SuSE: nkitb/nkitserv/telnetd vulnerabilities

posted onSeptember 4, 2001
by hitbsecnews

The telnet server which is shipped with SuSE distributions contains a remotely exploitable buffer-overflow within its telnet option negotiation code. This bug is wide-spread on UN*X systems and affects almost all implementations of telnet daemons available.

L33tdawg: I've attached the advisory in the read more.

SuSE Security Announcement

Package: nkitb/nkitserv/telnetd
Announcement-ID: SuSE-SA:2001:029
Date: Mon Sep 3 12:55:58 MEST 2001
Affected SuSE versions: [6.1, 6.2,] 6.3, 6.4, 7.0, 7.1, 7.2
Vulnerability Type: remote code execution
Severity (1-10): 8
SuSE default package: yes
Other affected systems: All UN*X Systems shipping BSD derived telnetd

Content of this advisory:
1) security vulnerability resolved: Buffer overflow in in.telnetd
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

The telnet server which is shipped with SuSE distributions contains a
remotely exploitable buffer-overflow within its telnet option
negotiation code.
This bug is wide-spread on UN*X systems and affects almost
all implementations of telnet daemons available.
SuSE 7.2 distribution ships the telnet-server package which
contains the vulnerable telnet daemon. This package has been fixed.

The SuSE Linux distributions 6.3 and 6.4 contain versions and
implementations of the telnet-daemon that are vulnerable, but the
complexity of the code requires a full source code audit of the
software. In order not to further delay the release of the packages
for the SuSE Linux 7.x distributions, we recommend to disable the
telnet daemon on the 6.x distributions. This can be done by
commenting out the line in /etc/inetd.conf that starts with
"telnet", and then reloading the inetd configuration using the
command "killall -1 inetd". Another option is to not start the inetd
in the first place if you do not need any of the services provided
by the inetd daemon. Disabling inetd permanently involves killing
the running inetd process ("killall -TERM inetd") and setting the
variable START_INETD in /etc/rc.config to "no" (as opposed to
"yes").
Disabling the telnet service is the preliminary solution/workaround
against the problems with the telnetd daemon. We hope to be able to
provide a better solution.

The SuSE Linux distributions 7.0, 7.1 and 7.2 have similar
implementations of in.telnetd, and for all of these distributions
there are update packages available. Please note that the package
that contains the /usr/sbin/in.telnetd program (the server
program) has changed over the different releases of the SuSE Linux
distribution. In the 7.0 and 7.1 distributions the package is called
"nkitserv". The 7.2 distribution lists the telnet server in the
package "telnet-server".

Please download the packages and verify them as described in section 3.
After successfull authentication you can update your packages with
the command `rpm -Uhv file.rpm'.
Further action should not be necessary to activate the update since
the in.telnetd daemon is started from a new by inetd upon every
accepted connection from the network.

Regardless of the availiability of fixed packages of the
telnet-daemon, SuSE Security strongly recommend to disable the
telnet service if you do not use it. In addition to that, only
cryptographically protected protocols such as secure shell (ssh,
package openssh) can be an efficient countermeasure against sniffing
and spoofing type attacks. Due to significantly more comfort (such
as X11-forwarding, multiple authentication methods, ...), the
transition to ssh should be worth the effort in any case.

i386 Intel Platform:

SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/telnet-server-1.0-69.i386.rpm
0adc05af9762bd4c63eee464ca3131d1
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/telnet-1.0-69.src.rpm
fe313553d1a6f022c7eb2f87ccd6772f

SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n1/nkitserv-2001.8.14-0.i386.rpm
e0636eec04ccf2129b0e2ea0ee40c231
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/nkitb-2001.8.14-0.src.rpm
57760fcd8e064e89591203f7ba9adefc

SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/nkitserv-2001.8.16-0.i386.rpm
e8a859d5a648a572fc08628247c1e2d6
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/nkitb-2001.8.16-0.src.rpm
33d4abc52926ac957f21b8c8aae7adce

Sparc Platform:

SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n1/nkitserv-2001.8.14-0.sparc.rpm
3ef64d1cae35be51c9eff9bebcf4cf79
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/nkitb-2001.8.14-0.src.rpm
4cb76a16bd2f53c37a7cee728ea21c81

SuSE-7.0
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/nkitserv-2001.8.16-0.sparc.rpm
f4901a4a271657d0379aff114d30b912
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/nkitb-2001.8.16-0.src.rpm
ad909d8e3d2d0a617a5a9f6e3d7cd74d

AXP Alpha Platform:

SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/n1/nkitserv-2001.8.14-0.alpha.rpm
efad3412a8d333947bcf74695c023ea8
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/nkitb-2001.8.14-0.src.rpm
94d0dba0396e41b4afbd3ef61c4fd8aa

SuSE-7.0
ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/nkitserv-2001.8.16-0.alpha.rpm
934525486e72a5cc98736f4cb1217f93
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/nkitb-2001.8.16-0.src.rpm
a6623ff6d9439dea40f24ff35acefe99

Power PC Platform:

SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n1/nkitserv-2001.8.14-0.ppc.rpm
4da51d1a38095e81ee389094b0f21160
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/nkitb-2001.8.14-0.src.rpm
499b282f614835fe7a7b1a9ab039c56d

SuSE-7.0
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/nkitserv-2001.8.16-0.ppc.rpm
262f3fc3653042976c8cc36a2cd7e44d
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/nkitb-2001.8.16-0.src.rpm
7cba8393bb8a71cf4d39fb480a71b42e

______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

- w3m

The w3m browser contains a buffer-overflow which allows remote-attackers
to execute arbitrary code or to crash the w3m web-client when viewing
special crafted sites. Please update to the newest w3m packages available
on the ftp-server.

- dip

The dip program is executable as setuid root program for users in the
"dialout" group, a privilege that has been issued by the administrator for
a trusted user group. This bug will be corrected in future releases of the
SuSE Linux distribution.

______________________________________________________________________________

3) standard appendix: authenticity verification, additional information

- Package authenticity verification:

SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.

1) execute the command
md5sum
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security@suse.de),
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.

2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig
to verify the signature of the package, where is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build@suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

- SuSE runs two security mailing lists to which any interested party may
subscribe:

suse-security@suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
.

suse-security-announce@suse.com
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
.

For general information or the frequently asked questions (faq)
send mail to:
or
respectively.

===================================================
SuSE's security contact is .
The public key is listed below.
===================================================
______________________________________________________________________________

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key

Source

Tags

Networking

You May Also Like

Other Articles In This Section

Recent News

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes
Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
Apple integrates ChatGPT into Siri, iOS, and macOS
British police to scan 480,000 Formula 1 fans’ faces at Silverstone
Hackers steal “significant volume” of data from hundreds of Snowflake customers

Friday, June 7th

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
FCC pushes ISPs to fix security flaws in Internet routing
Can a technology called RAG keep AI models from making stuff up?
How to Lead an Army of Digital Sleuths in the Age of AI

Thursday, June 6th

Mystery object waits nearly an hour between radio bursts
Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
Ex-Microsoft security expert torches Windows' new 'Recall' feature
The Age of the Drone Police Is Here

Wednesday, June 5th

Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
TikTok Hack Targets ‘High-Profile’ Users via DMs