______________________________________________________________________________
                   Caldera Systems, Inc.  Security Advisory

Subject:                Security problem in telnetd
Advisory number:        CSSA-2000-008.0
Issue date:             2000 March, 13
Cross reference:
______________________________________________________________________________


1. Problem Description

   The telnet daemon from the Linux netkit supports a command line
   option -L that lets the administrator specify a login program
   other than /bin/login.

   An unintended interaction with some other piece of code in telnetd
   has the effect that the memory location holding the name is
   overwritten with information obtained from the client host.

   This bug can be abused by an attacker to bypass authentication
   completely. However, in almost all cases, this will just cause
   telnetd to not work at all, which makes it unlikely that this
   feature has been used widely.

   If you have installed the netkit-telnet RPM as shipped by Caldera,
   you are not vulnerable because the default configuration does not
   use the -L flag.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        All packages previous to netkit-telnet-0.16
   OpenLinux eServer 2.3        All packages previous to netkit-telnet-0.16

3. Solution

   We urge our customers to verify whether their configuration is
   secure. Using the following command

        grep ^telnet /etc/inetd.conf

   should either yield no output at all (meaning that telnet service
   is disabled on your machine) or

        telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

   If neither of these is the case, you can fix the configuration
   using the following command:

        lisa --inetd install telnet stream tcp nowait root \
                /usr/sbin/tcpd in.telnetd

   The proper solution is to upgrade to the fixed packages.

4. OpenLinux Desktop 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/openlinux/updates/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderaystems.com/pub/openlinux/updates/2.3/current/SRPMS

   4.2 Verification

       5320b50c2c694edcb899021f279a6fb9  RPMS/netkit-telnet-0.16-1.i386.rpm
       8e4edd9c49a1ef7c4de467150609a9e3  SRPMS/netkit-telnet-0.16-1.src.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

        rpm -F netkit-telnet-0.16-1.i386.rpm

5. OpenLinux eServer 2.3

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/eServer/updates/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderaystems.com/pub/eServer/updates/2.3/current/SRPMS

   5.2 Verification

       d9e66b4d9cf37551b8e6bbb6003d76bf  RPMS/netkit-telnet-0.16-1.i386.rpm
       fe6df64c3a20c0bcebe65143d766ddc0  SRPMS/netkit-telnet-0.16-1.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

        rpm -F netkit-telnet-0.16-1.i386.rpm

6. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

7. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of
   the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera
   OpenLinux.

8. Credits

   Caldera Systems wishes to thank netkit maintainer David Holland
   for reporting the problem.
______________________________________________________________________________
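
The configuration check from section 3 as a script, added here as an example that is not part of Caldera's advisory: it classifies the telnet entries of an inetd.conf-style file and flags in.telnetd started with -L. The function name, the verdict strings and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Caldera advisory.
# check_telnet_entry [FILE] prints one verdict for the telnet service in an
# inetd.conf-style file (FILE "-" reads standard input):
#   disabled        no active telnet line (the empty grep result)
#   expected        every active line equals the entry shown in section 3
#   login-override  in.telnetd is started with -L, the affected option
#   review          active, but differs from the entry shown in section 3
check_telnet_entry() {
    f=${1:-/etc/inetd.conf}
    if [ "$f" != - ] && [ ! -r "$f" ]; then
        echo "unreadable"
        return 2
    fi
    awk -v good="telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd" '
        $1 != "telnet" { next }   # blank lines, "#" comments, other services
        {
            active = 1
            # Fields 1-6 are service, socket, protocol, wait, user, server;
            # field 7 onward is the argv handed to the server program.
            for (i = 7; i <= NF; i++)
                if ($i ~ /^-L/) override = 1   # "-L prog" or "-Lprog"
            $1 = $1                            # collapse blanks and tabs
            if ($0 != good) other = 1
        }
        END {
            if (!active)       print "disabled"
            else if (override) print "login-override"
            else if (other)    print "review"
            else               print "expected"
        }
    ' "$f"
}

# Constructed sample, not taken from a real host; the login path is made up.
printf '%s\n' \
    '#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd' \
    'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -L /opt/example/login' |
    check_telnet_entry -
```

Unlike the advisory's grep, the script matches the service name exactly and ignores leading whitespace, so a "review" verdict still calls for comparing the line by hand with the entry in section 3.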