FreeBSD Security Advisories
2016-Dec-06 19:17 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:36.telnetd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================FreeBSD-SA-16:36.telnetd Security Advisory The FreeBSD Project Topic: Possible login(1) argument injection in telnetd(8) Category: core Module: telnetd Announced: 2016-12-06 Credits: Brooks Davis (sponsored by: DARPA, AFRL) Affects: All supported versions of FreeBSD. Corrected: 2016-12-06 18:52:02 UTC (stable/11, 11.0-STABLE) 2016-12-06 18:49:38 UTC (releng/11.0, 11.0-RELEASE-p4) 2016-12-06 18:52:18 UTC (stable/10, 10.3-STABLE) 2016-12-06 18:49:48 UTC (releng/10.3, 10.3-RELEASE-p13) 2016-12-06 18:49:54 UTC (releng/10.2, 10.2-RELEASE-p26) 2016-12-06 18:49:59 UTC (releng/10.1, 10.1-RELEASE-p43) 2016-12-06 18:52:33 UTC (stable/9, 9.3-STABLE) 2016-12-06 18:50:06 UTC (releng/9.3, 9.3-RELEASE-p51) CVE Name: CVE-2016-1888 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background The FreeBSD telnet daemon, telnetd(8), implements the server side of the TELNET virtual terminal protocol. It has been disabled by default in FreeBSD since August 2001, and due to the lack of cryptographic security in the TELNET protocol, it is strongly recommended that the SSH protocol be used instead. The FreeBSD telnet daemon can be enabled via the /etc/inetd.conf configuration file and the inetd(8) daemon. After a user is connected, telnetd executes the login(1) program or a similar program specified by the -p <loginprog> argument. In order to do so, it constructs an array of command line arguments which are passed to execv(3). II. Problem Description An unexpected sequence of memory allocation failures combined with insufficient error checking could result in the construction and execution of an argument sequence that was not intended. III. Impact An attacker who controls the sequence of memory allocation failures and success may cause login(1) to run without authentication and may be able to cause misbehavior of login(1) replacements. No practical way of controlling these memory allocation failures is known at this time. IV. Workaround No workaround is available, but systems not running the telnet daemon are not vulnerable. Note that the telnet daemon is usually run via inetd, and consequently will not show up in a process listing unless a connection is currently active; to determine if it is enabled, run $ ps ax | grep telnetd | grep -v grep $ grep telnetd /etc/inetd.conf | grep -vE '^#' If any output is produced, your system may be vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-16:36/telnetd.patch # fetch https://security.FreeBSD.org/patches/SA-16:36/telnetd.patch.asc # gpg --verify telnetd.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Kill any running telnetd processes, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r309643 releng/9.3/ r309637 stable/10/ r309642 releng/10.1/ r309636 releng/10.2/ r309635 releng/10.3/ r309634 stable/11/ r309641 releng/11.0/ r309633 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1888> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:36.telnetd.asc> -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYRw1uAAoJEO1n7NZdz2rnUC0P/3R7UoeNFknnYEXs25NnTS3h oDZnGEbLloqQC4mAtPsC2v9WdSRh318J7UMOpko+uYlvxwsJe9TXRgUwP24atdtJ a0Al8BvbmIHckIxG7cFJ6Xsw5NDXBgHo2JWBgdU2xvRafZYvFmjlGyxGrvg6Ok0s LCz+cnOwni+J4R0CUHTb7eyoeW4HYsg5bVBnzmDwdqQTiig4PsIBVSu+VbOM8kTT u7JCzxibzwm9TE0orxDBsY60//hbJRMm12SXj+tVJS3w+qK2iY+Aq02llyTqlGHd Tpz4++d9UlS5QSPnu42ev/wzfPDZoxhbb5yciEUDSZA7vG5RD0pCfxfOf+8zORXA PLp8XRrl76DJonULUjtNPo8xE3gFOztbUZyTFpxChXUPzZGp0oPRQgTIBTMEPejH jC7O5ic0q7aA8UcQk5tqn6lNS6eK6z2UoKGYN4qCjTlC18s1u9dPwHzeSAzjg5YF fHX0t/MB8zJ5ts0pUs6OTMOu6umrP4SUJF9hpACFG16vzjJ1S573tuPr9L4HMNCv XTX9kjcFwmHqpbrFYW38Fk90x14TT3tigi+xYvCruS1XQeLQM48ThgYAdEboGJvT 8LGVI8rbwjaglrEk670RlnWVKQInqtPBmbV/GXL9AtE4zzsTHXDT/7iJ30pb4RJq rA+cnK1Bog6FHCWGTxjF =uYUg -----END PGP SIGNATURE-----