Bug 1811673 (CVE-2020-10188)

Summary: CVE-2020-10188 telnet-server: no bounds checks in nextitem() function allows to remotely execute arbitrary code
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: carnil, luhliari, mruprich, msekleta, nalin, pkis, rharwood, rschiron, tvainio, yozone
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A vulnerability was found where incorrect bounds checks in the telnet server's (telnetd) handling of short writes and urgent data could lead to information disclosure and corruption of heap data. An unauthenticated remote attacker could exploit these bugs by sending specially crafted telnet packets to achieve arbitrary code execution in the telnet server.
Last Closed: 2020-04-06 10:32:19 UTC
Bug Depends On: 1814472, 1814473, 1814474, 1814475, 1814476, 1814478, 1814774, 1814775, 2027472, 2027473
Bug Blocks: 1811678

Description Pedro Sampaio 2020-03-09 14:14:20 UTC
utility.c in telnetd in netkit telnet through 0.17 allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions.

Comment 2 Doran Moppert 2020-03-18 01:20:43 UTC
Statement:

This vulnerability exists in the `telnet-server` package, not in the `telnet` client-side package. For a Red Hat Enterprise Linux host to be vulnerable, it must have telnet-server installed and the telnetd service enabled. Use of telnetd is not recommended, as it is an unencrypted protocol with cleartext transmission of passwords; alternatives such as openssh are preferred.

Comment 4 Doran Moppert 2020-03-18 01:25:51 UTC
Created telnet tracking bugs for this issue:

Affects: fedora-all [bug 1814478]

Comment 13 Riccardo Schirone 2020-03-19 18:30:28 UTC
Function nextitem() in utility.c does not check the bounds of the current pointer before reading data, so it could read data that should not be read (e.g. bytes after the netobuf buffer or simply after the nbackp pointer, which indicates the first byte that needs to be sent to the client). This flaw can be used to trick nextitem() into reading escape characters carefully constructed by an attacker, allowing him to leak data and execute arbitrary code on the system. As the flaw allows memory bytes to be leaked from the telnet server, it is possible to bypass protections such as ASLR/PIE.
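
The bounds check Comment 13 describes as missing is the kind a reviewer would look for in any scanner that walks a telnet output buffer for IAC sequences. The following is an added example, not netkit's utility.c and not code from this bug report: a simplified, bounds-checked nextitem()-style scanner that takes an explicit end pointer and reports an incomplete item instead of reading past it. The command values are the standard RFC 854 ones; the function names nextitem_bounded() and count_items() and the sample buffers are constructed for this illustration.

```c
/* Added example modelled on the nextitem()/netobuf pattern from Comment 13.
 * Not netkit's code: nextitem_bounded(), count_items() and the SAMPLE_*
 * buffers are assumptions made for this illustration. */
#include <stddef.h>
#include <stdio.h>

/* Telnet command bytes from RFC 854 */
#define IAC  255
#define DONT 254
#define DO   253
#define WONT 252
#define WILL 251
#define SB   250
#define SE   240

/*
 * Return a pointer just past the telnet item starting at `cur`, or NULL
 * if the item is not complete within [cur, end). Every read is guarded
 * by `end`; an unchecked scanner would keep walking past the valid data
 * while looking for IAC SE, which is the flaw class the comment describes.
 */
static const unsigned char *
nextitem_bounded(const unsigned char *cur, const unsigned char *end)
{
    if (cur >= end)
        return NULL;
    if (*cur != IAC)
        return cur + 1;                 /* plain data byte */
    if (cur + 1 >= end)
        return NULL;                    /* lone IAC at end of data */

    switch (cur[1]) {
    case DO: case DONT: case WILL: case WONT:
        /* IAC <cmd> <option>: exactly three bytes */
        return (cur + 3 <= end) ? cur + 3 : NULL;
    case SB: {
        /* IAC SB ... IAC SE: look for the terminator, never past end */
        const unsigned char *p = cur + 2;
        while (p + 1 < end) {
            if (p[0] == IAC) {
                if (p[1] == SE)
                    return p + 2;
                p += 2;                 /* IAC <x>: escaped byte, skip both */
            } else {
                p++;
            }
        }
        return NULL;                    /* unterminated subnegotiation */
    }
    default:
        /* IAC <cmd> with no argument (IAC IAC, NOP, EC, EL, ...) */
        return cur + 2;
    }
}

/* Count complete items in buf[0..len); return -1 if a truncated item is
 * found, so a caller in the role of netclear() can refuse partial data. */
int count_items(const unsigned char *buf, size_t len)
{
    const unsigned char *cur = buf, *end = buf + len;
    int n = 0;
    while (cur < end) {
        const unsigned char *next = nextitem_bounded(cur, end);
        if (next == NULL)
            return -1;
        cur = next;
        n++;
    }
    return n;
}

/* Constructed sample buffers (not captured traffic). */
const unsigned char SAMPLE_OK[] = {
    'h', 'i', IAC, WILL, 1, IAC, SB, 24, 'x', IAC, SE, IAC, DO, 3 };
const unsigned char SAMPLE_TRUNC_SB[]  = { 'a', IAC, SB, 24, 'x', IAC };
const unsigned char SAMPLE_TRUNC_DO[]  = { 'a', IAC, DO };
const unsigned char SAMPLE_LONE_IAC[]  = { IAC };
const unsigned char SAMPLE_ESCAPED[]   = { IAC, IAC };

int main(void)
{
    printf("well-formed: %d\n", count_items(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("truncated SB: %d\n", count_items(SAMPLE_TRUNC_SB, sizeof SAMPLE_TRUNC_SB));
    printf("truncated DO: %d\n", count_items(SAMPLE_TRUNC_DO, sizeof SAMPLE_TRUNC_DO));
    return 0;
}
```

The well-formed buffer yields five items (two data bytes, IAC WILL, one subnegotiation, IAC DO); each truncated buffer yields -1 rather than a read beyond the supplied length, which is the behaviour a caller such as netclear() needs when nbackp marks the end of valid data.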

Comment 14 Riccardo Schirone 2020-03-20 14:41:34 UTC
Mitigation:

When in enforcing mode, SELinux as configured in Red Hat Enterprise Linux provides some mitigation against an exploit for telnet-server, because it limits the kind of operations it can perform and programs that can be run from the telnet-server's context.

Comment 28 Riccardo Schirone 2020-03-27 11:22:40 UTC
This flaw can be exploited by an unauthenticated remote attacker to execute code on the telnet server's machine.

Comment 29 errata-xmlrpc 2020-04-06 08:24:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1318 https://access.redhat.com/errata/RHSA-2020:1318

Comment 30 Product Security DevOps Team 2020-04-06 10:32:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10188

Comment 31 errata-xmlrpc 2020-04-06 15:29:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1335 https://access.redhat.com/errata/RHSA-2020:1335

Comment 32 errata-xmlrpc 2020-04-06 16:00:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1334 https://access.redhat.com/errata/RHSA-2020:1334

Comment 33 errata-xmlrpc 2020-04-07 07:38:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1342 https://access.redhat.com/errata/RHSA-2020:1342

Comment 34 errata-xmlrpc 2020-04-07 10:38:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1349 https://access.redhat.com/errata/RHSA-2020:1349

Comment 36 errata-xmlrpc 2022-01-04 08:32:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:0011 https://access.redhat.com/errata/RHSA-2022:0011

Comment 37 errata-xmlrpc 2022-01-18 09:09:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:0158 https://access.redhat.com/errata/RHSA-2022:0158