Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Buffer overflow vulnerability in telnetd



Article ID: JSA10293 SECURITY_ADVISORIES Last Updated: 09 May 2013Version: 2.0
Legacy Advisory Id:
Product Affected:
All domestic and export versions of JUNOS software released prior to July 24, 2001
Because of incorrect bounds checking of data buffered for output to the remote client, an attacker can cause the telnetd process that is included in the JUNOS software to overflow a buffer and crash, or to execute arbitrary code as the root user. All that is required is the ability to connect to the telnetd server. A valid user account and password are not required to exploit this vulnerability. The complete text describing this vulnerability can be found at:

This vulnerability only affects the telnet service, and only if the service has been enabled in the Juniper router’s configuration. All other services, including ssh, are unaffected.
Replace the telnet daemon with a corrected version of the daemon. Use the procedure below to implement the patch for currently shipping versions of the JUNOS software. The fixed code will be included in all future versions of the JUNOS software.
A corrected version of the telnet daemon is available on the Juniper Networks FTP site:

To download and install the corrected software, follow these steps (commands to be typed by the user are in bold):

  1. Log in to the Juniper Networks router.
  2. From the CLI, exit to the shell: user@lab> start shell
  3. Gain root privileges: % su root@lab%
  4. Restart the JUNOS CLI: root@lab% cli root@lab>
  5. Copy the corrected code from the Juniper Networks FTP site: root@lab> file copy telnetd This command places the corrected code in the root userýs login directory.
  6. Exit the CLI and return to the shell prompt: root@lab> quit root@lab%
  7. Verify that your new code is correct: root@lab% md5 ./telnetd The output from the md5 command should look like this: root@lab% md5 telnetd.4x MD5 (telnetd.4x) = ef1273bde9a1bde7541d57d6316eb86d
  8. Rename the existing telnet daemon: root@lab% mv /usr/libexec/telnetd /usr/libexec/telnetd.old
  9. Copy the new telnet daemon into the system directory: root@lab% cp ./telnetd /usr/libexec/telnetd
  10. Set the correct ownership and permissions on the new file: root@lab% chown bin.bin /usr/libexec/telnetd root@lab% chmod 555 /usr/libexec/telnetd
  11. Exit the shell and return to your login CLI process: root@lab% exit % exit user@lab>
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search