COMMAND

    telnetd

SYSTEMS AFFECTED

    FreeBSD 3.x  (all releases),  FreeBSD 4.x  (all releases  prior to
    4.2), FreeBSD  3.5.1-STABLE prior  to 2000-11-01  and 4.1.1-STABLE
    prior to 2000-10-30

PROBLEM

    The following is based  on FreeBSD Security Advisory  FreeBSD-SA-00:69.
    The problem was originally found by Jouko Pynnonen.

    telnetd is the server for  the telnet remote login protocol.   The
    telnet protocol allows for UNIX environment variables to be passed
    from the client to the user login session on the server.  However,
    some of these  environment variables have  special meaning to  the
    telnetd  child  process  itself  and  may  be  used  to affect its
    operation.

    Of particular  relevance is  that a  remote user  can make  telnetd
    search an arbitrary file on the system for termcap data by  passing
    a TERMCAP environment variable whose value names that file.   Since
    the telnetd server runs as  root, any file on the  local system can
    be opened and read this way;  however, the contents of the file are
    not reported back to the remote user in any way unless the file
    contains a  valid termcap  entry, in  which case  only the
    corresponding termcap sequences are used to format the output  sent
    to the client.  It is  therefore believed that there is  no risk of
    data disclosure through this vulnerability.
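    The mechanism described above, as an added example that is not part
    of the advisory or of FreeBSD's telnetd: a decoder for the telnet
    NEW-ENVIRON subnegotiation (RFC 1572) through which a client ships
    environment variables to the server, followed by a check that flags
    a TERMCAP value the server's termcap library would treat as a file
    to open.  The captured byte stream is constructed for the
    demonstration, the device path in it is an assumption, and the
    function names are the editor's own.

```python
# Added example (not from FreeBSD-SA-00:69 or FreeBSD's telnetd): decode the
# NEW-ENVIRON subnegotiation (RFC 1572) a telnet client uses to push
# environment variables to the server, then flag a TERMCAP value that the
# server's termcap library would open as a file.  Sample bytes are constructed.

IAC, SB, SE, WILL = 255, 250, 240, 251
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2                # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3   # field codes inside IS/INFO payloads


def iter_subnegotiations(stream):
    """Yield (option, payload) for every IAC SB <opt> ... IAC SE in a telnet stream."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 2 >= n or stream[i + 1] != SB:
            i += 1
            continue
        opt, j, body = stream[i + 2], i + 3, bytearray()
        while j < n:
            if stream[j] == IAC and j + 1 < n:
                if stream[j + 1] == IAC:        # escaped 0xff data byte
                    body.append(IAC)
                    j += 2
                    continue
                if stream[j + 1] == SE:         # end of subnegotiation
                    j += 2
                    break
            body.append(stream[j])
            j += 1
        yield opt, bytes(body)
        i = j


def _entry(kind, name, value):
    return (kind, name.decode('latin-1'),
            None if value is None else value.decode('latin-1'))


def parse_new_environ(payload):
    """Decode an IS/INFO payload into [(kind, name, value)]; value is None when unset."""
    if not payload or payload[0] not in (IS, INFO):
        return []
    entries = []
    kind = name = value = cur = None
    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):                 # start of a new variable
            if name is not None:
                entries.append(_entry(kind, name, value))
            kind = 'VAR' if b == VAR else 'USERVAR'
            name, value = bytearray(), None
            cur = name
        elif b == VALUE:                        # switch from name to value
            value = bytearray()
            cur = value
        elif b == ESC:                          # next byte is literal data
            i += 1
            if i < len(payload) and cur is not None:
                cur.append(payload[i])
        elif cur is not None:
            cur.append(b)
        i += 1
    if name is not None:
        entries.append(_entry(kind, name, value))
    return entries


def environ_from_stream(stream):
    """Map every variable the client offered via NEW-ENVIRON to its value."""
    env = {}
    for opt, payload in iter_subnegotiations(stream):
        if opt == NEW_ENVIRON:
            for _kind, name, value in parse_new_environ(payload):
                env[name] = value
    return env


def termcap_file_reference(env):
    """Path telnetd's libtermcap would open for this TERMCAP, or None.

    tgetent(3) treats a TERMCAP value starting with '/' as the name of a
    termcap file to search; any other value is taken as an inline entry.
    """
    val = env.get('TERMCAP')
    return val if val and val.startswith('/') else None


def _escape(data):
    """Escape the four field codes so they survive inside names and values."""
    out = bytearray()
    for b in data:
        if b in (VAR, VALUE, ESC, USERVAR):
            out.append(ESC)
        out.append(b)
    return bytes(out)


def build_client_environ(variables):
    """Encode (name, value) pairs as a client's NEW-ENVIRON IS subnegotiation."""
    body = bytearray([IS])
    for name, value in variables:
        body += bytes([VAR]) + _escape(name.encode('latin-1'))
        body += bytes([VALUE]) + _escape(value.encode('latin-1'))
    body = bytes(body).replace(bytes([IAC]), bytes([IAC, IAC]))   # telnet-level escape
    return bytes([IAC, SB, NEW_ENVIRON]) + body + bytes([IAC, SE])


# Constructed capture of the client side: WILL NEW-ENVIRON, then the variables.
# The TERMCAP value is an assumed device path of the kind the advisory describes.
SAMPLE_STREAM = bytes([IAC, WILL, NEW_ENVIRON]) + build_client_environ(
    [('TERM', 'vt100'), ('USER', 'guest'), ('TERMCAP', '/dev/zero')])

if __name__ == '__main__':
    env = environ_from_stream(SAMPLE_STREAM)
    print('client offered:', env)
    path = termcap_file_reference(env)
    if path:
        print('root telnetd would open', path, 'before login(1) is spawned')
```

    Fed the first bytes a client sends on port 23 (from a capture or a
    raw socket read), a hit from termcap_file_reference shows the
    pre-authentication file access the advisory describes; because it
    happens before login(1), account restrictions are no defence and
    only the patch or port filtering helps.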

    However, an  attacker who  forces the  server to  search through a
    large file  or to  read from  a device  can cause  resources to be
    spent by the server, including CPU cycles and disk read bandwidth,
    which  can  increase  the  server  load  and  may  prevent it from
    servicing legitimate user requests.  Since the file is read before
    the login(1) utility is spawned, exploiting the problem does not
    require authentication to a valid account on the server.

    Remote users without a valid login account on the server can cause
    resources such  as CPU  and disk  read bandwidth  to be  consumed,
    causing  increased  server  load  and  possibly denying service to
    legitimate users.

SOLUTION

    Disable the telnet service, which is usually run out of inetd,  or
    impose access restrictions using TCP wrappers (/etc/hosts.allow) or
    a network-level packet filter such  as ipfw(8) or ipf(8), on  the
    perimeter firewall or  the local machine,  so that only  trusted
    machines can reach the telnet service.
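    The checks a practitioner would run before and after applying the
    workaround above, as an added example that is not part of the
    advisory or of FreeBSD: parse an inetd.conf for an active telnet
    entry (and the daemon name tcp_wrappers will match, the basename of
    the program field), then evaluate extended-syntax hosts.allow rules
    for a given client address.  Both configuration texts are
    constructed samples, the 192.0.2.0/24 trusted network is an
    assumption, and the hosts.allow matcher is a simplified model of
    tcp_wrappers (one client pattern per rule, no hosts.deny, no ipfw
    modelling).

```python
# Added example (not from FreeBSD-SA-00:69 or FreeBSD): audit inetd.conf for
# an active telnet service and evaluate the hosts.allow rules gating it.
# Both config texts are constructed; the matcher is a simplified model of
# tcp_wrappers in which the first matching rule decides.
import ipaddress

INETD_CONF = """\
# service  type  proto  wait/nowait  user  program  args      (constructed sample)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
"""

HOSTS_ALLOW = """\
# daemon : client list : option       (constructed sample, assumed trusted net)
telnetd : 192.0.2.0/255.255.255.0 : allow
telnetd : ALL : deny
ftpd    : ALL : allow
"""


def active_services(inetd_conf):
    """Return {service: (user, daemon_name)} for uncommented inetd.conf entries.

    tcp_wrappers matches on the daemon name, which for inetd's built-in
    wrapping is the basename of the program field
    (/usr/libexec/telnetd -> telnetd).
    """
    services = {}
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        service, user, program = fields[0], fields[4], fields[5]
        services[service] = (user, program.rsplit('/', 1)[-1])
    return services


def _client_matches(pattern, client):
    """ALL, an exact IPv4 address, or net/mask (dotted or prefix-length mask)."""
    pattern = pattern.strip()
    if pattern == 'ALL':
        return True
    if '/' in pattern:
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client


def hosts_access(hosts_allow, daemon, client):
    """Decide 'allow' or 'deny' for daemon+client; no matching rule means allow.

    Mirrors tcp_wrappers with a single extended-syntax hosts.allow: the first
    rule whose daemon and client fields both match supplies the verdict, and a
    connection matching nothing is let through.
    """
    for line in hosts_allow.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(':')]
        if len(parts) < 3:
            continue
        daemons, clients, option = parts[0], parts[1], parts[2]
        if daemons not in ('ALL', daemon):
            continue
        if _client_matches(clients, client):
            return option
    return 'allow'


def telnet_exposure(inetd_conf, hosts_allow, clients):
    """Report, per client address, whether telnetd is reachable and as which user."""
    services = active_services(inetd_conf)
    if 'telnet' not in services:
        return {c: 'telnet disabled in inetd.conf' for c in clients}
    user, daemon = services['telnet']
    return {c: f'{hosts_access(hosts_allow, daemon, c)} (runs as {user})' for c in clients}


if __name__ == '__main__':
    for client, verdict in telnet_exposure(INETD_CONF, HOSTS_ALLOW,
                                           ['192.0.2.10', '203.0.113.5']).items():
        print(f'{client:>15}: {verdict}')
```

    Point the two functions at the real /etc/inetd.conf and
    /etc/hosts.allow to see which addresses still reach a root-owned
    telnetd.  After commenting the telnet line out, inetd must be sent
    SIGHUP to reread its configuration; FreeBSD's inetd applies the
    wrappers itself when run with -w (the usual rc default), so no tcpd
    wrapper entry is needed for the hosts.allow rules to take effect.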

    Patch:

        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/telnetd.patch.v1.1
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/telnetd.patch.v1.1.asc