VN-2020-454 – Vulnerability in netkit-telnetd
Article Type: Vulnerability Notice
Extreme Networks is reviewing and evaluating product and software exposure to CVE-2020-10188 which affects the netkit-telnetd package (versions 0.17 and prior).
This vulnerability is rated “critical” according to its CVSS score (9.8), and successful exploitation can result in remote code execution (RCE) against a target by an unauthenticated attacker. Any operating system that uses the telnetd built from utility.c in netkit telnet through version 0.17 is potentially affected.
Products Potentially Affected
Currently shipping versions of SLX-OS and Network OS (NOS) are affected:
Exploitation of a buffer overflow reachable through the netclear() and nextitem() functions in the utility.c file of netkit-telnetd 0.17 (and prior) can grant remote code execution to an unauthenticated attacker.
Because telnetd listens on a privileged port, it runs as root; successful exploitation therefore gives the attacker root-level access as well.
Extreme recommends using SSH instead of telnet for device access in general, as SSH is significantly more secure. Disabling telnet access and using SSH prevents attackers from exploiting this vulnerability.
The vulnerability itself will be patched in the following releases:
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.