Cisco has warned of a vulnerability in the telnet server used in its IronPort Email Security Appliances (ESA) and IronPort Security Management Appliances (SMA) monitoring solutions. An attacker could exploit the vulnerability to execute code remotely on a system by sending a specially crafted command to the telnet daemon (telnetd).

A buffer overflow in the encrypt_keyid() function lets an attacker inject code, which the server then executes with system privileges. Cisco has yet to provide its customers with a patch. Users who wish to prevent their systems from being compromised need to deactivate the telnet server; instructions for doing so can be found in the advisory.

The vulnerability in telnetd was first described in mid-December of last year in connection with FreeBSD. Shortly thereafter it became clear that the vulnerability could also be exploited under Linux. Few systems are likely to still be running telnet servers, however.

Updates are available for many distributions, including Red Hat and Debian. Kerberos 5 (krb5-appl) up to and including version 1.0.2 and Heimdal up to and including version 1.5.1 are also affected. The vulnerability is already being actively exploited, and an exploit for it is freely available.

See also:

Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability, a Cisco advisory.

(ehe)