Vulnerabilities > CVE-2011-4862 - Classic Buffer Overflow vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE network
low complexity
gnu
heimdal-project
mit
freebsd
fedoraproject
debian
opensuse
suse
CWE-120
critical
nessus
exploit available
metasploit
Summary
Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
description FreeBSD Telnet Service Encryption Key ID Buffer Overflow. CVE-2011-4862. Remote exploit for bsd platform id EDB-ID:18369 last seen 2016-02-02 modified 2012-01-14 published 2012-01-14 reporter metasploit source https://www.exploit-db.com/download/18369/ title FreeBSD Telnet Service Encryption Key ID Buffer Overflow description Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow. CVE-2011-4862. Remote exploit for linux platform id EDB-ID:18368 last seen 2016-02-02 modified 2012-01-14 published 2012-01-14 reporter metasploit source https://www.exploit-db.com/download/18368/ title Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow description Telnetd encrypt_keyid - Remote Root Function Pointer Overwrite. CVE-2011-4862. Remote exploit for linux platform file exploits/linux/remote/18280.c id EDB-ID:18280 last seen 2016-02-02 modified 2011-12-26 platform linux port published 2011-12-26 reporter NighterMan and BatchDrake source https://www.exploit-db.com/download/18280/ title Telnetd encrypt_keyid - Remote Root Function Pointer Overwrite type remote
Metasploit
description Detect telnet services vulnerable to the encrypt option Key ID overflow (BSD-derived telnetd) id MSF:AUXILIARY/SCANNER/TELNET/TELNET_ENCRYPT_OVERFLOW last seen 2020-02-23 modified 2020-02-18 published 2011-12-27 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb title Telnet Service Encryption Key ID Overflow Detection description This module exploits a buffer overflow in the encryption option handler of the Linux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions use NetKit-derived telnet daemons, so this flaw only applies to a small subset of Linux systems running telnetd. id MSF:EXPLOIT/LINUX/TELNET/TELNET_ENCRYPT_KEYID last seen 2020-06-02 modified 2017-07-24 published 2011-12-28 references https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862 reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/telnet/telnet_encrypt_keyid.rb title Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow description This module exploits a buffer overflow in the encryption option handler of the FreeBSD telnet service. id MSF:EXPLOIT/FREEBSD/TELNET/TELNET_ENCRYPT_KEYID last seen 2020-06-10 modified 2017-07-24 published 2011-12-28 references https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862 reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb title FreeBSD Telnet Service Encryption Key ID Buffer Overflow
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2375.NASL description It was discovered that the encryption support for BSD telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to the Telnet port to execute arbitrary code with root privileges. last seen 2020-03-17 modified 2012-01-12 plugin id 57515 published 2012-01-12 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57515 title Debian DSA-2375-1 : krb5, krb5-appl - buffer overflow code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-2375. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(57515); script_version("1.13"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2011-4862"); script_xref(name:"DSA", value:"2375"); script_name(english:"Debian DSA-2375-1 : krb5, krb5-appl - buffer overflow"); script_summary(english:"Checks dpkg output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that the encryption support for BSD telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to the Telnet port to execute arbitrary code with root privileges." ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/squeeze/krb5-appl" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2011/dsa-2375" ); script_set_attribute( attribute:"solution", value: "Upgrade the krb5 and krb5-appl packages. For the oldstable distribution (lenny), this problem has been fixed in version 1.6.dfsg.4~beta1-5lenny7 of krb5. For the stable distribution (squeeze), this problem has been fixed in version 1:1.0.1-1.2 of krb5-appl." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760"); script_set_attribute(attribute:"exploit_framework_exploithub", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:krb5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:krb5-appl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0"); script_set_attribute(attribute:"patch_publication_date", value:"2011/12/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/12"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"5.0", prefix:"krb5", reference:"1.6.dfsg.4~beta1-5lenny7")) flag++; if (deb_check(release:"6.0", prefix:"krb5-clients", reference:"1:1.0.1-1.2")) flag++; if (deb_check(release:"6.0", prefix:"krb5-ftpd", reference:"1:1.0.1-1.2")) flag++; if (deb_check(release:"6.0", prefix:"krb5-rsh-server", reference:"1:1.0.1-1.2")) flag++; if (deb_check(release:"6.0", prefix:"krb5-telnetd", reference:"1:1.0.1-1.2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2011-1851.NASL description Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third- party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 57405 published 2011-12-28 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57405 title CentOS 4 / 5 : krb5 (CESA-2011:1851) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2011:1851 and # CentOS Errata and Security Advisory 2011:1851 respectively. # include("compat.inc"); if (description) { script_id(57405); script_version("1.12"); script_cvs_date("Date: 2019/10/25 13:36:06"); script_cve_id("CVE-2011-4862"); script_bugtraq_id(51182); script_xref(name:"RHSA", value:"2011:1851"); script_name(english:"CentOS 4 / 5 : krb5 (CESA-2011:1851)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third- party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue." ); # https://lists.centos.org/pipermail/centos-announce/2011-December/018359.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e44f57b9" ); # https://lists.centos.org/pipermail/centos-announce/2011-December/018360.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e476e566" ); script_set_attribute(attribute:"solution", value:"Update the affected krb5 packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760"); script_set_attribute(attribute:"exploit_framework_exploithub", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-server-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-workstation"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/24"); script_set_attribute(attribute:"patch_publication_date", value:"2011/12/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/28"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^(4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x / 5.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"krb5-devel-1.3.4-65.el4")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"krb5-devel-1.3.4-65.el4")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"krb5-libs-1.3.4-65.el4")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"krb5-libs-1.3.4-65.el4")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"krb5-server-1.3.4-65.el4")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"krb5-server-1.3.4-65.el4")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"krb5-workstation-1.3.4-65.el4")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"krb5-workstation-1.3.4-65.el4")) flag++; if (rpm_check(release:"CentOS-5", reference:"krb5-devel-1.6.1-63.el5_7")) flag++; if (rpm_check(release:"CentOS-5", reference:"krb5-libs-1.6.1-63.el5_7")) flag++; if (rpm_check(release:"CentOS-5", reference:"krb5-server-1.6.1-63.el5_7")) flag++; if (rpm_check(release:"CentOS-5", reference:"krb5-server-ldap-1.6.1-63.el5_7")) flag++; if (rpm_check(release:"CentOS-5", reference:"krb5-workstation-1.6.1-63.el5_7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-devel / krb5-libs / krb5-server / krb5-server-ldap / etc"); }NASL family Misc. NASL id VMWARE_VMSA-2012-0006_REMOTE.NASL description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - Kernel - krb5 telnet daemon last seen 2020-06-01 modified 2020-06-02 plugin id 89107 published 2016-03-03 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/89107 title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0006) (remote check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(89107); script_version("1.8"); script_cvs_date("Date: 2019/09/24 15:02:54"); script_cve_id( "CVE-2011-2482", "CVE-2011-3191", "CVE-2011-4348", "CVE-2011-4862", "CVE-2012-1515" ); script_bugtraq_id( 49295, 49373, 51182, 51363, 52820 ); script_xref(name:"VMSA", value:"2012-0006"); script_xref(name:"EDB-ID", value:"18280"); script_xref(name:"EDB-ID", value:"18368"); script_xref(name:"EDB-ID", value:"18369"); script_name(english:"VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0006) (remote check)"); script_summary(english:"Checks the remote ESX/ESXi host's version and build number."); script_set_attribute(attribute:"synopsis", value: "The remote VMware ESXi / ESX host is missing a security-related patch."); script_set_attribute(attribute:"description", value: "The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - Kernel - krb5 telnet daemon"); script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2012-0006.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760"); script_set_attribute(attribute:"exploit_framework_exploithub", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/23"); script_set_attribute(attribute:"patch_publication_date", value:"2012/03/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/03"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Misc."); script_dependencies("vmware_vsphere_detect.nbin"); script_require_keys("Host/VMware/version", "Host/VMware/release"); script_require_ports("Host/VMware/vsphere"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); ver = get_kb_item_or_exit("Host/VMware/version"); rel = get_kb_item_or_exit("Host/VMware/release"); port = get_kb_item_or_exit("Host/VMware/vsphere"); esx = "ESX/ESXi"; extract = eregmatch(pattern:"^(ESXi?) (\d\.\d).*$", string:ver); if (isnull(extract)) audit(AUDIT_UNKNOWN_APP_VER, esx); else { esx = extract[1]; ver = extract[2]; } product = "VMware " + esx; # fixed builds fixes = make_array( "ESX 3.5", 604481, "ESXi 3.5", 604481, "ESX 4.0", 660575, "ESXi 4.0", 660575, "ESX 4.1", 348481, "ESXi 4.1", 348481 ); key = esx + ' ' + ver; fix = NULL; fix = fixes[key]; bmatch = eregmatch(pattern:'^VMware ESXi?.*build-([0-9]+)$', string:rel); if (empty_or_null(bmatch)) audit(AUDIT_UNKNOWN_BUILD, product, ver); build = int(bmatch[1]); if (!fix) audit(AUDIT_INST_VER_NOT_VULN, product, ver, build); if (build < fix) { # properly spaced label if ("ESXi" >< esx) ver_label = ' version : '; else ver_label = ' version : '; report = '\n ' + esx + ver_label + ver + '\n Installed build : ' + build + '\n Fixed build : ' + fix + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_HOLE); } else audit(AUDIT_INST_VER_NOT_VULN, product, ver, build);NASL family SuSE Local Security Checks NASL id SUSE_KRB5-7899.NASL description This update of krb5 fixes two security issues. - A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.). (CVE-2011-4862) - / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems. (CVE-2011-1526) last seen 2020-06-01 modified 2020-06-02 plugin id 57431 published 2012-01-03 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57431 title SuSE 10 Security Update : Kerberos 5 (ZYPP Patch Number 7899) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(57431); script_version ("1.13"); script_cvs_date("Date: 2019/10/25 13:36:43"); script_cve_id("CVE-2011-1526", "CVE-2011-4862"); script_name(english:"SuSE 10 Security Update : Kerberos 5 (ZYPP Patch Number 7899)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "This update of krb5 fixes two security issues. - A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.). (CVE-2011-4862) - / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems. (CVE-2011-1526)" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1526.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-4862.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 7899."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760"); script_set_attribute(attribute:"exploit_framework_exploithub", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2011/12/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/03"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:4, reference:"krb5-1.4.3-19.49.49.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"krb5-client-1.4.3-19.49.49.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"krb5-devel-1.4.3-19.49.49.1")) flag++; if (rpm_check(release:"SLED10", sp:4, cpu:"x86_64", reference:"krb5-32bit-1.4.3-19.49.49.1")) flag++; if (rpm_check(release:"SLED10", sp:4, cpu:"x86_64", reference:"krb5-devel-32bit-1.4.3-19.49.49.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"krb5-1.4.3-19.49.49.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"krb5-apps-clients-1.4.3-19.49.49.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"krb5-apps-servers-1.4.3-19.49.49.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"krb5-client-1.4.3-19.49.49.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"krb5-devel-1.4.3-19.49.49.1")) flag++; if (rpm_check(release:"SLES10", sp:4, reference:"krb5-server-1.4.3-19.49.49.1")) flag++; if (rpm_check(release:"SLES10", sp:4, cpu:"x86_64", reference:"krb5-32bit-1.4.3-19.49.49.1")) flag++; if (rpm_check(release:"SLES10", sp:4, cpu:"x86_64", reference:"krb5-devel-32bit-1.4.3-19.49.49.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");NASL family SuSE Local Security Checks NASL id SUSE_11_KRB5-111229.NASL description This update of krb5 fixes two security issues. - A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.). (CVE-2011-4862) - / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems. (CVE-2011-1526) last seen 2020-06-01 modified 2020-06-02 plugin id 57430 published 2012-01-03 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57430 title SuSE 11.1 Security Update : Kerberos 5 (SAT Patch Number 5594) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(57430); script_version("1.16"); script_cvs_date("Date: 2019/10/25 13:36:42"); script_cve_id("CVE-2011-1526", "CVE-2011-4862"); script_name(english:"SuSE 11.1 Security Update : Kerberos 5 (SAT Patch Number 5594)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update of krb5 fixes two security issues. - A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.). (CVE-2011-4862) - / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems. (CVE-2011-1526)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=698471" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=738632" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1526.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-4862.html" ); script_set_attribute(attribute:"solution", value:"Apply SAT patch number 5594."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760"); script_set_attribute(attribute:"exploit_framework_exploithub", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:krb5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:krb5-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:krb5-apps-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:krb5-apps-servers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:krb5-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:krb5-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2011/12/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/03"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, "SuSE 11.1"); flag = 0; if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"krb5-1.6.3-133.48.48.1")) flag++; if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"krb5-client-1.6.3-133.48.48.1")) flag++; if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"krb5-1.6.3-133.48.48.1")) flag++; if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"krb5-32bit-1.6.3-133.48.48.1")) flag++; if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"krb5-client-1.6.3-133.48.48.1")) flag++; if (rpm_check(release:"SLES11", sp:1, reference:"krb5-1.6.3-133.48.48.1")) flag++; if (rpm_check(release:"SLES11", sp:1, reference:"krb5-apps-clients-1.6.3-133.48.48.1")) flag++; if (rpm_check(release:"SLES11", sp:1, reference:"krb5-apps-servers-1.6.3-133.48.48.1")) flag++; if (rpm_check(release:"SLES11", sp:1, reference:"krb5-client-1.6.3-133.48.48.1")) flag++; if (rpm_check(release:"SLES11", sp:1, reference:"krb5-server-1.6.3-133.48.48.1")) flag++; if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"krb5-32bit-1.6.3-133.48.48.1")) flag++; if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"krb5-32bit-1.6.3-133.48.48.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-1852.NASL description From Red Hat Security Advisory 2011:1852 : Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 68413 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68413 title Oracle Linux 6 : krb5-appl (ELSA-2011-1852) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2011:1852 and # Oracle Linux Security Advisory ELSA-2011-1852 respectively. # include("compat.inc"); if (description) { script_id(68413); script_version("1.9"); script_cvs_date("Date: 2019/10/25 13:36:09"); script_cve_id("CVE-2011-4862"); script_xref(name:"RHSA", value:"2011:1852"); script_name(english:"Oracle Linux 6 : krb5-appl (ELSA-2011-1852)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2011:1852 : Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2011-December/002538.html" ); script_set_attribute( attribute:"solution", value:"Update the affected krb5-appl packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760"); script_set_attribute(attribute:"exploit_framework_exploithub", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-appl-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-appl-servers"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/24"); script_set_attribute(attribute:"patch_publication_date", value:"2011/12/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL6", reference:"krb5-appl-clients-1.0.1-7.el6_2")) flag++; if (rpm_check(release:"EL6", reference:"krb5-appl-servers-1.0.1-7.el6_2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-appl-clients / krb5-appl-servers"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-1852.NASL description Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 57409 published 2011-12-28 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57409 title RHEL 6 : krb5-appl (RHSA-2011:1852) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2011:1852. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(57409); script_version ("1.20"); script_cvs_date("Date: 2019/10/25 13:36:16"); script_cve_id("CVE-2011-4862"); script_xref(name:"RHSA", value:"2011:1852"); script_name(english:"RHEL 6 : krb5-appl (RHSA-2011:1852)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2011-4862" ); script_set_attribute( attribute:"see_also", value:"http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2011:1852" ); script_set_attribute( attribute:"solution", value: "Update the affected krb5-appl-clients, krb5-appl-debuginfo and / or krb5-appl-servers packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploithub_sku", value:"EH-11-760"); script_set_attribute(attribute:"exploit_framework_exploithub", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-appl-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-appl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-appl-servers"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.2"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/24"); script_set_attribute(attribute:"patch_publication_date", value:"2011/12/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/28"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2011:1852"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"krb5-appl-clients-1.0.1-7.el6_2")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"krb5-appl-clients-1.0.1-7.el6_2")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"krb5-appl-clients-1.0.1-7.el6_2")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"krb5-appl-debuginfo-1.0.1-7.el6_2")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"krb5-appl-debuginfo-1.0.1-7.el6_2")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"krb5-appl-debuginfo-1.0.1-7.el6_2")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"krb5-appl-servers-1.0.1-7.el6_2")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"krb5-appl-servers-1.0.1-7.el6_2")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"krb5-appl-servers-1.0.1-7.el6_2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-appl-clients / krb5-appl-debuginfo / krb5-appl-servers"); } }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2372.NASL description It was discovered that the Kerberos support for telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to TELNET to execute arbitrary code with root privileges. last seen 2020-03-17 modified 2012-01-12 plugin id 57512 published 2012-01-12 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57512 title Debian DSA-2372-1 : heimdal - buffer overflow NASL family Solaris Local Security Checks NASL id SOLARIS11_TELNET_20120404.NASL description The remote Solaris system is missing necessary patches to address security updates : - Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011. (CVE-2011-4862) last seen 2020-06-01 modified 2020-06-02 plugin id 80781 published 2015-01-19 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/80781 title Oracle Solaris Third-Party Patch Update : telnet (cve_2011_4862_buffer_overflow) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201202-05.NASL description The remote host is affected by the vulnerability described in GLSA-201202-05 (Heimdal: Arbitrary code execution) A boundary error in the last seen 2020-06-01 modified 2020-06-02 plugin id 58101 published 2012-02-23 reporter This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/58101 title GLSA-201202-05 : Heimdal: Arbitrary code execution NASL family CISCO NASL id CISCO-SA-20120126-ESA.NASL description According to its self-reported version, the version of AsyncOS running on the remote Cisco Email Security Appliance (ESA) is affected by a remote code execution vulnerability due to a buffer overflow condition in the telnet component. last seen 2020-06-01 modified 2020-06-02 plugin id 79271 published 2014-11-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79271 title Cisco Email Security Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2011-195.NASL description A vulnerability has been discovered and corrected in krb5-appl, heimdal and netkit-telnet : An unauthenticated remote attacker can cause a buffer overflow and probably execute arbitrary code with the privileges of the telnet daemon (CVE-2011-4862). In Mandriva the telnetd daemon from the netkit-telnet-server package does not have an initscript to start and stop the service, however one could rather easily craft an initscript or start the service by other means rendering the system vulnerable to this issue. The updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 57412 published 2011-12-29 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57412 title Mandriva Linux Security Advisory : krb5-appl (MDVSA-2011:195) NASL family CISCO NASL id CISCO-SA-20120126-WSA.NASL description According to its self-reported version, the version of AsyncOS running on the remote Cisco Web Security Appliance (WSA) is affected by a remote code execution vulnerability due to a buffer overflow condition in the telnet component. last seen 2020-06-01 modified 2020-06-02 plugin id 79273 published 2014-11-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79273 title Cisco Web Security Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201201-14.NASL description The remote host is affected by the vulnerability described in GLSA-201201-14 (MIT Kerberos 5 Applications: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MIT Kerberos 5 Applications: An error in the FTP daemon prevents it from dropping its initial effective group identifier (CVE-2011-1526). A boundary error in the telnet daemon and client could cause a buffer overflow (CVE-2011-4862). Impact : An unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the user running the telnet daemon or client. Furthermore, an authenticated remote attacker may be able to read or write files owned by the same group as the effective group of the FTP daemon. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 57656 published 2012-01-24 reporter This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57656 title GLSA-201201-14 : MIT Kerberos 5 Applications: Multiple vulnerabilities NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-1853.NASL description Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 3 Extended Life Cycle Support, 5.3 Long Life and 5.6 Extended Update Support The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 64017 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64017 title RHEL 5 : krb5 (RHSA-2011:1853) NASL family SuSE Local Security Checks NASL id SUSE_11_4_KRB5-APPL-111229.NASL description This update of krb5 applications fixes two security issues. CVE-2011-4862: A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.) CVE-2011-1526 / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems. last seen 2020-06-01 modified 2020-06-02 plugin id 75886 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75886 title openSUSE Security Update : krb5-appl (openSUSE-SU-2012:0019-1) NASL family Fedora Local Security Checks NASL id FEDORA_2011-17492.NASL description This update incorporates the upstream patch to fix a buffer overflow in the Kerberos-aware telnet server. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 57442 published 2012-01-06 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57442 title Fedora 15 : krb5-appl-1.0.1-8.fc15 (2011-17492) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-1851.NASL description From Red Hat Security Advisory 2011:1851 : Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third- party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 68412 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68412 title Oracle Linux 4 / 5 : krb5 (ELSA-2011-1851) NASL family Fedora Local Security Checks NASL id FEDORA_2011-17493.NASL description This update incorporates the upstream patch to fix a buffer overflow in the Kerberos-aware telnet server. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 57443 published 2012-01-06 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57443 title Fedora 16 : krb5-appl-1.0.2-2.fc16 (2011-17493) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-1854.NASL description Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6.0 and 6.1 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 64018 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64018 title RHEL 6 : krb5-appl (RHSA-2011:1854) NASL family CISCO NASL id CISCO-SA-20120126-SMA.NASL description According to its self-reported version, the version of AsyncOS running on the remote Cisco Content Security Management Appliance (SMA) is affected by a remote code execution vulnerability due to a buffer overflow condition in the telnet component. last seen 2020-06-01 modified 2020-06-02 plugin id 79272 published 2014-11-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79272 title Cisco Content Security Management Appliance Telnet Remote Code Execution (cisco-sa-20120126-ironport) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_4DDC78DC300A11E1A2AA0016CE01E285.NASL description The MIT Kerberos Team reports : When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. Also see MITKRB5-SA-2011-008. last seen 2020-06-01 modified 2020-06-02 plugin id 57403 published 2011-12-27 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57403 title FreeBSD : krb5-appl -- telnetd code execution vulnerability (4ddc78dc-300a-11e1-a2aa-0016ce01e285) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2012-0006.NASL description a. VMware ROM Overwrite Privilege Escalation A flaw in the way port-based I/O is handled allows for modifying Read-Only Memory that belongs to the Virtual DOS Machine. Exploitation of this issue may lead to privilege escalation on Guest Operating Systems that run Windows 2000, Windows XP 32-bit, Windows Server 2003 32-bit or Windows Server 2003 R2 32-bit. VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1515 to this issue. b. ESX third-party update for Service Console kernel The ESX Service Console Operating System (COS) kernel is updated to kernel-400.2.6.18-238.4.11.591731 to fix multiple security issues in the COS kernel. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-2482, CVE-2011-3191 and CVE-2011-4348 to these issues. c. ESX third-party update for Service Console krb5 RPM This patch updates the krb5-libs and krb5-workstation RPMs to version 1.6.1-63.el5_7 to resolve a security issue. By default, the affected krb5-telnet and ekrb5-telnet services do not run. The krb5 telnet daemon is an xinetd service. You can run the following commands to check if krb5 telnetd is enabled : /sbin/chkconfig --list krb5-telnet /sbin/chkconfig --list ekrb5-telnet The output of these commands displays if krb5 telnet is enabled. You can run the following commands to disable krb5 telnet daemon : /sbin/chkconfig krb5-telnet off /sbin/chkconfig ekrb5-telnet off The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-4862 to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 58535 published 2012-03-30 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/58535 title VMSA-2012-0006 : VMware Workstation, ESXi, and ESX address several security issues NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2011-1852.NASL description Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 57406 published 2011-12-28 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57406 title CentOS 6 : krb5-appl (CESA-2011:1852) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2011-0015.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - Fix for (CVE-2011-4862) - incorporate a fix to teach the file labeling bits about when replay caches are expunged (#712453) - rebuild - ftp: handle larger command inputs (#665833) - don last seen 2020-06-01 modified 2020-06-02 plugin id 79475 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79475 title OracleVM 2.2 : krb5 (OVMSA-2011-0015) NASL family SuSE Local Security Checks NASL id SUSE_11_3_KRB5-APPL-111229.NASL description This update of krb5 applications fixes two security issues. CVE-2011-4862: A remote code execution in the kerberized telnet daemon was fixed. (This only affects the ktelnetd from the krb5-appl RPM, not the regular telnetd supplied by SUSE.) CVE-2011-1526 / MITKRB5-SA-2011-005: Fixed krb5 ftpd unauthorized file access problems. last seen 2020-06-01 modified 2020-06-02 plugin id 75564 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75564 title openSUSE Security Update : krb5-appl (openSUSE-SU-2012:0019-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-1851.NASL description Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third- party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 57408 published 2011-12-28 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57408 title RHEL 4 / 5 : krb5 (RHSA-2011:1851) NASL family Scientific Linux Local Security Checks NASL id SL_20111227_KRB5_APPL_ON_SL6_X.NASL description The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Scientific Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-appl-server users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 61213 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61213 title Scientific Linux Security Update : krb5-appl on SL6.x i386/x86_64 NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2373.NASL description It was discovered that the Kerberos support for telnetd contains a pre-authentication buffer overflow, which may enable remote attackers who can connect to TELNET to execute arbitrary code with root privileges. last seen 2020-03-17 modified 2012-01-12 plugin id 57513 published 2012-01-12 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57513 title Debian DSA-2373-1 : inetutils - buffer overflow NASL family Scientific Linux Local Security Checks NASL id SL_20111227_KRB5_ON_SL4_X.NASL description Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third- party, the Key Distribution Center (KDC). A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could use this flaw to execute arbitrary code as root. (CVE-2011-4862) Note that the krb5 telnet daemon is not enabled by default in any version of Scientific Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have installed the krb5-workstation package, have enabled the telnet daemon, and have it accessible remotely, this update should be applied immediately. All krb5-workstation users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 61214 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61214 title Scientific Linux Security Update : krb5 on SL4.x, SL5.x i386/x86_64 NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-17.NASL description - Fixed a remote code execution in ktelnetd (CVE-2011-4862 / bnc#738632) last seen 2020-06-05 modified 2014-06-13 plugin id 74578 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74578 title openSUSE Security Update : krb5-appl (openSUSE-2012-17)
Packetstorm
data source https://packetstormsecurity.com/files/download/108199/linux-telnet-telnet_encrypt_keyid.rb.txt id PACKETSTORM:108199 last seen 2016-12-05 published 2011-12-28 reporter metasploit.com source https://packetstormsecurity.com/files/108199/Linux-BSD-derived-Telnet-Service-Encyption-Key-ID-Buffer-Overflow.html title Linux BSD-derived Telnet Service Encyption Key ID Buffer Overflow data source https://packetstormsecurity.com/files/download/108539/telnet_encrypt_keyid_bruteforce.rb.txt id PACKETSTORM:108539 last seen 2016-12-05 published 2012-01-11 reporter metasploit.com source https://packetstormsecurity.com/files/108539/FreeBSD-based-telnetd-encrypt_key_id-brute-force.html title FreeBSD based telnetd encrypt_key_id brute force data source https://packetstormsecurity.com/files/download/108694/freebsdtelnetd.py.txt id PACKETSTORM:108694 last seen 2016-12-05 published 2012-01-16 reporter knull source https://packetstormsecurity.com/files/108694/FreeBSD-telnetd-Remote-Root.html title FreeBSD telnetd Remote Root data source https://packetstormsecurity.com/files/download/108198/freebsd-telnet-telnet_encrypt_keyid.rb.txt id PACKETSTORM:108198 last seen 2016-12-05 published 2011-12-28 reporter metasploit.com source https://packetstormsecurity.com/files/108198/FreeBSD-Telnet-Service-Encyption-Key-ID-Buffer-Overflow.html title FreeBSD Telnet Service Encyption Key ID Buffer Overflow
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Saint
| bid | 51182 |
| description | Telnetd Encryption Key ID Code Execution |
| id | shell_telnet_freebsd |
| osvdb | 78020 |
| title | telnet_server_encrypt_keyid |
| type | remote |
Seebug
| bulletinFamily | exploit |
| description | Bugtraq ID: 51182 CVE ID:CVE-2011-4862 FreeBSD是一款基于BSD的操作系统。 FreeBSD Telnet协议有一个对数据流进行加密的机制(但其加密性不强,不能在任何关键性安全应用上使用) 当通过TELNET协议提供加密密钥时,在拷贝密钥到固定缓冲区时没有对其长度进行校验,可触发缓冲区溢出。能连接telnetd守护程序的攻击者可以以守护进程上下文执行任意代码 0 Freebsd 9.0-STABLE Freebsd 9.0-RELEASE Freebsd 9.0-RC3 Freebsd 9.0-RC1 Freebsd 8.2-STABLE Freebsd 8.2-STABLE Freebsd 8.2-RELEASE-p2 Freebsd 8.2-RELEASE-p1 Freebsd 8.2 - RELEASE -p3 Freebsd 8.2 Freebsd 8.1-RELEASE-p5 Freebsd 8.1-RELEASE-p4 FreeBSD 8.1-RELEASE FreeBSD 8.1-PRERELEASE Freebsd 8.1 Freebsd 7.4-STABLE Freebsd 7.4-RELEASE-p2 Freebsd 7.4 -RELEASE-p3 Freebsd 7.4 FreeBSD 7.3-STABLE Freebsd 7.3-RELEASE-p6 FreeBSD 7.3-RELEASE-p1 Freebsd 7.3 - RELEASE - p7 Freebsd 7.3 厂商解决方案 ---- freebsd 用户可参考如下供应商提供的安全公告获得补丁: http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc |
| id | SSV:26112 |
| last seen | 2017-11-19 |
| modified | 2011-12-26 |
| published | 2011-12-26 |
| reporter | Root |
| title | FreeBSD 'telnetd'守护进程远程缓冲区溢出漏洞 |
References
- http://archives.neohapsis.com/archives/bugtraq/2011-12/0172.html
- http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=665f1e73cdd9b38e2d2e11b8db9958a315935592
- http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071627.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071640.html
- http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006117.html
- http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006118.html
- http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006119.html
- http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006120.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00015.html
- http://osvdb.org/78020
- http://secunia.com/advisories/46239
- http://secunia.com/advisories/47341
- http://secunia.com/advisories/47348
- http://secunia.com/advisories/47357
- http://secunia.com/advisories/47359
- http://secunia.com/advisories/47373
- http://secunia.com/advisories/47374
- http://secunia.com/advisories/47397
- http://secunia.com/advisories/47399
- http://secunia.com/advisories/47441
- http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc
- http://security.freebsd.org/patches/SA-11:08/telnetd.patch
- http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-008.txt
- http://www.debian.org/security/2011/dsa-2372
- http://www.debian.org/security/2011/dsa-2373
- http://www.debian.org/security/2011/dsa-2375
- http://www.exploit-db.com/exploits/18280/
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:195
- http://www.redhat.com/support/errata/RHSA-2011-1851.html
- http://www.redhat.com/support/errata/RHSA-2011-1852.html
- http://www.redhat.com/support/errata/RHSA-2011-1853.html
- http://www.redhat.com/support/errata/RHSA-2011-1854.html
- http://www.securitytracker.com/id?1026460
- http://www.securitytracker.com/id?1026463
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71970