The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2007-0095 advisory.

    [1.3.4-46]
     - fix bug ID in changelog

     [1.3.4-45]
     - add preliminary patch to fix buffer overflow in krb5kdc and kadmind        (#231528, CVE-2007-0957)
     - add preliminary patch to fix double-free in kadmind (#231537, CVE-2007-1216)

     [1.3.4-44]
     - temporarily disable bug fixes for #143289, #179062, #180671, #202191, #223669        for security update
     - add preliminary patch to correct unauthorized access via krb5-aware telnet        daemon (#229782, CVE-2007-0956)

     [1.3.4-43]
     - re-enable fixes for #143289, #223669 and rebuild

     [1.3.4-42]
     - temporarily back out fixes for #143289, #223669 and rebuild

     [1.3.4-41]
     - update rcp non-fatal error patch to fix hangs on write errors, too (Jose        Plans, #223669)

     [1.3.4-40]
     - report a non-fatal error to the remote rcp when the client fails to open a        file for writing (#223669)

     [1.3.4-39]
     - refrain from killing any lingering members of our child's process group when        logging that the child process has exited (Jose Plans, #143289)

     [1.3.4-38]
     - correct syntax error in krb5-config.sh

     [1.3.4-37]
     - update to revised upstream patches for CVE-2006-3083 and CVE-2006-3084        (MITKRB5-SA-2006-001) to avoid unnecessary error messages from ksu (#209512)

     [1.3.4-36]
     - add missing shebang headers to krsh and krlogin wrapper scripts (#209238)

     [1.3.4-35]
     - backport changes to make krb5-devel multilib-safe (#202191, prereq for

     [1.3.4-34]
     - reapply changes for #198633, #179062, #180671

     [1.3.4-33]
     - temporarily revert changes for #198633

     [ 1.3.4-32]
     - rebuild

     [1.3.4-31]
     - temporarily revert changes for #179062
     - temporarily revert changes for #180671
     - apply patch to fix unchecked calls to setuid() (CVE-2006-3083) and        seteuid() (CVE-2006-3084) (#197818)

     [1.3.4-30]
     - incorporate fixes for hangs in the rsh client and server (#198633)

     [1.3.4-29]
     - if we fail to determine the name of a master KDC in        krb5_get_init_creds_keytab(), return the error we got from the non-master        rather than the can't-determine-the-name error, which isn't so useful,        matching the current release's behavior (#180671)

     [1.3.4-28]
     - reenable the fix for #179062

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

When using the krb5 telnet daemon it was possible for remote attackers to override authentication mechanisms and gain root access to the machine by supplying a special username. 

This is tracked by the Mitre CVE ID CVE-2007-0956.

The krb5 telnet service did not appropriately verify user names. A remote attacker could log in as the root user by requesting a specially crafted user name. (CVE-2007-0956)

The krb5 syslog library did not correctly verify the size of log messages. A remote attacker could send a specially crafted message and execute arbitrary code with root privileges. (CVE-2007-0957)

The krb5 administration service was vulnerable to a double-free in the GSS RPC library. A remote attacker could send a specially crafted request and execute arbitrary code with root privileges.
(CVE-2007-1216).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several remote vulnerabilities have been discovered in the MIT reference implementation of the Kerberos network authentication protocol suite, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-0956     It was discovered that the krb5 telnet daemon performs     insufficient validation of usernames, which might allow     unauthorized logins or privilege escalation.

  - CVE-2007-0957     iDefense discovered that a buffer overflow in the     logging code of the KDC and the administration daemon     might lead to arbitrary code execution.

  - CVE-2007-1216     It was discovered that a double free in the RPCSEC_GSS     part of the GSS library code might lead to arbitrary     code execution.

An authentication bypass vulnerability exists in the MIT krb5 telnet daemon due to a failure to sanitize malformed usernames. This allows usernames beginning with '-e' to be interpreted as a command-line flag by the login.krb5 program. A remote attacker can exploit this, via a crafted username, to cause login.krb5 to execute part of the BSD rlogin protocol, which in turn allows the attacker to login with an arbitrary username without a password or any further authentication.

Updated krb5 packages that fix a number of issues are now available.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password.
(CVE-2007-0956)

Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package.

For users who have enabled the krb5 telnet daemon and have it accessible remotely, this update should be applied immediately.

Whilst we are not aware at this time that the flaw is being actively exploited, we have confirmed that the flaw is very easily exploitable.

This update also fixes two additional security issues :

Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (CVE-2007-0957)

A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. Red Hat Enterprise Linux 4 and 5 contain checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 and 5 successful exploitation of this issue can only lead to a denial of service. Applications which use this library in earlier releases of Red Hat Enterprise Linux may also be affected.
(CVE-2007-1216)

All users are advised to update to these erratum packages which contain a backported fix to correct these issues.

Red Hat would like to thank MIT and iDefense for reporting these vulnerabilities.

A vulnerability was found in the username handling of the MIT krb5 telnet daemon. A remote attacker that could access the telnet port of a target machine could login as root without requiring a password (CVE-2007-0956).

Buffer overflows in the kadmin server daemon were discovered that could be exploited by a remote attacker able to access the KDC.
Successful exploitation could allow for the execution of arbitrary code with the privileges of the KDC or kadmin server processes (CVE-2007-0957).

Finally, a double-free flaw was discovered in the GSSAPI library used by the kadmin server daemon, which could lead to a denial of service condition or the execution of arbitrary code with the privileges of the KDC or kadmin server processes (CVE-2007-1216).

Updated packages have been patched to address this issue.

Update :

Packages for Mandriva Linux 2007.1 are now available.

The remote host is affected by the vulnerability described in GLSA-200704-02 (MIT Kerberos 5: Arbitrary remote code execution)

    The Kerberos telnet daemon fails to properly handle usernames allowing     unauthorized access to any account (CVE-2007-0956). The Kerberos     administration daemon, the KDC and possibly other applications using     the MIT Kerberos libraries are vulnerable to the following issues. The     krb5_klog_syslog function from the kadm5 library fails to properly     validate input leading to a stack overflow (CVE-2007-0957). The GSS-API     library is vulnerable to a double-free attack (CVE-2007-1216).
  Impact :

    By exploiting the telnet vulnerability a remote attacker may obtain     access with root privileges. The remaining vulnerabilities may allow an     authenticated remote attacker to execute arbitrary code with root     privileges.
  Workaround :

    There is no known workaround at this time.

SEAM 1.0.2: patch for Solaris 9.
Date this patch was last updated by Sun : Apr/03/07

ID	Name	Product	Family	Severity
67458	Oracle Linux 5 : Critical: / krb5 (ELSA-2007-0095)	Nessus	Oracle Linux Local Security Checks	critical
29497	SuSE 10 Security Update : krb5-apps-servers (ZYPP Patch Number 3022)	Nessus	SuSE Local Security Checks	high
28046	Ubuntu 5.10 / 6.06 LTS / 6.10 : krb5 vulnerabilities (USN-449-1)	Nessus	Ubuntu Local Security Checks	high
27313	openSUSE 10 Security Update : krb5-apps-servers (krb5-apps-servers-3021)	Nessus	SuSE Local Security Checks	high
25010	Debian DSA-1276-1 : krb5 - several vulnerabilities	Nessus	Debian Local Security Checks	high
24998	Kerberos telnet Crafted Username Remote Authentication Bypass	Nessus	Gain a shell remotely	high
24948	RHEL 2.1 / 3 / 4 / 5 : krb5 (RHSA-2007:0095)	Nessus	Red Hat Local Security Checks	high
24943	Mandrake Linux Security Advisory : krb5 (MDKSA-2007:077-1)	Nessus	Mandriva Local Security Checks	high
24935	GLSA-200704-02 : MIT Kerberos 5: Arbitrary remote code execution	Nessus	Gentoo Local Security Checks	high
24919	CentOS 3 / 4 : krb5 (CESA-2007:0095)	Nessus	CentOS Local Security Checks	high
23517	Solaris 9 (sparc) : 116462-06	Nessus	Solaris Local Security Checks	high

Detections

Analytics

CVE-2007-0956

critical

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high

high