“The SLC response is built in a fixed 108-byte buffer, slcbuf, with only 104 bytes used for data after a 4-byte header. The function add_slc() (lines 162-175) appends 3 bytes per SLC triplet but never checks whether the buffer is full. The pointer slcptr is simply incremented each time,” the company told the maintainers, according to a message to a GNU mailing list.
“After about 35 triplets […], the 104-byte area is exceeded and the code writes past the end of slcbuf. That corrupts whatever lies after it in BSS (including the slcptr pointer). Later, end_slc() uses the corrupted slcptr to write the suboption end marker, which gives the attacker an arbitrary write in memory. So the bug is a classic buffer overflow with no bounds check,” the message continued.
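The quoted description boils down to an append routine that advances a pointer without comparing it against the end of its buffer. The following C is an added illustration of the bounds-checked shape such a routine should have; it is not inetutils' code, and the names (slcbuf, add_slc, end_slc), the 4 + 104 byte layout and the 2-byte IAC SE terminator reservation are assumptions taken from the article rather than from the project source. It also tracks the write position as an index into the structure instead of a bare pointer in BSS, so a refused write cannot clobber the position itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Buffer layout assumed from the advisory text, not inetutils' own definitions:
 * a 4-byte header followed by a 104-byte data area, 108 bytes in total. */
#define SLC_HDR_LEN  4
#define SLC_DATA_LEN 104
#define SLC_BUF_LEN  (SLC_HDR_LEN + SLC_DATA_LEN)
#define SLC_END_LEN  2            /* room reserved for the IAC SE terminator */

#define TELNET_IAC 0xFF
#define TELNET_SE  0xF0

struct slc_state {
    unsigned char buf[SLC_BUF_LEN];
    size_t len;      /* next free index; an index, not a pointer living next to the buffer */
    size_t dropped;  /* triplets refused because the data area was full */
};

static void start_slc(struct slc_state *s)
{
    memset(s, 0, sizeof *s);
    s->len = SLC_HDR_LEN;         /* header bytes are left zeroed in this illustration */
}

/* Append one SLC triplet (function, modifier, value). Refuses the triplet and
 * returns false when accepting it would leave no room for the end marker. */
static bool add_slc(struct slc_state *s, unsigned char func,
                    unsigned char mod, unsigned char val)
{
    if (s->len + 3 + SLC_END_LEN > SLC_BUF_LEN) {
        s->dropped++;
        return false;
    }
    s->buf[s->len++] = func;
    s->buf[s->len++] = mod;
    s->buf[s->len++] = val;
    return true;
}

/* Terminate the suboption. The reservation in add_slc guarantees this fits. */
static size_t end_slc(struct slc_state *s)
{
    s->buf[s->len++] = TELNET_IAC;
    s->buf[s->len++] = TELNET_SE;
    return s->len;
}

/* Helpers that push n constructed triplets through the checked path. */
static size_t slc_accepted(size_t n)
{
    struct slc_state s;
    start_slc(&s);
    for (size_t i = 0; i < n; i++)
        add_slc(&s, (unsigned char)(i & 0xFF), 0, 0);
    return (s.len - SLC_HDR_LEN) / 3;   /* triplets actually stored */
}

static size_t slc_rejected(size_t n)
{
    struct slc_state s;
    start_slc(&s);
    for (size_t i = 0; i < n; i++)
        add_slc(&s, (unsigned char)(i & 0xFF), 0, 0);
    return s.dropped;
}

static size_t slc_final_len(size_t n)
{
    struct slc_state s;
    start_slc(&s);
    for (size_t i = 0; i < n; i++)
        add_slc(&s, (unsigned char)(i & 0xFF), 0, 0);
    return end_slc(&s);                 /* never exceeds SLC_BUF_LEN */
}
```

With the two terminator bytes reserved, 34 triplets (102 bytes) fill the data area exactly; the 35th, the one the advisory identifies as the first to overrun, is refused and counted instead of written, and end_slc() always lands inside the buffer.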
The maintainers prepared a patch the next day, planning to release it by April 1, according to a timeline in Dream’s advisory.
Vulnerable systems include embedded systems and IoT devices with an exposed Telnet interface; servers and appliances that listen on TCP port 23 and use the vulnerable codebase; and Linux distributions that ship inetutils and leave telnetd enabled or installable, including Debian, Ubuntu, RHEL and SUSE, Dream said.
“A single network connection to port 23 is sufficient to trigger the vulnerability. No credentials, no user interaction, and no special network position are required,” it said.
Dream advised various immediate workarounds until the software can be patched, including migrating to secure alternatives such as SSH and disabling telnetd or running it without root privileges. Where that is not possible, it advised blocking port 23 at the network perimeter and restricting its use to trusted hosts.
