FreeBSD fixes five vulnerabilities, including a critical root vulnerability in telnetd
Security advisories have been released for five vulnerabilities affecting the base system of all supported FreeBSD branches (RELENG_7, RELENG_8, RELENG_9):
Remote code execution through the telnetd daemon, which has been disabled in the default configuration since 2001. The problem is a buffer overflow when receiving encryption keys over the TELNET protocol: a fixed-size buffer is allocated and the size of the incoming key is not checked, so the tail of the key can be written past the end of the buffer. As a result, an unauthenticated attacker can execute code on the server with the privileges of the telnet daemon, which is usually run as root. The vulnerability affects every system on which telnetd is enabled and the associated network port is reachable;
Missing validation of the service name in pam_start() allows a local user to elevate privileges by arranging for their own library to be loaded with root privileges while PAM services are loaded. To carry out the attack, an attacker must be able to pass the service name to pam_start() through a non-base application, for example via the kcheckpass utility that is part of the kde4 port;
Improper access granted by the pam_ssh PAM module when a user has created unencrypted private SSH keys. The pam_ssh module allows local logins to be authenticated with the passphrase used to encrypt the user's SSH keys located in the ~/.ssh directory. By default, authentication is only meant to succeed when the SSH key has a passphrase, but the OpenSSL library ignores the password argument when the key is not encrypted, which allows logging in without a password as any user who has such unencrypted keys. The problem only manifests when pam_ssh is enabled in the configuration, which is not the case by default;
Code execution with root privileges inside a chroot environment when a user is allowed to log in via FTP and is chrooted into their home directory (via /etc/ftpchroot). Read more about the vulnerability here.
Remote denial of service against a DNS server running named (BIND 9) from the base distribution. An attacker can crash the server process by crafting a request handled by the targeted DNS server. The attacker does not need to be able to resolve names through the victim's DNS server directly; the victim's server can be made to contact the attacker's own DNS server indirectly, for example when a user of the attacked DNS server tries to open a link in a browser or a spam filter runs a check.
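The telnetd item above describes a fixed-size buffer receiving a peer-supplied encryption key without a length check. The following is an added C illustration of that pattern and its fix, written for this page and not taken from FreeBSD's telnetd; the buffer size, struct and function names are assumptions chosen for the example.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not FreeBSD's telnetd source: the buffer size and
 * the function names are assumptions chosen for this example. */
#define MAX_KEY_ID_LEN 64

/* Fixed-size storage for the key identifier carried by the TELNET
 * ENCRYPT suboption. The flaw described above is an unchecked copy of
 * the form
 *     memcpy(st->key_id, data, len);      (len comes from the peer)
 * which writes past key_id whenever len > MAX_KEY_ID_LEN. */
struct key_id_state {
    unsigned char key_id[MAX_KEY_ID_LEN];
    size_t key_id_len;
};

/* Hardened copy: validate the wire-supplied length against the real
 * capacity of the destination before touching it.
 * Returns 0 when the key is stored, -1 when it is rejected. */
static int store_key_id_checked(struct key_id_state *st,
                                const unsigned char *data, size_t len)
{
    if (st == NULL || data == NULL || len == 0 || len > sizeof(st->key_id))
        return -1;
    memcpy(st->key_id, data, len);
    st->key_id_len = len;
    return 0;
}

/* Helper: feed a constructed key of `len` bytes (all 'A') through the
 * checked path. The sample buffer is sized for the largest case this
 * example exercises; it is constructed input, not captured traffic. */
static int accepts_key_of_length(size_t len)
{
    unsigned char sample[256];
    struct key_id_state st;
    if (len > sizeof(sample))
        return -1;
    memset(sample, 'A', len);
    memset(&st, 0, sizeof(st));
    return store_key_id_checked(&st, sample, len);
}

int main(void)
{
    /* A 16-byte key fits; a 200-byte key must be refused. */
    return (accepts_key_of_length(16) == 0 &&
            accepts_key_of_length(200) == -1) ? 0 : 1;
}
```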