FNAL Critical Vulnerability Product: Telnet server (telnetd) remote code execution (multiple vendors) Patch by: 1/17/2012 Platform: BSD, Linux, OSX (unconfirmed), MIT Kerberos, Heimdal Kerberos, other vendors using the telnet service daemon (telnetd) compiled to use encryption Host Remediation: Apply patches from your OS or product vendor when available. Use FNAL VPN to access the telnetd service. Use SSH instead of telnet. Use a local firewall (e.g., IP Tables) to prevent exposure of an unintended telnet service. SLF 4 and prior - NO PATCHES WILL BE AVAILABLE (SLF4 is end of life on 02-02/2012) SL 5/6 patches available in SL repos SLF 5/6 patches available on 12/28/2011 FreeBSD patches available on vendor web site MIT Kerberos source code patches available FNAL Site Actions: An inbound Internet block for the telnet service (tcp/23) is being implemented at the FNAL site boundary for the foreseeable future. CST is monitoring for exploits in the wild and are working up a detector to block vulnerable machines (after the advertised patch-by date). References: CVE-2011-4862 |
For
assistance contact servicedesk@fnal.gov.
Information compiled and maintained by Computer Security Team ; last modified on Nov 11, 2011. (Address comments about page to the Computer Security Team.) |