Zero-Day Tracker
Common Name:
Sun Solaris Telnet Bypass
Date Disclosed:
2/12/2007
Date Patched:
2/14/2007
Vendor:
Sun
Application:
Solaris 10
Solaris 11
Description:
A login bypass vulnerability exists in the Telnet daemon of Sun Solaris 10 and 11. It allows an attacker to log in remotely as a privileged user (i.e. 'root') if the telnet daemon is running with root privileges on the targeted host. The vulnerability exists because the Solaris Telnet service does not scrub option switches from the supplied login name before passing it to the login process. The login process then automatically logs in the user specified after the '-f' switch, as demonstrated by the referenced proof of concept.
Severity:
High
Code Execution:
Yes
Impact:
Anonymous Login as Privileged User
This vulnerability allows a remote attacker to log in anonymously as any privileged user (including root) on a Solaris 10/11 host running the telnet daemon as root. This allows rapid system compromise without any user interaction.
Mitigation:
eEye Research suggests that customers disable Telnet on all Solaris 10/11 hosts and switch to SSH instead.
Command to disable telnet: svcadm disable telnet
Another mitigation technique is to restrict telnet access to only those users who can provide valid authentication information.
Command: inetadm -m svc:/network/telnet:default exec="/usr/sbin/in.telnetd -a user"
Protection:
- eEye's Retina® Network Security Scanner scans devices to detect this vulnerability.
Sun Alert ID: 102802
Links:
ISC Diary - "Another Good Reason to Stop Using Telnet"
First Public PoC Code Disclosure (Remote Bypass)
Status:
2/12/2007: Advisory Posted
2/14/2007: Patch Released
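The flaw in the Description is an argument-injection pattern: a client-supplied login name reaches the login program's argument vector unscrubbed. The following C sketch is an added example, not Sun's code or patch; the function names, the simplified argument vector and the length limit are assumptions, and the "--" separator assumes getopt-style option parsing in the login program.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 32  /* constructed limit for this example */

/* Return 1 only if the client-supplied name can be read solely as a user name. */
int login_name_is_safe(const char *name)
{
    size_t i, n;
    if (name == NULL) return 0;
    n = strlen(name);
    if (n == 0 || n > MAX_NAME) return 0;
    if (name[0] == '-') return 0;  /* would be parsed as a switch by login */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Pattern the advisory describes: the name is forwarded without scrubbing. */
int build_argv_unchecked(const char *name, const char *argv[], size_t cap)
{
    if (name == NULL || cap < 3) return -1;
    argv[0] = "login";
    argv[1] = name;  /* leading '-' puts attacker input in option position */
    argv[2] = NULL;
    return 2;
}

/* Hardened form: validate first, then end option parsing before the name. */
int build_argv_checked(const char *name, const char *argv[], size_t cap)
{
    if (cap < 4 || !login_name_is_safe(name)) return -1;
    argv[0] = "login";
    argv[1] = "--";  /* assumes getopt-style parsing in the login program */
    argv[2] = name;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    const char *argv[4];
    const char *samples[] = { "alice", "-x", "bob smith" };  /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-10s checked=%d\n", samples[i], build_argv_checked(samples[i], argv, 4));
    return 0;
}
```
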
