CVE-2011-4862

FreeBSD - Telnet Service Encryption Key ID Buffer Overflow

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.

Desbordamiento de búfer basado en pila en libtelnet/encrypt.c en telnetd en FreeBSD v7.3 hasta v9.0, MIT Kerberos Version v5 Applications (también conocido como krb5-appl) v1.0.2 y anteriores, y Heimdal v1.5.1 y anteriores, permite a atacantes remotos ejecutar código de su elección a través de una clave de cifrado larga, como fue explotado en Diciembre 2011.

The Cisco Ironport WSA virtual appliances are vulnerable to an old FreeBSD telnetd encryption Key ID buffer overflow which allows remote attackers to execute arbitrary code. Cisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2011-12-19 CVE Reserved
2011-12-25 CVE Published
2011-12-26 First Exploit
2024-08-07 CVE Updated
2025-03-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CAPEC

References (52)

URL	Tag	Source
http://archives.neohapsis.com/archives/bugtraq/2011-12/0172.html	Broken Link
http://osvdb.org/78020	Broken Link
http://secunia.com/advisories/46239	Third Party Advisory
http://secunia.com/advisories/47341	Third Party Advisory
http://secunia.com/advisories/47348	Third Party Advisory
http://secunia.com/advisories/47357	Third Party Advisory
http://secunia.com/advisories/47359	Third Party Advisory
http://secunia.com/advisories/47373	Third Party Advisory
http://secunia.com/advisories/47374	Third Party Advisory
http://secunia.com/advisories/47397	Third Party Advisory
http://secunia.com/advisories/47399	Third Party Advisory
http://secunia.com/advisories/47441	Third Party Advisory
http://www.securitytracker.com/id?1026460	Third Party Advisory
http://www.securitytracker.com/id?1026463	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/71970	Third Party Advisory
https://www.rapid7.com/blog/post/2011/12/28/more-fun-with-bsd-derived-telnet-daemons

URL	Date	SRC
https://packetstorm.news/files/id/180955	2024-08-31
https://www.exploit-db.com/exploits/18369	2012-01-14
https://www.exploit-db.com/exploits/18368	2012-01-14
https://www.exploit-db.com/exploits/18280	2011-12-26
https://github.com/hdbreaker/GO-CVE-2011-4862	2017-02-02
https://github.com/kpawar2410/CVE-2011-4862	2020-02-12
https://github.com/lol-fi/cve-2011-4862	2018-12-04
http://www.exploit-db.com/exploits/18280	2024-08-07

URL	Date	SRC
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=665f1e73cdd9b38e2d2e11b8db9958a315935592	2021-02-09
http://security.freebsd.org/patches/SA-11:08/telnetd.patch	2021-02-09
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-008.txt	2021-02-09

URL	Date	SRC
http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071627.html	2021-02-09
http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071640.html	2021-02-09
http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006117.html	2021-02-09
http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006118.html	2021-02-09
http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006119.html	2021-02-09
http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006120.html	2021-02-09
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00002.html	2021-02-09
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00004.html	2021-02-09
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00005.html	2021-02-09
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00007.html	2021-02-09
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00010.html	2021-02-09
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00011.html	2021-02-09
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00014.html	2021-02-09
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00015.html	2021-02-09
http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc	2021-02-09
http://www.debian.org/security/2011/dsa-2372	2021-02-09
http://www.debian.org/security/2011/dsa-2373	2021-02-09
http://www.debian.org/security/2011/dsa-2375	2021-02-09
http://www.mandriva.com/security/advisories?name=MDVSA-2011:195	2021-02-09
http://www.redhat.com/support/errata/RHSA-2011-1851.html	2021-02-09
http://www.redhat.com/support/errata/RHSA-2011-1852.html	2021-02-09
http://www.redhat.com/support/errata/RHSA-2011-1853.html	2021-02-09
http://www.redhat.com/support/errata/RHSA-2011-1854.html	2021-02-09
https://access.redhat.com/security/cve/CVE-2011-4862	2011-12-28
https://bugzilla.redhat.com/show_bug.cgi?id=770325	2011-12-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gnu Search vendor "Gnu"		Inetutils Search vendor "Gnu" for product "Inetutils"				< 1.9 Search vendor "Gnu" for product "Inetutils" and version " < 1.9"		-		Affected
Heimdal Project Search vendor "Heimdal Project"		Heimdal Search vendor "Heimdal Project" for product "Heimdal"				<= 1.5.1 Search vendor "Heimdal Project" for product "Heimdal" and version " <= 1.5.1"		-		Affected
Mit Search vendor "Mit"		Krb5-appl Search vendor "Mit" for product "Krb5-appl"				<= 1.0.2 Search vendor "Mit" for product "Krb5-appl" and version " <= 1.0.2"		-		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				>= 7.3 <= 9.0 Search vendor "Freebsd" for product "Freebsd" and version " >= 7.3 <= 9.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				15 Search vendor "Fedoraproject" for product "Fedora" and version "15"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				16 Search vendor "Fedoraproject" for product "Fedora" and version "16"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				5.0 Search vendor "Debian" for product "Debian Linux" and version "5.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				6.0 Search vendor "Debian" for product "Debian Linux" and version "6.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				11.3 Search vendor "Opensuse" for product "Opensuse" and version "11.3"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				11.4 Search vendor "Opensuse" for product "Opensuse" and version "11.4"		-		Affected
Suse Search vendor "Suse"		Linux Enterprise Desktop Search vendor "Suse" for product "Linux Enterprise Desktop"				10 Search vendor "Suse" for product "Linux Enterprise Desktop" and version "10"		sp4		Affected
Suse Search vendor "Suse"		Linux Enterprise Desktop Search vendor "Suse" for product "Linux Enterprise Desktop"				11 Search vendor "Suse" for product "Linux Enterprise Desktop" and version "11"		sp1		Affected
Suse Search vendor "Suse"		Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server"				9 Search vendor "Suse" for product "Linux Enterprise Server" and version "9"		-		Affected
Suse Search vendor "Suse"		Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server"				10 Search vendor "Suse" for product "Linux Enterprise Server" and version "10"		sp2		Affected
Suse Search vendor "Suse"		Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server"				10 Search vendor "Suse" for product "Linux Enterprise Server" and version "10"		sp3, ltss		Affected
Suse Search vendor "Suse"		Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server"				10 Search vendor "Suse" for product "Linux Enterprise Server" and version "10"		sp4		Affected
Suse Search vendor "Suse"		Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server"				11 Search vendor "Suse" for product "Linux Enterprise Server" and version "11"		sp1		Affected
Suse Search vendor "Suse"		Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server"				11 Search vendor "Suse" for product "Linux Enterprise Server" and version "11"		sp1, vmware		Affected
Suse Search vendor "Suse"		Linux Enterprise Software Development Kit Search vendor "Suse" for product "Linux Enterprise Software Development Kit"				10 Search vendor "Suse" for product "Linux Enterprise Software Development Kit" and version "10"		sp4		Affected
Suse Search vendor "Suse"		Linux Enterprise Software Development Kit Search vendor "Suse" for product "Linux Enterprise Software Development Kit"				11 Search vendor "Suse" for product "Linux Enterprise Software Development Kit" and version "11"		sp1		Affected