Bug 26451

Summary: krb5-appl new security issue CVE-2020-10188
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=26296
Whiteboard: MGA7-64-OK
Source RPM: krb5-appl-1.0.3-11.mga8.src.rpm CVE:
Status comment:

Description David Walser 2020-04-07 15:54:26 CEST 
+++ This bug was initially created as a clone of Bug #26296 +++

A blog post was published on February 28 detailing the exploit:
https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html

I don't see anything about a fix for the issue.

Given that we have two other telnet implementations packaged (in krb5-appl and heimdal), I don't see a purpose in retaining this insecure and unmaintained software.  It should be dropped from Cauldron.

Mageia 7 is also affected.

EDIT: So it turns out this has a CVE and krb5-appl is also affected by it.

RedHat has issued an advisory for this today (April 7):
https://access.redhat.com/errata/RHSA-2020:1349

So we should be able to pull a fix from them for krb5-appl, and maybe there will be a way to apply it to netkit-telnetd too (although the latter should still be dropped in Cauldron).
David Walser 2020-04-07 15:54:54 CEST

Status comment: (none) => Patch available from RedHat
Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-04-08 09:36:30 CEST 
The remarks above about dropping a package refer to *netkit-telnetd* Bug #26296.

For this bug, 'krb5-appl' shows no obvious maintainer, so assigning it globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2020-04-08 10:57:17 CEST 
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 3 David Walser 2020-04-08 16:55:16 CEST 
Advisory:
========================

Updated krb5-appl packages fix security vulnerability:

A vulnerability was found where incorrect bounds checks in the telnet server’s
(telnetd) handling of short writes and urgent data, could lead to information
disclosure and corruption of heap data. An unauthenticated remote attacker
could exploit these bugs by sending specially crafted telnet packets to achieve
arbitrary code execution in the telnet server (CVE-2020-10188).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10188
https://access.redhat.com/errata/RHSA-2020:1349
========================

Updated packages in core/updates_testing:
========================
krb5-appl-servers-1.0.3-10.1.mga7
krb5-appl-clients-1.0.3-10.1.mga7

from krb5-appl-1.0.3-10.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
Status comment: Patch available from RedHat => (none)
Version: Cauldron => 7

Comment 4 Thomas Andrews 2020-04-09 20:03:02 CEST 
It's been a very long time since I used telnet, and I've forgotten most of what I knew. I never did know anything about the server side of things. But...

Installed both packages, then used telnet to check my own router for open ports. The connection was refused at closed ports, but made at open ones, as it should.

Updated both packages. Both installed cleanly. Tried the test again, with the same results. 

I'm going to give this an OK on the basis of a clean install, and because the simple test I did didn't turn up any regressions. 

Validating. Advisory in Comment 3. If my tests are inadequate, please feel free to un-validate.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update

Comment 5 Dave Hodgins 2020-04-10 02:26:54 CEST 
Just tested basic kerberos functionality as per
https://wiki.mageia.org/en/QA_procedure:Krb5

[dave@i7v ~]$ kinit
Password for dave@I7V.HODGINS.HOMEIP.NET: 
[dave@i7v ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_2000
Default principal: dave@I7V.HODGINS.HOMEIP.NET

Valid starting       Expires              Service principal
2020-04-09 20:18:40  2020-04-10 20:18:40  krbtgt/I7V.HODGINS.HOMEIP.NET@I7V.HODGINS.HOMEIP.NET
        renew until 2020-04-09 20:18:40
[dave@i7v ~]$ krlogin $(hostname)
This rlogin session is encrypting all data transmissions.
Last login: Thu Apr  9 20:18:12 on :0

No regressions found.

CC: (none) => davidwhodgins

Thomas Backlund 2020-04-15 10:32:45 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-04-15 12:13:52 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0169.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED