NULL Pointer Dereference in Telnet Service Leads to Potential Downtime for GNU Inetutils
CVE-2022-39028

7.5 HIGH

Key Information:

Vendor: GNU

Status
Vendor
CVE Published: 30 August 2022

What is CVE-2022-39028?

The telnetd component in GNU Inetutils, up to version 2.3, and MIT krb5-appl, up to version 1.0.3, is susceptible to a NULL pointer dereference triggered by specific byte sequences. When exploited, this vulnerability may lead to repeated crashes of the telnetd application. Initially, the application will crash without affecting the telnet service, which remains operational through inetd. However, if multiple crashes occur rapidly, inetd will halt the telnet service, logging a termination error. This issue is notable as some Linux distributions still package the affected version of MIT krb5-appl, a component that has not received upstream support for years, even though the faulty code was removed from the actively supported versions of MIT Kerberos.



CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
