PT-2022-4813
Alexandre Torres
Published 2022-08-27 · Updated 2025-09-28
CVE-2022-39028
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
GNU Inetutils versions through 2.3
MIT krb5-appl versions through 1.0.3
Description
The telnetd application in the affected versions contains a NULL pointer dereference that is triggered by specific byte sequences, such as 0xff 0xf7 or 0xff 0xf8. In a typical installation, telnetd crashes, but the telnet service remains available because inetd spawns a new telnetd for the next connection. However, if telnetd crashes many times within a short time interval, inetd logs a "telnet/tcp server failing (looping), service terminated" error and the telnet service becomes unavailable.
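As an added defender-side example (not part of this advisory), the following Python code checks for the two indicators the description names: it parses a captured client-to-server telnet stream using the RFC 854 command framing and counts IAC EC (0xff 0xf7) and IAC EL (0xff 0xf8) commands, and it counts the inetd "looping" message in syslog lines. The telnet constants are the standard RFC 854 values; the sample stream is constructed.

```python
# Telnet constants (RFC 854): IAC prefixes every command byte.
IAC, SE, SB = 0xFF, 0xF0, 0xFA
EC, EL = 0xF7, 0xF8                      # the two commands the advisory names
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
ERASE_NAMES = {EC: "EC", EL: "EL"}
# The inetd message quoted in the advisory, logged when it gives up on telnetd.
INETD_LOOPING = "telnet/tcp server failing (looping), service terminated"
# Constructed sample: negotiation, subnegotiation, data, escaped 0xff, one IAC EC
SAMPLE_STREAM = b"\xff\xfd\x18\xff\xfa\x18\x00xterm\xff\xf0login\r\n\xff\xff\xf7\xff\xf7"


def parse_iac_commands(data: bytes) -> list[int]:
    """Return the telnet command bytes in a client-to-server stream.
    IAC IAC is an escaped literal 0xff; WILL/WONT/DO/DONT carry one option
    byte; SB ... IAC SE is skipped as opaque subnegotiation data."""
    cmds, i, n = [], 0, len(data)
    while i < n:
        if data[i] != IAC:
            i += 1
            continue
        if i + 1 >= n:
            break                        # truncated IAC at end of capture
        cmd = data[i + 1]
        i += 2
        if cmd == IAC:
            continue                     # escaped 0xff, not a command
        cmds.append(cmd)
        if cmd in (WILL, WONT, DO, DONT):
            i += 1                       # skip the option byte
        elif cmd == SB:
            while i + 1 < n:             # skip to IAC SE, honouring IAC IAC
                if data[i] == IAC:
                    i += 2
                    if data[i - 1] == SE:
                        break
                else:
                    i += 1
    return cmds


def count_erase_commands(data: bytes) -> dict[str, int]:
    """Count IAC EC / IAC EL, the sequences that crash the affected telnetd."""
    counts = {"EC": 0, "EL": 0}
    for cmd in parse_iac_commands(data):
        if cmd in ERASE_NAMES:
            counts[ERASE_NAMES[cmd]] += 1
    return counts


def inetd_looping_events(log_lines: list[str]) -> int:
    """Count inetd 'looping' terminations of telnet in a syslog excerpt."""
    return sum(1 for line in log_lines if INETD_LOOPING in line)
```

A single IAC EC or EL is a legitimate telnet command, so use the counts as an indicator to correlate with telnetd crash or inetd "looping" events rather than as an alert on its own.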
Recommendations
For GNU Inetutils versions through 2.3, consider disabling the telnetd application until a patch is available, to prevent denial-of-service attacks.
For MIT krb5-appl versions through 1.0.3, restrict access to the telnet service to minimize the risk of exploitation, as the affected code was removed from the supported MIT Kerberos 5 product many years ago.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
NULL Pointer Dereference
Affected Products
Gnu Inetutils
Linuxmint
Mit Krb5-Appl
Suse
Ubuntu