• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Multiple Vendor System V Derived 'login' Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

The 'login' program is used in UNIX systems to authenticate users with a username and password. The utility is typically invoked at the console, by 'telnetd', 'rlogind', and if configured to do so, SSH.

Versions of 'login' descended from System V UNIX contain a buffer overflow when handling environment variables. Several operating systems such as Solaris/SunOS, HP-UX, AIX, IRIX, and Unixware contain vulnerable versions of 'login'.

Unauthenticated clients can exploit this issue to execute arbitrary code remotely through the remote access services that use 'login'. These services, namely telnet and rlogin, are often enabled on systems by default. Versions of SSH can be configured to use 'login' for authentication. Vulnerable hosts with such a configuration may be exploitable remotely through SSH.

Successful remote exploits could grant root access to an unauthenticated, anonymous attacker connecting from an external network. On systems where 'login' is installed setuid root, local attackers can elevate privileges.

Affected Products:

• Cisco Billing and Management Server 0.0.0
• Cisco PGW2200 PSTN Gateway 0.0.0
• Cisco Secure IDS Network Sensor 3.0.0
• Cisco Secure IDS Network Sensor 3.0.0 (2)S6
• Cisco Signaling Controller 2200 0.0.0
• Cisco Voice Services Provisioning Tool 0.0.0
• HP HP-UX (VVOS) 10.24.0
• HP HP-UX (VVOS) 11.0.4
• HP HP-UX 10.0.0
• HP HP-UX 10.0.01
• HP HP-UX 10.10.0
• HP HP-UX 10.20.0
• HP HP-UX 11.0.0
• HP HP-UX 11.11.0
• IBM AIX 4.3.0
• IBM AIX 4.3.1
• IBM AIX 4.3.2
• IBM AIX 4.3.3
• IBM AIX 5.1.0
• SCO Open Server 5.0.0
• SCO Open Server 5.0.1
• SCO Open Server 5.0.2
• SCO Open Server 5.0.3
• SCO Open Server 5.0.4
• SCO Open Server 5.0.5
• SCO Open Server 5.0.6
• SCO Open Server 5.0.6 a
• SGI IRIX 3.2.0
• SGI IRIX 3.3.0
• SGI IRIX 3.3.1
• SGI IRIX 3.3.2
• SGI IRIX 3.3.3
• Sun Solaris 2.0.0
• Sun Solaris 2.1.0
• Sun Solaris 2.2.0
• Sun Solaris 2.3.0
• Sun Solaris 2.4.0
• Sun Solaris 2.4.0_x86
• Sun Solaris 2.5.0
• Sun Solaris 2.5.0_x86
• Sun Solaris 2.5.1
• Sun Solaris 2.5.1_ppc
• Sun Solaris 2.5.1_x86
• Sun Solaris 2.6
• Sun Solaris 2.6_x86
• Sun Solaris 7.0
• Sun Solaris 7.0_x86
• Sun Solaris 8
• Sun Solaris 8_x86

References:

• CORE Security: System V login exploit
• CORE Security: telnetd-login exploit
• Caldera Systems: Caldera Security Advisories Page
• HP IT Resource Center: HP IT Resource Center (for Europe)
• HP IT Resource Center: HP IT Resource Center (for US, Canada, Asia-Pacific, & Latin-America)
• IBM: IBM Emergency Response Service
• Silicon Graphics Inc.: SGI Support
• Sun Microsystems: Sunsolve Online(tm)

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.