Bug 1811673 (CVE-2020-10188) - CVE-2020-10188 telnet-server: no bounds checks in nextitem() function allows to remotely execute arbitrary code
Summary: CVE-2020-10188 telnet-server: no bounds checks in nextitem() function allows ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10188
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1814472 1814473 1814474 1814475 1814476 1814478 1814774 1814775
Blocks: 1811678
TreeView+ depends on / blocked
 
Reported: 2020-03-09 14:14 UTC by Pedro Sampaio
Modified: 2020-05-22 08:06 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found where incorrect bounds checks in the telnet server’s (telnetd) handling of short writes and urgent data, could lead to information disclosure and corruption of heap data. An unauthenticated remote attacker could exploit these bugs by sending specially crafted telnet packets to achieve arbitrary code execution in the telnet server.
Clone Of:
Environment:
Last Closed: 2020-04-06 10:32:19 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1318 None None None 2020-04-06 08:24:35 UTC
Red Hat Product Errata RHSA-2020:1334 None None None 2020-04-06 16:00:41 UTC
Red Hat Product Errata RHSA-2020:1335 None None None 2020-04-06 15:29:19 UTC
Red Hat Product Errata RHSA-2020:1342 None None None 2020-04-07 07:38:32 UTC
Red Hat Product Errata RHSA-2020:1349 None None None 2020-04-07 10:38:27 UTC

Description Pedro Sampaio 2020-03-09 14:14:20 UTC
utility.c in telnetd in netkit telnet through 0.17 allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions.

Comment 2 Doran Moppert 2020-03-18 01:20:43 UTC
Statement:

This vulnerability exists in the `telnet-server` package, not in the `telnet` client-side package. For a Red Hat Enterprise Linux host to be vulnerable, it must have telnet-server installed and the telnetd service enabled.  Use of telnetd is not recommended, as it is an un-encrypted protocol with cleartext transmission of passwords; alternatives such as openssh are preferred.

Comment 4 Doran Moppert 2020-03-18 01:25:51 UTC
Created telnet tracking bugs for this issue:

Affects: fedora-all [bug 1814478]

Comment 13 Riccardo Schirone 2020-03-19 18:30:28 UTC
Function nextitem() in utility.c does not check the bounds of the current pointer before reading data, so it could read data that should not be read (e.g. bytes after the netobuf buffer or simply after the nbackp pointer, which indicates the first byte that needs to be sent to the client). This flaw can be used to trick nextitem() into reading escape characters carefully constructed by an attacker, allowing him to leak data and execute arbitrary code on the system. As the flaw allows to leak memory bytes from the telnet server it is possible to bypass protections as ASLR/PIE.

Comment 14 Riccardo Schirone 2020-03-20 14:41:34 UTC
Mitigation:

When in enforcing mode, SELinux as configured in Red Hat Enterprise Linux provides some mitigation against an exploit for telnet-server, because it limits the kind of operations it can perform and programs that can be run from the telnet-server's context.

Comment 28 Riccardo Schirone 2020-03-27 11:22:40 UTC
This flaw can be exploited by an unauthenticated remote attacker to execute code on the telnet server's machine.

Comment 29 errata-xmlrpc 2020-04-06 08:24:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1318 https://access.redhat.com/errata/RHSA-2020:1318

Comment 30 Product Security DevOps Team 2020-04-06 10:32:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10188

Comment 31 errata-xmlrpc 2020-04-06 15:29:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1335 https://access.redhat.com/errata/RHSA-2020:1335

Comment 32 errata-xmlrpc 2020-04-06 16:00:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1334 https://access.redhat.com/errata/RHSA-2020:1334

Comment 33 errata-xmlrpc 2020-04-07 07:38:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1342 https://access.redhat.com/errata/RHSA-2020:1342

Comment 34 errata-xmlrpc 2020-04-07 10:38:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1349 https://access.redhat.com/errata/RHSA-2020:1349


Note You need to log in before you can comment on or make changes to this bug.