Detections
Analytics

Debian dla-4527 : inetutils-ftp - security update

high Nessus Plugin ID 307667

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4527 advisory.

 ------------------------------------------------------------------------- Debian LTS Advisory DLA-4527-1 [email protected] https://www.debian.org/lts/security/ Andreas Henriksson April 11, 2026 https://wiki.debian.org/LTS
 -------------------------------------------------------------------------

 Package : inetutils Version : 2:2.0-1+deb11u4 CVE ID : CVE-2026-28372 CVE-2026-32746 CVE-2026-32772 Debian Bug : 1130741 1130742

 Several vulnerabilities were discovered in the inetutils implementation of telnetd and telnet, which may result in privilege escalation or information disclosure.

 CVE-2026-28372

 Ron Ben Yizhak from SafeBreach found that the fix for CVE-2026-24061 was not complete and can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40.

 While Debian bullseye does not include util-linux 2.40 this problem does thus not affect it, but was still addressed in case someone manually updates util-linux and thus exposes this vulnerability.

 CVE-2026-32746

 Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel of DREAM Security Research Team found that the telnetd server has a buffer overflow in the LINEMODE SLC (Set Local Characters) suboption handler.
 This can lead to potential pre-login remote code execution.

 CVE-2026-32772

 Justin Swartz discovered that telnet allows servers to read arbitrary environment variables from clients via NEW_ENVIRON SEND USERVAR.
 This can lead to information disclosure.

 For Debian 11 bullseye, these problems have been fixed in version 2:2.0-1+deb11u4.

 We recommend that you upgrade your inetutils packages.

 For the detailed security status of inetutils please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/inetutils

 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
 signature.asc Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the inetutils-ftp packages.

See Also

https://security-tracker.debian.org/tracker/source-package/inetutils

https://security-tracker.debian.org/tracker/CVE-2026-24061

https://security-tracker.debian.org/tracker/CVE-2026-28372

https://security-tracker.debian.org/tracker/CVE-2026-32746

https://security-tracker.debian.org/tracker/CVE-2026-32772

https://packages.debian.org/source/bullseye/inetutils

Plugin Details

Severity: High

ID: 307667

File Name: debian_DLA-4527.nasl

Version: 1.2

Type: Local

Agent: unix

Published: 4/21/2026

Updated: 4/21/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.5

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-28372

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:inetutils-ftp, p-cpe:/a:debian:debian_linux:inetutils-ftpd, p-cpe:/a:debian:debian_linux:inetutils-inetd, p-cpe:/a:debian:debian_linux:inetutils-ping, p-cpe:/a:debian:debian_linux:inetutils-syslogd, p-cpe:/a:debian:debian_linux:inetutils-talk, p-cpe:/a:debian:debian_linux:inetutils-talkd, p-cpe:/a:debian:debian_linux:inetutils-telnet, p-cpe:/a:debian:debian_linux:inetutils-telnetd, p-cpe:/a:debian:debian_linux:inetutils-tools, p-cpe:/a:debian:debian_linux:inetutils-traceroute

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/11/2026

Vulnerability Publication Date: 1/21/2026

CISA Known Exploited Vulnerability Due Dates: 2/16/2026

Reference Information

CVE: CVE-2026-24061, CVE-2026-28372, CVE-2026-32746, CVE-2026-32772