Computer Emergency Response Team officials are warning of a serious vulnerability for those using the Telnet terminal-emulation protocol to upload files to servers running the Berkeley Software Design operating system.

The vulnerability, discovered by Teso, an international group of young computer programmers and security enthusiasts, is a remotely exploitable buffer overflow that can crash the server or even be used to gain root access to the server.

A working exploit has been posted to the BugTraq mailing list. The CERT advisory is available at http://www.cert.org/ advisories/ CA-2001-21.html.

CERT advises Telnet daemon users to apply their vendors' patch, if one is available. Vulnerable systems include BSDI, FreeBSD, SGI, Linux, NetBSD, OpenBSD, Sun Microsystems, Caldera, and IBM. It's still not determined if Hewlett-Packard or Nokia Corp. systems are affected. Cisco's Internetworking Operating System does not appear to be affected by this vulnerability.