5 vulnerabilities fixed in FreeBSD, including telnetd critical root vulnerability

    Five vulnerability reports have been issued that affect the base system of all supported FreeBSD branches (RELENG_7, RELENG_8, RELENG_9):

    • Remote code execution through the telnetd daemon, which has been disabled in the default configuration since 2001. The problem is a buffer overflow when receiving encryption keys over the TELNET protocol: a fixed-size buffer is allocated and the length of the incoming key is not checked, so the tail of the key can run past the end of the buffer. As a result, an unauthenticated attacker can execute code on the server with the rights of the telnet daemon, which usually runs as root. All systems on which telnetd is active and the associated network port is reachable are affected;
    • A missing service-name check in pam_start() makes it possible for a local user to elevate their privileges by arranging for a library of their own to be loaded with root privileges while PAM services are loaded. For a successful attack, the attacker must be able to pass a service name to pam_start() through a third-party application that is not part of the base system, for example the kcheckpass utility from the kde4 port;
    • Incorrect granting of access by the pam_ssh PAM module when the user has created unencrypted private SSH keys. pam_ssh allows authentication at local login using the passphrase that encrypts the user's SSH keys in the ~/.ssh directory. By default, authentication is only possible if the SSH key has a passphrase, but the OpenSSL library ignores the password argument if the key is not encrypted, which allows logging in without a password as a user who has such unencrypted keys. The problem only occurs when pam_ssh is enabled in the configuration, which it is not by default;
    • Ability to execute code with root privileges inside a chroot environment when a user can log in via ftp chrooted into their home directory (using /etc/ftpchroot);
    • Remote denial of service against a DNS server running named (BIND 9) from the base system. An attacker can crash the server process by having it send a query to a DNS server under the attacker's control. The attacker does not need to be able to resolve names through the victim's DNS server directly; the server can be made to contact the attacker's DNS server indirectly, for example if a user of the attacked DNS server opens a link in a browser or a spam-blocking system looks up a name.
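    An added audit helper (not from the advisory or the FreeBSD project) that checks a FreeBSD-style root tree for the exposure conditions behind each of the five reports, so an administrator can see which fixes matter on a given host. It assumes the standard FreeBSD locations of inetd.conf, /etc/pam.d, /etc/rc.conf and /etc/ftpchroot, and that private keys are in the PEM format where an OpenSSL-encrypted key carries a "Proc-Type: 4,ENCRYPTED" header.

```sh
#!/bin/sh
# Added audit helper, not the advisory's or FreeBSD's own code. It inspects
# a root tree ($1) for the conditions the five reports describe; pass "/"
# on a live host, or a constructed tree for testing. Paths are the standard
# FreeBSD ones (assumption, not taken from the advisory text).
# 1. telnetd reachable: an uncommented "telnet" service line in inetd.conf
telnetd_enabled() {              # $1 = root dir
    f="$1/etc/inetd.conf"
    [ -f "$f" ] && grep -Eq '^[[:space:]]*telnet[[:space:]]' "$f"
}
# 2. pam_ssh referenced by any PAM service file (it is off by default)
pam_ssh_enabled() {              # $1 = root dir
    d="$1/etc/pam.d"
    [ -d "$d" ] && grep -Eq '^[^#]*pam_ssh' "$d"/* 2>/dev/null
}
# 3. plaintext private keys: a PEM key OpenSSL encrypted carries a
#    "Proc-Type: 4,ENCRYPTED" header, so a key without one needs no
#    passphrase and pam_ssh would accept any login. Prints each such key.
unencrypted_ssh_keys() {         # $1 = home dir; returns 0 if any found
    found=1
    for k in "$1"/.ssh/id_rsa "$1"/.ssh/id_dsa; do
        [ -f "$k" ] || continue
        grep -q 'ENCRYPTED' "$k" || { echo "$k"; found=0; }
    done
    return $found
}
# 4. users whose ftp login is chrooted into their home directory
ftpchroot_users() {              # $1 = root dir; prints one user per line
    f="$1/etc/ftpchroot"
    [ -f "$f" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$f" | awk '{ print $1 }'
}
# 5. named (BIND 9) started from rc.conf
named_enabled() {                # $1 = root dir
    f="$1/etc/rc.conf"
    [ -f "$f" ] && grep -Eq '^[[:space:]]*named_enable="?[Yy][Ee][Ss]"?' "$f"
}
# Summarise what needs patching or disabling on this host.
audit_report() {                 # $1 = root dir, $2 = home dir to inspect
    telnetd_enabled "$1" && echo "telnetd enabled: patch or remove it from inetd.conf"
    pam_ssh_enabled "$1" && echo "pam_ssh active: patch it, or disable it until then"
    unencrypted_ssh_keys "$2" | sed 's/^/plaintext key (pam_ssh bypass): /'
    ftpchroot_users "$1" | sed 's/^/ftpchroot user (chroot root exec): /'
    named_enabled "$1" && echo "named enabled: apply the BIND fix"
    return 0
}
```

Run `audit_report / /home/someuser` as root; each printed line maps to one of the five reports above.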


    Via OpenNet.ru

    Let me remind you that recently there was also a fix for a critical vulnerability.
