Kerberos telnet Crafted Username Remote Authentication Bypass

high Nessus Plugin ID 24998

Synopsis

It is possible to log into the remote host using telnet without supplying any credentials.

Description

An authentication bypass vulnerability exists in the MIT krb5 telnet daemon because telnetd passes the client-supplied username to login.krb5 without sanitizing it, so a username beginning with '-e' is interpreted by login.krb5 as a command-line flag rather than as a user name. A remote attacker can exploit this, via a crafted username, to make login.krb5 execute part of the BSD rlogin protocol, which in turn lets the attacker log in as an arbitrary user without a password or any further authentication.
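The bypass described above is an instance of argument injection: a daemon places a client-supplied string into the argv of a privileged helper, and a string beginning with '-' is consumed by that helper's option parser instead of being treated as data. The C program below is an added example and is not MIT's telnetd or login.krb5 source; it models the vulnerable argv construction beside a hardened one and runs both over constructed sample usernames (a legitimate name and a name beginning with '-e', as the advisory describes). The function names, LOGIN_ARGV_MAX, the 32-character limit and the character whitelist are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the argument-injection pattern behind this advisory.
 * This is NOT MIT's telnetd or login.krb5 code: it models a daemon that hands
 * a client-supplied username to the login program as an argv element.
 */

#define LOGIN_ARGV_MAX 8   /* assumed bound for the illustration */

/* Vulnerable pattern: the client-supplied username lands in argv unchanged,
 * so "-e..." reaches login's option parser as a flag rather than as a name.
 * Returns the number of arguments placed in argv_out (NULL-terminated). */
size_t build_login_argv_vulnerable(const char *user, const char *argv_out[LOGIN_ARGV_MAX])
{
    size_t n = 0;
    argv_out[n++] = "login";
    argv_out[n++] = "-p";      /* preserve environment, as telnet daemons commonly do */
    argv_out[n++] = user;      /* attacker-controlled, unsanitized */
    argv_out[n] = NULL;
    return n;
}

/* What a getopt-style parser does with one argv element: a leading '-' makes
 * it an option. Returns 1 if `arg` would be consumed as an option. */
int parsed_as_option(const char *arg)
{
    return arg != NULL && arg[0] == '-';
}

/* Conservative username policy (assumed): non-empty, at most 32 bytes, first
 * character a letter or underscore, the rest alphanumeric, '_', '-' or '.'.
 * This rejects every name beginning with '-' (the class this advisory covers)
 * and anything else an option parser or shell might reinterpret. */
int username_is_safe(const char *user)
{
    size_t len;
    if (user == NULL) return 0;
    len = strlen(user);
    if (len == 0 || len > 32) return 0;
    if (!((user[0] >= 'a' && user[0] <= 'z') ||
          (user[0] >= 'A' && user[0] <= 'Z') || user[0] == '_'))
        return 0;
    for (size_t i = 1; i < len; i++) {
        char c = user[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Hardened pattern: reject unsafe names outright (returns 0, argv_out[0] is
 * NULL) and, for accepted names, end option parsing with "--" before the
 * username as defence in depth. The "--" only helps if login's parser honours
 * it (getopt does), which is why the rejection check is the primary control. */
size_t build_login_argv_hardened(const char *user, const char *argv_out[LOGIN_ARGV_MAX])
{
    size_t n = 0;
    argv_out[0] = NULL;
    if (!username_is_safe(user)) return 0;
    argv_out[n++] = "login";
    argv_out[n++] = "-p";
    argv_out[n++] = "--";
    argv_out[n++] = user;
    argv_out[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed inputs: a legitimate name and a name beginning with "-e". */
    const char *inputs[] = { "alice", "-e root" };
    for (size_t i = 0; i < 2; i++) {
        const char *argv_v[LOGIN_ARGV_MAX], *argv_h[LOGIN_ARGV_MAX];
        size_t nv = build_login_argv_vulnerable(inputs[i], argv_v);
        size_t nh = build_login_argv_hardened(inputs[i], argv_h);
        printf("username \"%s\": vulnerable argv[%zu]=\"%s\" parsed as option: %s; hardened: %s\n",
               inputs[i], nv - 1, argv_v[nv - 1],
               parsed_as_option(argv_v[nv - 1]) ? "yes" : "no",
               nh ? "accepted" : "rejected");
    }
    return 0;
}
```

Running it shows that the vulnerable builder forwards "-e root" as an element the option parser treats as a flag, while the hardened builder refuses the name before any helper is invoked. The same whitelist-then-"--" pattern applies wherever a network daemon forwards client-controlled strings into argv of setuid or privileged programs.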

Solution

Apply the fixes described in MIT krb5 Security Advisory 2007-001, or contact your vendor for a patch.

See Also

http://www.nessus.org/u?0ed21002

Plugin Details

Severity: High

ID: 24998

File Name: krb_telnet_env.nasl

Version: 1.29

Type: remote

Published: 4/5/2007

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mit:kerberos

Excluded KB Items: global_settings/supplied_logins_only

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 4/3/2007

Exploitable With

CANVAS (D2ExploitPack)

Reference Information

CVE: CVE-2007-0956

BID: 23281

CERT: 220816