Tuesday February 09, 2010

FreeBSD – the unknown Giant

FreeBSD is a free, open-source and UNIX-like operating system. Though relatively unknown, it’s a high-performing and powerful workhorse, capable of coping with massive workloads while remaining fast, ultra-stable and rock-solid. By blogging about FreeBSD and the operating systems based on this versatile, safe and secure OS, I want to generate more interest in FreeBSD and its derivatives. If you need a reliable, rock-solid and high-performing system for either your desktop or your servers, consider FreeBSD!

FreeBSD Security Advisory (telnetd)

February 21, 2009 by Gerard

The FreeBSD Security Team has issued the following security warning:

FreeBSD-SA-09:05.telnetd – telnetd code execution vulnerability

I. Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the TELNET virtual terminal protocol. It has been disabled by default in FreeBSD since August 2001, and due to the lack of cryptographic security in the TELNET protocol, it is strongly recommended that the SSH protocol be used instead. The FreeBSD telnet daemon can be enabled via the /etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol allows a connecting client to specify environment variables which should be set in any created login session; this is used, for example, to specify terminal settings.

II. Problem Description

In order to prevent environment variable based attacks, telnetd(8) “scrubs” its environment; however, recent changes in FreeBSD’s environment-handling code rendered telnetd’s scrubbing inoperative, thereby allowing potentially harmful environment variables to be set.

For the workaround, solution and patch, see the full advisory.
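The lesson of this advisory is that a scrub which removes known-bad variables can fail silently when the code underneath it changes. Here is an added example of mine (not FreeBSD’s telnetd code) of the safer shape: build the login environment from an allowlist of client-supplied names and then verify that nothing else survived; the allowed names and the sample client input are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Allowlist of environment names a TELNET client may set (assumed set). */
static const char *const allowed[] = { "TERM", "LANG", "DISPLAY", "LINES", "COLUMNS", NULL };

/* Return 1 if a "NAME=value" entry has an allowlisted, well-formed NAME. */
int env_entry_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;            /* need NAME=value, NAME non-empty */
    size_t nlen = (size_t)(eq - entry);
    for (size_t i = 0; i < nlen; i++) {                  /* NAME may only be [A-Z0-9_] */
        char c = entry[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_')) return 0;
    }
    for (const char *const *a = allowed; *a; a++)
        if (strlen(*a) == nlen && strncmp(*a, entry, nlen) == 0) return 1;
    return 0;
}

/* Copy allowlisted entries from client_env into out (out_cap includes the NULL).
   Returns the number kept, or -1 if out is too small. */
int scrub_env(const char *const *client_env, const char **out, size_t out_cap) {
    size_t n = 0;
    for (; *client_env; client_env++) {
        if (!env_entry_allowed(*client_env)) continue;
        if (n + 1 >= out_cap) return -1;
        out[n++] = *client_env;
    }
    out[n] = NULL;
    return (int)n;
}

/* Post-scrub self-check: fail closed if any non-allowlisted entry survived. */
int scrub_verified(const char *const *env) {
    for (; *env; env++) if (!env_entry_allowed(*env)) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample of client-supplied variables; not from the advisory. */
    const char *const client[] = { "TERM=xterm", "PATH=/tmp", "LANG=C", "FOO", "=x", NULL };
    const char *kept[8];
    int n = scrub_env(client, kept, 8);
    printf("kept %d entries\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", kept[i]);
    return scrub_verified(kept) ? 0 : 1;      /* refuse to spawn the session otherwise */
}
```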
