COMMAND
	    telnetd
SYSTEMS AFFECTED
	    FreeBSD 3.x  (all releases),  FreeBSD 4.x  (all releases  prior to
	    4.2), FreeBSD  3.5.1-STABLE prior  to 2000-11-01  and 4.1.1-STABLE
	    prior to 2000-10-30
PROBLEM
	    Following is based on a FreeBSD-SA-00:69 Security Advisory.  This
	    was originally found by Jouko Pynnonen.
	    telnetd is the server for  the telnet remote login protocol.   The
	    telnet protocol allows for UNIX environment variables to be passed
	    from the client to the user login session on the server.  However,
	    some of these  environment variables have  special meaning to  the
	    telnetd  child  process  itself  and  may  be  used  to affect its
	    operation.
	    Of particular relevance is the  ability for remote users to  cause
	    an arbitrary file  on the system  to be searched  for termcap data
	    by passing the  TERMCAP environment variable.   Although any  file
	    on the local system can be  read since the telnetd server runs  as
	    root, the contents of the file will not be reported in any way  to
	    the  remote  user  unless  it  contains  a valid termcap entry, in
	    which case  the corresponding  termcap sequences  will be  used to
	    format the output sent to the client.  It is believed there is  no
	    risk of data disclosure through this vulnerability.
	    However, an  attacker who  forces the  server to  search through a
	    large file  or to  read from  a device  can cause  resources to be
	    spent by the server, including CPU cycles and disk read bandwidth,
	    which  can  increase  the  server  load  and  may  prevent it from
	    servicing  legitimate  user  requests.   Since  the  vulnerability
	    occurs  before  the  login(1)  utility  is  spawned,  it  does not
	    require authentication to a valid  account on the server in  order
	    to exploit.
	    Remote users without a valid login account on the server can cause
	    resources such  as CPU  and disk  read bandwidth  to be  consumed,
	    causing  increased  server  load  and  possibly denying service to
	    legitimate users.
SOLUTION
	    Disable the telnet service, which  is usually run out of  inetd or
	    impose access restrictions using TCP wrappers  (/etc/hosts.allow),
	    or a network-level packet filter such as ipfw(8) or ipf(8) on  the
	    perimeter firewall or  the local machine,  to limit access  to the
	    telnet service to trusted machines.
	    Patch:
	
	        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/telnetd.patch.v1.1
	        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/telnetd.patch.v1.1.asc