Threat Level: green Handler on Duty: Russ McRee

SANS ISC Internet Storm Center


telnetd rulez: Cisco Ironport WSA Telnetd Remote Code Execution Vulnerability

Published: 2014-10-22
Last Updated: 2014-10-22 22:09:28 UTC
by Russ McRee (Version: 1)

Glafkos sent us his vulnerability advisory for a remote code execution vuln he'd identified and reported in Cisco's Ironport WSA Telnetd.

Vendor: Cisco
Product web page:
Affected version: Cisco Ironport WSA - AsyncOS 8.0.5 for Web build 075
Date: 22/05/2014
Credits: Glafkos Charalambous
CVE: CVE-2011-4862
CVSS Score: 7.6
Impact: Unauthenticated Remote Code Execution with elevated privileges
Description: The Cisco Ironport WSA virtual appliances are vulnerable to an old FreeBSD telnetd encryption Key ID buffer overflow which allows remote attackers to execute arbitrary code (CVE-2011-4862).
Cisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default.


Nice work by Glafkos but what you can't see is me shaking my head. *sigh*
I'll repeat the facepalm-inspiring statement again: "Cisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default."
Still, with the telnets? And on by default?
From the related FreeBSD advisory:
"The FreeBSD telnet daemon, telnetd(8), implements the server side of the
TELNET virtual terminal protocol.  It has been disabled by default in
FreeBSD since August 2001, and due to the lack of cryptographic security
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead."

See if this sums it up for you, courtesy of Glafkos:
Connected to
Escape character is '^]'.

[+] Exploiting, telnetd rulez!
[+] Target OS - FreeBSD 8.2 amd64
[*] Enjoy your shell

Disable telnetd!
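
For hosts where telnetd cannot be switched off right away, one way to spot the oversized Key ID that the advisory describes is to inspect the client-to-server TELNET stream. The code below is an added example, not part of Glafkos's advisory or this diary. The option and subcommand numbers come from RFC 2946; the 64-byte limit (MAXKEYLEN in BSD libtelnet), the function names and the sample streams are assumptions of this example.

```python
"""Flag TELNET ENCRYPT key-ID suboptions longer than telnetd's key buffer."""

IAC, SB, SE = 255, 250, 240      # TELNET command bytes (RFC 854/855)
OPT_ENCRYPT = 38                 # ENCRYPT option (RFC 2946)
KEYID_CMDS = {7: "ENC_KEYID", 8: "DEC_KEYID"}
MAXKEYLEN = 64                   # assumption: key-ID buffer size in BSD libtelnet


def suboptions(stream: bytes):
    """Yield (option, payload) for each IAC SB ... IAC SE block in the stream."""
    i, n = 0, len(stream)
    while i + 2 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            # WILL/WONT/DO/DONT carry an option byte; IAC IAC and others are 2 bytes
            i += 3 if 251 <= stream[i + 1] <= 254 else 2
        else:
            option, payload, j = stream[i + 2], bytearray(), i + 3
            while j < n and stream[j:j + 2] != bytes([IAC, SE]):
                # IAC IAC inside a suboption is one escaped 0xFF data byte
                step = 2 if stream[j:j + 2] == bytes([IAC, IAC]) else 1
                payload.append(stream[j])
                j += step
            # An unterminated block (truncated capture) is still reported
            yield option, bytes(payload)
            i = j + 2


def oversized_keyids(stream: bytes, limit: int = MAXKEYLEN):
    """Return [(subcommand, key_id_length)] for key IDs longer than `limit`."""
    hits = []
    for option, payload in suboptions(stream):
        if option == OPT_ENCRYPT and payload and payload[0] in KEYID_CMDS:
            keyid_len = len(payload) - 1          # first byte is the subcommand
            if keyid_len > limit:
                hits.append((KEYID_CMDS[payload[0]], keyid_len))
    return hits


# Constructed sample streams (not captured traffic).
BENIGN = bytes([IAC, 253, OPT_ENCRYPT,                      # IAC DO ENCRYPT
                IAC, SB, OPT_ENCRYPT, 7, 0x01, IAC, SE])    # 1-byte key ID
SUSPECT = bytes([IAC, SB, OPT_ENCRYPT, 7]) + b"\x41" * 200 + bytes([IAC, SE])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, oversized_keyids(sample))
```

The input is expected to be a reassembled TCP payload for one direction of the session; any hit on a host that should not be speaking TELNET at all is worth an alert on its own.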
