CVE-2022-39028
https://notcve.org/view.php?id=CVE-2022-39028
telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a "telnet/tcp server failing (looping), service terminated" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8. telnetd en GNU Inetutils versiones hasta 2.3, MIT krb5-appl versiones hasta 1.0.3, y trabajos derivados presenta una desreferencia de puntero NULL por medio de 0xff 0xf7 o 0xff 0xf8. • https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=113da8021710d871c7dd72d2a4d5615d42d64289 https://lists.debian.org/debian-lts-announce/2022/11/msg00033.html https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html • CWE-476: NULL Pointer Dereference •
CVE-2020-10188 – telnet-server: no bounds checks in nextitem() function allows to remotely execute arbitrary code
https://notcve.org/view.php?id=CVE-2020-10188
utility.c in telnetd in netkit telnet through 0.17 allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions. El archivo utility.c en telnetd en netkit telnet versiones hasta 0.17, permite a atacantes remotos ejecutar código arbitrario por medio de escrituras cortas o datos urgentes, debido a un desbordamiento del búfer que involucra a las funciones netclear y nextitem. A vulnerability was found where incorrect bounds checks in the telnet server’s (telnetd) handling of short writes and urgent data, could lead to information disclosure and corruption of heap data. An unauthenticated remote attacker could exploit these bugs by sending specially crafted telnet packets to achieve arbitrary code execution in the telnet server. • https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html https://github.com/krb5/krb5-appl/blob/d00cd671dfe945791b33d4f1f6a5c57ae1667ef8/telnet/telnetd/utility.c#L205-L216 https://lists.debian.org/debian-lts-announce/2020/05/msg00012.html https://lists.debian.org/debian-lts-announce/2020/08/msg00038.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7FMTRRQTYKWZD2GMXX3GLZV46OLPCLVK https://lists.fedoraproject.org/archives/list/package-announce%40l • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •