Bug 1811673 (CVE-2020-10188)

| Field | Value |
|---|---|
| Summary | CVE-2020-10188 telnet-server: no bounds checks in nextitem() function allows to remotely execute arbitrary code |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| Reporter | Pedro Sampaio <psampaio> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | carnil, luhliari, mruprich, msekleta, nalin, pkis, rharwood, rschiron, tvainio, yozone |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Doc Text | A vulnerability was found where incorrect bounds checks in the telnet server’s (telnetd) handling of short writes and urgent data, could lead to information disclosure and corruption of heap data. An unauthenticated remote attacker could exploit these bugs by sending specially crafted telnet packets to achieve arbitrary code execution in the telnet server. |
| Last Closed | 2020-04-06 10:32:19 UTC |
| Bug Depends On | 1814472, 1814473, 1814474, 1814475, 1814476, 1814478, 1814774, 1814775, 2027472, 2027473 |
| Bug Blocks | 1811678 |

Description
Pedro Sampaio
2020-03-09 14:14:20 UTC
Statement: This vulnerability exists in the `telnet-server` package, not in the `telnet` client-side package. For a Red Hat Enterprise Linux host to be vulnerable, it must have telnet-server installed and the telnetd service enabled. Use of telnetd is not recommended, as it is an un-encrypted protocol with cleartext transmission of passwords; alternatives such as openssh are preferred.

Created telnet tracking bugs for this issue: Affects: fedora-all [bug 1814478]

Function nextitem() in utility.c does not check the bounds of the current pointer before reading data, so it could read data that should not be read (e.g. bytes after the netobuf buffer or simply after the nbackp pointer, which indicates the first byte that needs to be sent to the client). This flaw can be used to trick nextitem() into reading escape characters carefully constructed by an attacker, allowing him to leak data and execute arbitrary code on the system.

As the flaw allows leaking memory bytes from the telnet server, it is possible to bypass protections such as ASLR/PIE.

Mitigation: When in enforcing mode, SELinux as configured in Red Hat Enterprise Linux provides some mitigation against an exploit for telnet-server, because it limits the kind of operations it can perform and programs that can be run from the telnet-server's context.

This flaw can be exploited by an unauthenticated remote attacker to execute code on the telnet server's machine.

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2020:1318 https://access.redhat.com/errata/RHSA-2020:1318

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10188

This issue has been addressed in the following products: Red Hat Enterprise Linux 6. Via RHSA-2020:1335 https://access.redhat.com/errata/RHSA-2020:1335

This issue has been addressed in the following products: Red Hat Enterprise Linux 7. Via RHSA-2020:1334 https://access.redhat.com/errata/RHSA-2020:1334

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Via RHSA-2020:1342 https://access.redhat.com/errata/RHSA-2020:1342

This issue has been addressed in the following products: Red Hat Enterprise Linux 6. Via RHSA-2020:1349 https://access.redhat.com/errata/RHSA-2020:1349

This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Advanced Update Support; Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 7.6 Telco Extended Update Support. Via RHSA-2022:0011 https://access.redhat.com/errata/RHSA-2022:0011

This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Advanced Update Support; Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions; Red Hat Enterprise Linux 7.7 Telco Extended Update Support. Via RHSA-2022:0158 https://access.redhat.com/errata/RHSA-2022:0158
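
The bounds checking that the description above says nextitem() lacks, shown as an added example that is not part of this bug report and is not telnetd's code: a telnet item scanner that takes an explicit end pointer and returns NULL instead of reading past it. The names `next_item_bounded` and `complete_prefix` and the sample bytes are assumptions made for illustration; the command values are those of RFC 854.

```c
#include <stddef.h>
#include <stdio.h>

/* Telnet command bytes (RFC 854). */
enum { SE = 240, SB = 250, WILL = 251, WONT = 252, DO = 253, DONT = 254, IAC = 255 };

/* Hypothetical helper, not telnetd's code: return a pointer just past the telnet
 * item starting at cur, or NULL when that item is not fully inside [cur, end). */
const unsigned char *next_item_bounded(const unsigned char *cur, const unsigned char *end)
{
    if (cur == NULL || end == NULL || cur >= end)
        return NULL;
    if (*cur != IAC)
        return cur + 1;                      /* ordinary data byte */
    if (end - cur < 2)
        return NULL;                         /* lone IAC at the end of the data */
    switch (cur[1]) {
    case DO: case DONT: case WILL: case WONT:
        return (end - cur >= 3) ? cur + 3 : NULL;   /* IAC, verb, option */
    case SB: {                               /* look for IAC SE, but only up to end */
        const unsigned char *look = cur + 2;
        while (end - look >= 2) {
            if (look[0] != IAC)
                look++;
            else if (look[1] == SE)
                return look + 2;
            else
                look += 2;                   /* IAC IAC (escaped 0xff) or another pair */
        }
        return NULL;                         /* unterminated subnegotiation */
    }
    default:
        return cur + 2;                      /* two-byte command */
    }
}

/* Number of leading bytes in buf[0..len) that form complete items. */
size_t complete_prefix(const unsigned char *buf, size_t len)
{
    const unsigned char *p = buf, *end = buf + len, *next;
    while ((next = next_item_bounded(p, end)) != NULL)
        p = next;
    return (size_t)(p - buf);
}

int main(void)
{
    /* Constructed sample: "hi", IAC DO 1, then a subnegotiation with no IAC SE. */
    const unsigned char sample[] = { 'h', 'i', IAC, DO, 1, IAC, SB, 24, 1 };
    printf("%zu of %zu bytes are complete items\n", complete_prefix(sample, sizeof sample), sizeof sample);
}
```

A caller that receives NULL stops at the last complete item and leaves the remaining bytes untouched until more data arrives.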