Vulnerability CVE-2001-0554 - CERT Civis.Net

Vulnerability Name:

CVE-2001-0554 (CCN-6875)

Assigned:

2001-07-18

Published:

2001-07-18

Updated:

2022-01-21

Summary:

Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function.

CVSS v3 Severity:

10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: CCN
Type: FreeBSD Security Advisory FreeBSD-SA-01:49
telnetd contains remote buffer overflow

Source: FREEBSD
Type: Broken Link, Patch, Vendor Advisory
FreeBSD-SA-01:49

Source: NETBSD
Type: Broken Link
NetBSD-SA2001-012

Source: CCN
Type: Caldera International, Inc. Security Advisory CSSA-2001-030.0
Linux - Telnet AYT remote exploit

Source: CCN
Type: SGI Security Advisory 20010801-01-P
IRIX Telnet protocol options

Source: SGI
Type: Broken Link
20010801-01-P

Source: CALDERA
Type: Broken Link
CSSA-2001-SCO.10

Source: CCN
Type: Caldera International, Inc. Security Advisory CSSA-2001-SCO.10
telnetd buffer overflow

Source: CCN
Type: BugTraq Mailing List, Wed Jul 18 2001 - 15:15:10 CDT
multiple vendor telnet daemon vulnerability

Source: CCN
Type: BugTraq Mailing List, Tue Jul 24 2001 - 16:51:24 CDT
Re: multiple vendor telnet daemon vulnerability

Source: CCN
Type: BugTraq Mailing List, Tue Jul 24 2001 - 18:11:36 CDT
Re: multiple vendor telnet daemon vulnerability

Source: CCN
Type: BugTraq Mailing List, Wed Jul 25 2001 - 02:44:46 CDT
SCO - Telnetd AYT overflow ?

Source: CCN
Type: BugTraq Mailing List, Wed Jul 25 2001 - 17:51:28 CDT
Vulnerability in Windows 2000 TELNET service

Source: CCN
Type: BugTraq Mailing List, Thu Jul 26 2001 - 17:29:02 CDT
RE: Vulnerability in Windows 2000 TELNET service

Source: CCN
Type: IBM Managed Security Services Outside Advisory Redistribution MSS-OAR-E01-2001:298.1
Buffer overflow vulnerability in telnet daemon

Source: HP
Type: Broken Link
HPSBUX0110-172

Source: MITRE
Type: CNA
CVE-2001-0554

Source: CONECTIVA
Type: Broken Link
CLA-2001:413

Source: CCN
Type: Conectiva Linux Announcement CLSA-2001:413
telnet

Source: CCN
Type: Compaq Services Software Patches SSRT0745U
potential telnetd option handling vulnerability

Source: COMPAQ
Type: Broken Link
SSRT0745U

Source: IBM
Type: Broken Link, Third Party Advisory, VDB Entry
MSS-OAR-E01-2001:298

Source: CCN
Type: Hewlett-Packard Company Security Bulletin HPSBUX0110-172
Sec. Vulnerability in telnetd

Source: BUGTRAQ
Type: Broken Link, Third Party Advisory, VDB Entry
20010725 Telnetd AYT overflow scanner

Source: BUGTRAQ
Type: Broken Link, Third Party Advisory, VDB Entry
20010725 SCO - Telnetd AYT overflow ?

Source: BUGTRAQ
Type: Broken Link, Third Party Advisory, VDB Entry
20010810 ADV/EXP: netkit <=0.17 in.telnetd remote buffer overflow

Source: CCN
Type: RHSA-2001-099
New telnet packages available to fix buffer overflow vulnerabilities

Source: CCN
Type: RHSA-2001-100
Updated Kerberos 5 packages now available

Source: CCN
Type: Kerberos Security Advisory 2001-07-31
KRB5 TELNETD BUFFER OVERFLOWS

Source: CCN
Type: Apple Computer, Inc. Product Security Incident Response
Mac OS X v10.1 telnetd

Source: CALDERA
Type: Broken Link
CSSA-2001-030.0

Source: CCN
Type: CERT Advisory CA-2001-21
Buffer Overflow in telnetd

Source: CERT
Type: Patch, Third Party Advisory, US Government Resource
CA-2001-21

Source: CCN
Type: CIAC Information Bulletin L-124
Remote Buffer Overflow in telnetd

Source: CCN
Type: CIAC Information Bulletin L-128
MIT Kerberos 5 telnetd Buffer Overflows

Source: CCN
Type: CIAC Information Bulletin L-131
IBM AIX telnetd Buffer Overflow

Source: CIAC
Type: Broken Link
L-131

Source: CCN
Type: CIAC Information Bulletin M-006
HP-UX telnetd Security Vulnerability

Source: CCN
Type: CIAC Information Bulletin M-043
Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability

Source: CCN
Type: CIAC Information Bulletin M-119
Cisco VPN Concentrators and VPN 3002 Client Multiple Vulnerabilities

Source: CCN
Type: Cisco Systems Inc. Security Advisory, 2002 January 29 1500 UTC
Cisco CatOS Telnet Buffer Vulnerability

Source: CISCO
Type: Third Party Advisory
20020129 Cisco CatOS Telnet Buffer Vulnerability

Source: CCN
Type: vpn3k-multiple-vuln-pub
Cisco Security Advisory: Cisco VPN 3000 Concentrator Multiple Vulnerabilities

Source: DEBIAN
Type: Third Party Advisory
DSA-070

Source: DEBIAN
Type: Third Party Advisory
DSA-075

Source: DEBIAN
Type: DSA-070
netkit-telnet -- remote exploit

Source: DEBIAN
Type: DSA-075
netkit-telnet-ssl -- remote exploit

Source: CCN
Type: GLSA-200410-03
NetKit-telnetd: buffer overflows in telnet and telnetd

Source: CCN
Type: US-CERT VU#745371
Multiple vendor telnet daemons vulnerable to buffer overflow via crafted protocol options

Source: CCN
Type: Cray Service Bulletin, September/October 2001, Volume 3, Number 5
Security Issues Reported, CERT Advisory CA-2001-21

Source: MANDRAKE
Type: Broken Link
MDKSA-2001:068

Source: SUSE
Type: Broken Link
SuSE-SA:2001:029

Source: OSVDB
Type: Broken Link
809

Source: CCN
Type: OSVDB ID: 809
Multiple BSD Telnet telrcv Functin Remote Command Execution

Source: REDHAT
Type: Third Party Advisory
RHSA-2001:099

Source: REDHAT
Type: Third Party Advisory
RHSA-2001:100

Source: BUGTRAQ
Type: Exploit, Third Party Advisory, VDB Entry, Vendor Advisory
20010718 multiple vendor telnet daemon vulnerability

Source: BID
Type: Exploit, Patch, Third Party Advisory, VDB Entry, Vendor Advisory
3064

Source: CCN
Type: BID-3064
Multiple Vendor Telnetd Buffer Overflow Vulnerability

Source: CCN
Type: SuSE Security Announcement SuSE-SA:2001:029
nkitb/nkitserv/telnetd

Source: CCN
Type: FedCIRC Advisory FA-2001-21
Buffer Overflow in telnetd

Source: XF
Type: Third Party Advisory, VDB Entry
telnetd-option-telrcv-bo(6875)

Source: XF
Type: UNKNOWN
telnetd-option-telrcv-bo(6875)

Vulnerable Configuration:

Configuration 1:

cpe:/a:netkit:linux_netkit:0.10:*:*:*:*:*:*:*

OR cpe:/a:netkit:linux_netkit:0.11:*:*:*:*:*:*:*

OR cpe:/a:mit:kerberos:1.0:*:*:*:*:*:*:*

OR cpe:/a:netkit:linux_netkit:0.12:*:*:*:*:*:*:*

OR cpe:/o:sgi:irix:6.5:*:*:*:*:*:*:*

OR cpe:/a:mit:kerberos_5:1.2:-:*:*:*:*:*:*

OR cpe:/a:mit:kerberos_5:1.2.1:*:*:*:*:*:*:*

OR cpe:/a:mit:kerberos_5:1.2.2:*:*:*:*:*:*:*

OR cpe:/a:mit:kerberos_5:1.1:*:*:*:*:*:*:*

OR cpe:/a:mit:kerberos_5:1.1.1:*:*:*:*:*:*:*

Configuration 2:

cpe:/o:freebsd:freebsd:2.0:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.0.1:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.0.5:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.1:stable:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.1.0:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.1.5:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.1.6:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.1.6.1:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.1.7:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.1.7.1:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.2:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.2:current:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.2.1:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.2.2:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.2.3:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.2.4:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.2.5:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.2.6:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.2.7:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:2.2.8:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.0:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.0:releng:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.1:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.2:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.3:-:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.4:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.5:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.5:stable:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.5.1:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.5.1:release:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.5.1:stable:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:4.0:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:4.0:alpha:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:4.0:releng:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:4.1:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:4.1.1:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:4.2:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:4.3:-:*:*:*:*:*:*

OR cpe:/o:ibm:aix:4.3:*:*:*:*:*:*:*

OR cpe:/o:ibm:aix:4.3.1:*:*:*:*:*:*:*

OR cpe:/o:ibm:aix:4.3.2:*:*:*:*:*:*:*

OR cpe:/o:ibm:aix:4.3.3:*:*:*:*:*:*:*

OR cpe:/o:ibm:aix:5.1:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.0:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.1:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.2:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.2.1:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.3:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.3.1:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.3.2:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.3.3:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.4:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.4.1:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.4.2:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.4.3:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.5:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.5.1:*:*:*:*:*:*:*

OR cpe:/o:openbsd:openbsd:2.0:*:*:*:*:*:*:*

OR cpe:/o:openbsd:openbsd:2.1:*:*:*:*:*:*:*

OR cpe:/o:openbsd:openbsd:2.2:*:*:*:*:*:*:*

OR cpe:/o:openbsd:openbsd:2.3:*:*:*:*:*:*:*

OR cpe:/o:openbsd:openbsd:2.4:*:*:*:*:*:*:*

OR cpe:/o:openbsd:openbsd:2.5:*:*:*:*:*:*:*

OR cpe:/o:openbsd:openbsd:2.6:*:*:*:*:*:*:*

OR cpe:/o:openbsd:openbsd:2.7:*:*:*:*:*:*:*

OR cpe:/o:openbsd:openbsd:2.8:*:*:*:*:*:*:*

OR cpe:/o:sun:sunos:5.6:*:*:*:*:*:*:*

OR cpe:/o:sun:sunos:5.0:*:*:*:*:*:*:*

OR cpe:/o:sun:sunos:5.1:*:*:*:*:*:*:*

OR cpe:/o:sun:sunos:5.2:*:*:*:*:*:*:*

OR cpe:/o:sun:sunos:5.3:*:*:*:*:*:*:*

OR cpe:/o:sun:sunos:5.4:*:*:*:*:*:*:*

OR cpe:/o:sun:sunos:5.5:*:*:*:*:*:*:*

OR cpe:/o:sun:sunos:5.5.1:*:*:*:*:*:*:*

OR cpe:/o:sun:sunos:5.7:*:*:*:*:*:*:*

OR cpe:/o:sun:sunos:5.8:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:debian:debian_linux:2.2:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/o:sun:solaris:*:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.0:*:*:*:*:*:*:*

OR cpe:/o:sgi:irix:6.5:*:*:*:*:*:*:*

OR cpe:/o:cray:unicos:*:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:5.2:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.1:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.2:*:*:*:*:*:*:*

OR cpe:/o:suse:suse_linux:6.2:*:*:*:*:*:*:*

OR cpe:/o:ibm:aix:4.3:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.3:-:*:*:*:*:*:*

OR cpe:/o:ibm:aix:4.3.2:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:6.2:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.4:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:4.0:*:*:*:*:*:*:*

OR cpe:/o:suse:suse_linux:6.3:*:*:*:*:*:*:*

OR cpe:/o:suse:suse_linux:6.4:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:2.2:*:*:*:*:*:*:*

OR cpe:/o:suse:suse_linux:6.1:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:7.1:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:3.5:*:*:*:*:*:*:*

OR cpe:/a:connectiva:linux:-:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:7:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:4.1:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:7.2:*:*:*:*:*:*:*

OR cpe:/o:netbsd:netbsd:1.5:*:*:*:*:*:*:*

OR cpe:/o:suse:suse_linux:7.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:1.0.1:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:4.2:*:*:*:*:*:*:*

OR cpe:/o:suse:suse_linux:7.1:*:*:*:*:*:*:*

OR cpe:/h:cisco:catalyst_5000:*:*:*:*:*:*:*:*

OR cpe:/o:ibm:aix:5.1:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:8.0:*:*:*:*:*:*:*

OR cpe:/a:mandrakesoft:mandrake_single_network_firewall:7.2:*:*:*:*:*:*:*

OR cpe:/o:suse:suse_linux:7.2:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:4.3:-:*:*:*:*:*:*

OR cpe:/o:windriver:bsdos:4.2:*:*:*:*:*:*:*

OR cpe:/o:ibm:aix:4.3.3:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:8.1:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*

OR cpe:/h:cisco:catalyst_4000:*:*:*:*:*:*:*:*

OR cpe:/h:cisco:catalyst_6000:*:*:*:*:*:*:*:*

OR cpe:/h:cisco:catalyst_2948g:*:*:*:*:*:*:*:*

OR cpe:/h:cisco:catalyst_2900:*:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*

OR cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*

OR cpe:/o:ibm:aix:4.3.1:*:*:*:*:*:*:*

OR cpe:/a:mit:kerberos:*:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:1828	V	Buffer Overflow in "in.telnetd"or "telnetd"Process	2007-07-18
oval:org.debian:def:75	V	remote exploit	2001-08-14
oval:org.debian:def:70	V	remote exploit	2001-08-10