-servers packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760");
      script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-appl-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-appl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-appl-servers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/12/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2011:1852";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"krb5-appl-clients-1.0.1-7.el6_2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"krb5-appl-clients-1.0.1-7.el6_2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"krb5-appl-clients-1.0.1-7.el6_2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"krb5-appl-debuginfo-1.0.1-7.el6_2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"krb5-appl-debuginfo-1.0.1-7.el6_2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"krb5-appl-debuginfo-1.0.1-7.el6_2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"krb5-appl-servers-1.0.1-7.el6_2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"krb5-appl-servers-1.0.1-7.el6_2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"krb5-appl-servers-1.0.1-7.el6_2")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-appl-clients / krb5-appl-debuginfo / krb5-appl-servers");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2372.NASL
    descriptionIt was discovered that the Kerberos support for telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to TELNET to execute arbitrary code with root privileges.
    last seen2020-03-17
    modified2012-01-12
    plugin id57512
    published2012-01-12
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57512
    titleDebian DSA-2372-1 : heimdal - buffer overflow
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS11_TELNET_20120404.NASL
    descriptionThe remote Solaris system is missing necessary patches to address security updates : - Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011. (CVE-2011-4862)
    last seen2020-06-01
    modified2020-06-02
    plugin id80781
    published2015-01-19
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80781
    titleOracle Solaris Third-Party Patch Update : telnet (cve_2011_4862_buffer_overflow)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201202-05.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201202-05 (Heimdal: Arbitrary code execution) A boundary error in the
    last seen2020-06-01
    modified2020-06-02
    plugin id58101
    published2012-02-23
    reporterThis script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/58101
    titleGLSA-201202-05 : Heimdal: Arbitrary code execution
  • NASL familyCISCO
    NASL idCISCO-SA-20120126-ESA.NASL
    descriptionAccording to its self-reported version, the version of AsyncOS running on the remote Cisco Email Security Appliance (ESA) is affected by a remote code execution vulnerability due to a buffer overflow condition in the telnet component.
    last seen2020-06-01
    modified2020-06-02
    plugin id79271
    published2014-11-17
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79271
    titleCisco Email Security Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2011-195.NASL
    descriptionA vulnerability has been discovered and corrected in krb5-appl, heimdal and netkit-telnet : An unauthenticated remote attacker can cause a buffer overflow and probably execute arbitrary code with the privileges of the telnet daemon (CVE-2011-4862). In Mandriva the telnetd daemon from the netkit-telnet-server package does not have an initscript to start and stop the service, however one could rather easily craft an initscript or start the service by other means rendering the system vulnerable to this issue. The updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id57412
    published2011-12-29
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/57412
    titleMandriva Linux Security Advisory : krb5-appl (MDVSA-2011:195)
  • NASL familyCISCO
    NASL idCISCO-SA-20120126-WSA.NASL
    descriptionAccording to its self-reported version, the version of AsyncOS running on the remote Cisco Web Security Appliance (WSA) is affected by a remote code execution vulnerability due to a buffer overflow condition in the telnet component.
    last seen2020-06-01
    modified2020-06-02
    plugin id79273
    published2014-11-17
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79273
    titleCisco Web Security Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201201-14.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201201-14 (MIT Kerberos 5 Applications: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MIT Kerberos 5 Applications: An error in the FTP daemon prevents it from dropping its initial effective group identifier (CVE-2011-1526). A boundary error in the telnet daemon and client could cause a buffer overflow (CVE-2011-4862). Impact : An unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the user running the telnet daemon or client. Furthermore, an authenticated remote attacker may be able to read or write files owned by the same group as the effective group of the FTP daemon. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id57656
    published2012-01-24
    reporterThis script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57656
    titleGLSA-201201-14 : MIT Kerberos 5 Applications: Multiple vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-1853.NASL
    descriptionUpdated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 3 Extended Life Cycle Support, 5.3 Long Life and 5.6 Extended Update Support The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id64017
    published2013-01-24
    reporterThis script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/64017
    titleRHEL 5 : krb5 (RHSA-2011:1853)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_4_KRB5-APPL-111229.NASL
    descriptionThis update of krb5 applications fixes two security issues. CVE-2011-4862: A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.) CVE-2011-1526 / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems.
    last seen2020-06-01
    modified2020-06-02
    plugin id75886
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75886
    titleopenSUSE Security Update : krb5-appl (openSUSE-SU-2012:0019-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2011-17492.NASL
    descriptionThis update incorporates the upstream patch to fix a buffer overflow in the Kerberos-aware telnet server. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id57442
    published2012-01-06
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57442
    titleFedora 15 : krb5-appl-1.0.1-8.fc15 (2011-17492)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2011-1851.NASL
    descriptionFrom Red Hat Security Advisory 2011:1851 : Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third- party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id68412
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68412
    titleOracle Linux 4 / 5 : krb5 (ELSA-2011-1851)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2011-17493.NASL
    descriptionThis update incorporates the upstream patch to fix a buffer overflow in the Kerberos-aware telnet server. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id57443
    published2012-01-06
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57443
    titleFedora 16 : krb5-appl-1.0.2-2.fc16 (2011-17493)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-1854.NASL
    descriptionUpdated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6.0 and 6.1 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id64018
    published2013-01-24
    reporterThis script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/64018
    titleRHEL 6 : krb5-appl (RHSA-2011:1854)
  • NASL familyCISCO
    NASL idCISCO-SA-20120126-SMA.NASL
    descriptionAccording to its self-reported version, the version of AsyncOS running on the remote Cisco Content Security Management Appliance (SMA) is affected by a remote code execution vulnerability due to a buffer overflow condition in the telnet component.
    last seen2020-06-01
    modified2020-06-02
    plugin id79272
    published2014-11-17
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79272
    titleCisco Content Security Management Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_4DDC78DC300A11E1A2AA0016CE01E285.NASL
    descriptionThe MIT Kerberos Team reports : When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. Also see MITKRB5-SA-2011-008.
    last seen2020-06-01
    modified2020-06-02
    plugin id57403
    published2011-12-27
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57403
    titleFreeBSD : krb5-appl -- telnetd code execution vulnerability (4ddc78dc-300a-11e1-a2aa-0016ce01e285)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2012-0006.NASL
    descriptiona. VMware ROM Overwrite Privilege Escalation A flaw in the way port-based I/O is handled allows for modifying Read-Only Memory that belongs to the Virtual DOS Machine. Exploitation of this issue may lead to privilege escalation on Guest Operating Systems that run Windows 2000, Windows XP 32-bit, Windows Server 2003 32-bit or Windows Server 2003 R2 32-bit. VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1515 to this issue. b. ESX third-party update for Service Console kernel The ESX Service Console Operating System (COS) kernel is updated to kernel-400.2.6.18-238.4.11.591731 to fix multiple security issues in the COS kernel. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-2482, CVE-2011-3191 and CVE-2011-4348 to these issues. c. ESX third-party update for Service Console krb5 RPM This patch updates the krb5-libs and krb5-workstation RPMs to version 1.6.1-63.el5_7 to resolve a security issue. By default, the affected krb5-telnet and ekrb5-telnet services do not run. The krb5 telnet daemon is an xinetd service. You can run the following commands to check if krb5 telnetd is enabled : /sbin/chkconfig --list krb5-telnet /sbin/chkconfig --list ekrb5-telnet The output of these commands displays if krb5 telnet is enabled. You can run the following commands to disable krb5 telnet daemon : /sbin/chkconfig krb5-telnet off /sbin/chkconfig ekrb5-telnet off The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-4862 to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id58535
    published2012-03-30
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/58535
    titleVMSA-2012-0006 : VMware Workstation, ESXi, and ESX address several security issues
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2011-1852.NASL
    descriptionUpdated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id57406
    published2011-12-28
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57406
    titleCentOS 6 : krb5-appl (CESA-2011:1852)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2011-0015.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Fix for (CVE-2011-4862) - incorporate a fix to teach the file labeling bits about when replay caches are expunged (#712453) - rebuild - ftp: handle larger command inputs (#665833) - don
    last seen2020-06-01
    modified2020-06-02
    plugin id79475
    published2014-11-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79475
    titleOracleVM 2.2 : krb5 (OVMSA-2011-0015)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_3_KRB5-APPL-111229.NASL
    descriptionThis update of krb5 applications fixes two security issues. CVE-2011-4862: A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.) CVE-2011-1526 / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems.
    last seen2020-06-01
    modified2020-06-02
    plugin id75564
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75564
    titleopenSUSE Security Update : krb5-appl (openSUSE-SU-2012:0019-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-1851.NASL
    descriptionUpdated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third- party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id57408
    published2011-12-28
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57408
    titleRHEL 4 / 5 : krb5 (RHSA-2011:1851)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20111227_KRB5_APPL_ON_SL6_X.NASL
    descriptionThe krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Scientific Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id61213
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/61213
    titleScientific Linux Security Update : krb5-appl on SL6.x i386/x86_64
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2373.NASL
    descriptionIt was discovered that the Kerberos support for telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to TELNET to execute arbitrary code with root privileges.
    last seen2020-03-17
    modified2012-01-12
    plugin id57513
    published2012-01-12
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57513
    titleDebian DSA-2373-1 : inetutils - buffer overflow
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20111227_KRB5_ON_SL4_X.NASL
    descriptionKerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third- party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Scientific Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id61214
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/61214
    titleScientific Linux Security Update : krb5 on SL4.x, SL5.x i386/x86_64
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2012-17.NASL
    description - Fixed a remote code execution in ktelnetd (CVE-2011-4862 / bnc#738632)
    last seen2020-06-05
    modified2014-06-13
    plugin id74578
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74578
    titleopenSUSE Security Update : krb5-appl (openSUSE-2012-17)

Packetstorm

Redhat

advisories
  • bugzilla
    id770325
    titleCVE-2011-4862 krb5: telnet client and server encrypt_keyid heap-based buffer overflow
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 4 is installed
        ovaloval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • commentkrb5-devel is earlier than 0:1.3.4-65.el4
            ovaloval:com.redhat.rhsa:tst:20111851001
          • commentkrb5-devel is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060612004
        • AND
          • commentkrb5-server is earlier than 0:1.3.4-65.el4
            ovaloval:com.redhat.rhsa:tst:20111851003
          • commentkrb5-server is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060612002
        • AND
          • commentkrb5-libs is earlier than 0:1.3.4-65.el4
            ovaloval:com.redhat.rhsa:tst:20111851005
          • commentkrb5-libs is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060612008
        • AND
          • commentkrb5-workstation is earlier than 0:1.3.4-65.el4
            ovaloval:com.redhat.rhsa:tst:20111851007
          • commentkrb5-workstation is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060612006
    • AND
      • commentRed Hat Enterprise Linux 5 is installed
        ovaloval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • commentkrb5-libs is earlier than 0:1.6.1-63.el5_7
            ovaloval:com.redhat.rhsa:tst:20111851010
          • commentkrb5-libs is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070095013
        • AND
          • commentkrb5-workstation is earlier than 0:1.6.1-63.el5_7
            ovaloval:com.redhat.rhsa:tst:20111851012
          • commentkrb5-workstation is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070095011
        • AND
          • commentkrb5-server-ldap is earlier than 0:1.6.1-63.el5_7
            ovaloval:com.redhat.rhsa:tst:20111851014
          • commentkrb5-server-ldap is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20110199008
        • AND
          • commentkrb5-devel is earlier than 0:1.6.1-63.el5_7
            ovaloval:com.redhat.rhsa:tst:20111851016
          • commentkrb5-devel is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070095015
        • AND
          • commentkrb5-server is earlier than 0:1.6.1-63.el5_7
            ovaloval:com.redhat.rhsa:tst:20111851018
          • commentkrb5-server is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20070095017
    rhsa
    idRHSA-2011:1851
    released2011-12-27
    severityCritical
    titleRHSA-2011:1851: krb5 security update (Critical)
  • bugzilla
    id770325
    titleCVE-2011-4862 krb5: telnet client and server encrypt_keyid heap-based buffer overflow
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • commentkrb5-appl-servers is earlier than 0:1.0.1-7.el6_2
            ovaloval:com.redhat.rhsa:tst:20111852001
          • commentkrb5-appl-servers is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110920004
        • AND
          • commentkrb5-appl-clients is earlier than 0:1.0.1-7.el6_2
            ovaloval:com.redhat.rhsa:tst:20111852003
          • commentkrb5-appl-clients is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110920002
    rhsa
    idRHSA-2011:1852
    released2011-12-27
    severityCritical
    titleRHSA-2011:1852: krb5-appl security update (Critical)
  • rhsa
    idRHSA-2011:1853
  • rhsa
    idRHSA-2011:1854
rpms
  • krb5-debuginfo-0:1.3.4-65.el4
  • krb5-debuginfo-0:1.6.1-63.el5_7
  • krb5-devel-0:1.3.4-65.el4
  • krb5-devel-0:1.6.1-63.el5_7
  • krb5-libs-0:1.3.4-65.el4
  • krb5-libs-0:1.6.1-63.el5_7
  • krb5-server-0:1.3.4-65.el4
  • krb5-server-0:1.6.1-63.el5_7
  • krb5-server-ldap-0:1.6.1-63.el5_7
  • krb5-workstation-0:1.3.4-65.el4
  • krb5-workstation-0:1.6.1-63.el5_7
  • krb5-appl-clients-0:1.0.1-7.el6_2
  • krb5-appl-debuginfo-0:1.0.1-7.el6_2
  • krb5-appl-servers-0:1.0.1-7.el6_2
  • krb5-debuginfo-0:1.2.7-73
  • krb5-debuginfo-0:1.6.1-31.el5_3.5
  • krb5-debuginfo-0:1.6.1-55.el5_6.3
  • krb5-devel-0:1.2.7-73
  • krb5-devel-0:1.6.1-31.el5_3.5
  • krb5-devel-0:1.6.1-55.el5_6.3
  • krb5-libs-0:1.2.7-73
  • krb5-libs-0:1.6.1-31.el5_3.5
  • krb5-libs-0:1.6.1-55.el5_6.3
  • krb5-server-0:1.2.7-73
  • krb5-server-0:1.6.1-31.el5_3.5
  • krb5-server-0:1.6.1-55.el5_6.3
  • krb5-server-ldap-0:1.6.1-55.el5_6.3
  • krb5-workstation-0:1.2.7-73
  • krb5-workstation-0:1.6.1-31.el5_3.5
  • krb5-workstation-0:1.6.1-55.el5_6.3
  • krb5-appl-clients-0:1.0.1-1.el6_0.1
  • krb5-appl-clients-0:1.0.1-2.el6_1.3
  • krb5-appl-debuginfo-0:1.0.1-1.el6_0.1
  • krb5-appl-debuginfo-0:1.0.1-2.el6_1.3
  • krb5-appl-servers-0:1.0.1-1.el6_0.1
  • krb5-appl-servers-0:1.0.1-2.el6_1.3

Saint

bid51182
descriptionTelnetd Encryption Key ID Code Execution
idshell_telnet_freebsd
osvdb78020
titletelnet_server_encrypt_keyid
typeremote

Seebug

bulletinFamilyexploit
descriptionBugtraq ID: 51182 CVE ID:CVE-2011-4862 FreeBSD是一款基于BSD的操作系统。 FreeBSD Telnet协议有一个对数据流进行加密的机制(但其加密性不强,不能在任何关键性安全应用上使用) 当通过TELNET协议提供加密密钥时,在拷贝密钥到固定缓冲区时没有对其长度进行校验,可触发缓冲区溢出。能连接telnetd守护程序的攻击者可以以守护进程上下文执行任意代码 0 Freebsd 9.0-STABLE Freebsd 9.0-RELEASE Freebsd 9.0-RC3 Freebsd 9.0-RC1 Freebsd 8.2-STABLE Freebsd 8.2-STABLE Freebsd 8.2-RELEASE-p2 Freebsd 8.2-RELEASE-p1 Freebsd 8.2 - RELEASE -p3 Freebsd 8.2 Freebsd 8.1-RELEASE-p5 Freebsd 8.1-RELEASE-p4 FreeBSD 8.1-RELEASE FreeBSD 8.1-PRERELEASE Freebsd 8.1 Freebsd 7.4-STABLE Freebsd 7.4-RELEASE-p2 Freebsd 7.4 -RELEASE-p3 Freebsd 7.4 FreeBSD 7.3-STABLE Freebsd 7.3-RELEASE-p6 FreeBSD 7.3-RELEASE-p1 Freebsd 7.3 - RELEASE - p7 Freebsd 7.3 厂商解决方案 ---- freebsd 用户可参考如下供应商提供的安全公告获得补丁: http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc
idSSV:26112
last seen2017-11-19
modified2011-12-26
published2011-12-26
reporterRoot
titleFreeBSD 'telnetd'守护进程远程缓冲区溢出漏洞

References