Note: This is an archival copy of Security Sun Alert 201106 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000826.1.
Sun Enterprise Authentication Mechanism 1.0
Date of Workaround Release
Date of Resolved Release
There is a buffer overflow in the unprivileged kerberized telnet(1) utility of Sun Enterprise Authentication Mechanism (SEAM) Software for Solaris. This is not a security vulnerability on its own. However, kerberized telnet(1) communicates with another host using the TELNET protocol and thus there is a small risk of a remote user successfully exploiting the overflow.
If a remote unprivileged user is able to cause a user to execute the kerberized telnet(1) utility on their client system, then that remote user may be able to execute arbitrary commands on the client system with the privileges of the user who executed kerberized telnet(1). The remote user may also be able to read the values of arbitrary shell environment variables of the user who executed telnet(1).
Sun acknowledges with thanks, iDEFENSE (http://www.idefense.com), for bringing these issues to our attention. These issues are also referenced in the following iDEFENSE documents:
IDEF0865 - Multiple Vendor Telnet Client Information Disclosure Vulnerability at http://www.idefense.com/application/poi/display?id=260
IDEF0866 - Multiple Telnet Client slc_add_reply() Buffer Overflow at http://www.idefense.com/application/poi/display?id=220
IDEF0867 - Multiple Telnet Client env_opt_add() Buffer Overflow at http://www.idefense.com/application/poi/display?id=221
These issues are also described in the following CAN documents:
CAN-2005-0468 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
CAN-2005-0469 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
CAN-2005-0488 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0488
These issues are also described in the following CERT Vulnerability Notes:
VU#291924 at http://www.kb.cert.org/vuls/id/291924
VU#341908 at http://www.kb.cert.org/vuls/id/341908
VU#800829 at http://www.kb.cert.org/vuls/id/800829
These issues can occur in the following releases:
There are no predictable symptoms that would indicate the described issues have been exploited.
To work around the described issues until patches can be installed, sites may consider removing the execute permissions from the kerberized telnet(1) utility. To accomplish this, the following command can be run (as "root"):
# chmod 000 /usr/krb5/bin/telnet
To restore the original permissions to the telnet(1) utility (after the patches have been applied) the following command can be run (as "root"):
# chmod 555 /usr/krb5/bin/telnet
These issues are addressed in the following releases:
This solution has no attachment