7.5 CVE-2022-39028


telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a "telnet/tcp server failing (looping), service terminated" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.
https://nvd.nist.gov/vuln/detail/CVE-2022-39028

Categories

CWE-476 : NULL Pointer Dereference
NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.


CPE

cpe start end
Configuration 1
cpe:2.3:a:gnu:inetutils:*:*:*:*:*:*:*:* <= 2.3
Configuration 2
cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:* <= 1.0.3
Configuration 3
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Patch

Url
https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=113da8021710d871c7dd72d2a4d5615d42d64289
https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html

Exploits

Exploit-db.com
id description date
No known exploits
Other (github, ...)
Url
https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html

CAPEC

id description severity
No entry
