A blog post was published on February 28 detailing the exploit: https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html I don't see anything about a fix for the issue. Given that we have two other telnet implementations packaged (in krb5-appl and heimdal), I don't see a purpose in retaining this insecure and unmaintained software. It should be dropped from Cauldron. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
> I don't see a purpose in retaining this insecure and unmaintained software Pretty damning. If it it easy enough to drop from Cauldron, who decides & does that? And what do we do about M7 - how do we alert users (if any)? And to whom can this be assigned?
CC: (none) => lewyssmith
Status comment: (none) => Package should be droppedAssignee: bugsquad => pkg-bugs
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=26451
There may be a fix for this (see Bug 26451).
Summary: netkit-telnetd is remotely exploitable => netkit-telnetd is remotely exploitable (CVE-2020-10188)
CC: lewyssmith => (none)
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory: ======================== Updated netkit-telnetd packages fix security vulnerability: A vulnerability was found where incorrect bounds checks in the telnet server’s (telnetd) handling of short writes and urgent data, could lead to information disclosure and corruption of heap data. An unauthenticated remote attacker could exploit these bugs by sending specially crafted telnet packets to achieve arbitrary code execution in the telnet server (CVE-2020-10188). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10188 https://access.redhat.com/errata/RHSA-2020:1349 ======================== Updated packages in core/updates_testing: ======================== netkit-telnet-0.17-18.1.mga7 netkit-telnet-server-0.17-18.1.mga7 from netkit-telnet-0.17-18.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)Version: Cauldron => 7Assignee: pkg-bugs => qa-bugsStatus comment: Package should be dropped => (none)
MGA7-64 Plasma on Lenovo B50. When selecting the updates in MCC I get "The following package has to be removed for others to be upgraded: krb5-appl-clients-1.0.3-10.mga7.x86_64 (due to conflicts with netkit-telnet). Continuing after accepting this.
CC: (none) => herman.viaene
Installation completes OK. Trying the telnet command: $ telnet <desktop> Trying 192.168.2.1... telnet: connect to address 192.168.2.1: Connection timed out Which is expected as this one has firewall active. Running httpd this laptop and then. $ telnet <laptop> 80 Trying 192.168.2.5... Connected to mach5. Escape character is '^]'. So that one works. But the server side has a telnetd command (unknown service after installation). Tried to run it as command, but got lost in its parrameters. Googled, but what I found is beyond me.
Interesting, looks like netkit-telnet-server doesn't ship a way to run it. You can probably steal /etc/xinetd.d/krb5-telnet from krb5-appl-servers and use it to run /usr/sbin/telnetd from netkit-telnet-server through xinetd.
Keywords: (none) => advisoryCC: (none) => tmb
@David Checked, there is no such thing as /etc/xinetd.d/krb5-telnet on my system, and xinetd is untrodden territory for me right now. I don(t fancy installing krb5-appl-servers just for the case here and nt really knwing what I am doing.
Just push it then.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0211.html
Status: NEW => RESOLVEDResolution: (none) => FIXED