CVE-2018-20764

9.8 CRITICAL

📋 TL;DR

A buffer overflow in HelpSystems tcpcrypt on Linux allows an attacker to execute arbitrary code with elevated privileges. Because tcpcrypt is installed setuid, successful exploitation escalates an unprivileged local user to root. Systems running BoKS encrypted telnet on BoKS versions up to and including 6.7.1 are affected.

💻 Affected Systems

Products:
  • HelpSystems BoKS
  • HelpSystems tcpcrypt
Versions: BoKS versions up to and including 6.7.1
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where BoKS encrypted telnet is configured and tcpcrypt is installed with setuid permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root access, allowing complete control over the affected system, data theft, and lateral movement within the network.

🟠 Likely Case

Privilege escalation from any local user to root, enabling installation of persistent backdoors, credential harvesting, and further system exploitation.

🟢 If Mitigated

Limited impact if proper access controls restrict local user accounts and tcpcrypt usage is minimized.

🌐 Internet-Facing: LOW (exploitation requires local access to the system)
🏢 Internal Only: HIGH (any local user can escalate to root)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access to the system and knowledge of buffer overflow techniques. The setuid nature makes privilege escalation straightforward once the overflow is triggered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BoKS version 6.7.1 with Hotfix 515 or later

Vendor Advisory: https://community.helpsystems.com/knowledge-base/fox-technologies/hotfix/515/

Restart Required: Yes

Instructions:

1. Download Hotfix 515 from the HelpSystems support portal.
2. Apply the hotfix according to vendor instructions.
3. Restart affected services or the entire system as required.

🔧 Temporary Workarounds

Remove setuid from tcpcrypt (Linux)

Remove the setuid bit from the tcpcrypt binary to prevent privilege escalation:

  chmod u-s /path/to/tcpcrypt

Disable BoKS encrypted telnet (Linux)

Disable the vulnerable service if not required for operations:

  systemctl disable boks-telnet
  systemctl stop boks-telnet

🧯 If You Can't Patch

  • Restrict local user access to systems running vulnerable BoKS versions.
  • Implement strict network segmentation to isolate vulnerable systems from critical assets.

🔍 How to Verify

Check if Vulnerable:

Check whether the tcpcrypt binary has the setuid bit set (ls -l /path/to/tcpcrypt; an s in the owner's execute position, e.g. -rwsr-xr-x, means setuid) and whether the installed BoKS version is 6.7.1 or earlier (use the vendor's tools).

Check Version:

boksadmin version or check BoKS administration console for version information.

Verify Fix Applied:

Confirm that tcpcrypt no longer has the setuid bit (ls -l /path/to/tcpcrypt) and that Hotfix 515 is applied (check the hotfix status in the BoKS administration tools).
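As an added check, not part of the advisory or of the vendor's tooling, the following POSIX shell functions automate the setuid test described above: is_setuid reports whether a path carries the setuid bit, setuid_verdict prints a verdict with the file owner and the chmod u-s remediation, and list_setuid enumerates every setuid file under an installation directory so the post-hotfix state can be confirmed. /path/to/tcpcrypt and /opt/boks are placeholders, not real vendor paths.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor).
# /path/to/tcpcrypt and /opt/boks are placeholders; substitute the real paths.

# is_setuid PATH
#   exit 0 = setuid bit set, 1 = not set, 2 = path does not exist
is_setuid() {
  [ -e "$1" ] || return 2
  # -prune stops find descending if PATH is a directory;
  # -perm -4000 matches when the setuid bit (octal 4000) is set
  [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# setuid_verdict PATH
#   prints a one-line verdict; exit status is the same as is_setuid
setuid_verdict() {
  is_setuid "$1"
  rc=$?
  case $rc in
    0) owner=$(ls -ld "$1" | awk '{print $3}')
       printf 'SETUID: %s is setuid (owner %s); remove with: chmod u-s %s\n' \
         "$1" "$owner" "$1" ;;
    1) printf 'OK: %s has no setuid bit\n' "$1" ;;
    *) printf 'MISSING: %s not found (tcpcrypt not installed?)\n' "$1" ;;
  esac
  return $rc
}

# list_setuid DIR
#   prints every setuid regular file below DIR, one per line (empty if none);
#   -xdev keeps the scan on one filesystem
list_setuid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Stand-alone usage: sh check_setuid.sh --run
if [ "${1:-}" = "--run" ]; then
  setuid_verdict /path/to/tcpcrypt
  list_setuid /opt/boks
fi
```

A SETUID verdict after applying Hotfix 515 means the workaround (chmod u-s) is still worth applying; a MISSING verdict on a host that never had encrypted telnet configured is expected.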

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from tcpcrypt
  • Failed privilege escalation attempts in system logs
  • Abnormal telnet connection patterns

Network Indicators:

  • Unexpected encrypted telnet traffic to/from BoKS systems
  • Anomalous network connections following local exploitation

SIEM Query:

source="*boks*" AND (event="privilege_escalation" OR process="tcpcrypt")
