Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

* Another good reason to stop using telnet

Published: 2007-02-12
Last Updated: 2007-02-13 21:43:31 UTC
by donald smith (Version: 6)
0 comment(s)
There is a major zero day bug announced in solaris 10 and 11 with the telnet and login combination.
It has been verified. In my opinion NOBODY be should running telnet open to the internet.
Versions of Solaris 9 and lower do not appear to have this vulnerability.

The issue:
The telnet daemon passes switches directly to the login process which looks for a switch that allows root to login to any account without a password. If your telnet daemon is running as root it allows unauthenticated remote logins.

Telnet should be disabled. Since 1994 the cert.org team has recommended using something other then plain text authentication due to potential network monitoring attacks. http://www.cert.org/advisories/CA-1994-01.html
“We recognize that the only effective long-term solution to prevent these attacks is by not transmitting reusable clear-text passwords on the network.“

If remote shell access is required ssh is a better choice then telnet. We have done articles about securing ssh in the past. http://isc.sans.org/diary.html?storyid=1541

The FIX:
To disable telnet in solaris 10 or 11 this command should work.
svcadm disable telnet

The Mitigations:
Limit your exposure if you must run telnet on your solaris system it is recommend that you use firewall(s) to limit what IP can connect to your telnet services.

Change
/etc/default/login add CONSOLE=/dev/console
to limit where root can login from. This only prevents direct access to the root account other accounts can still be compromised.

Another mitigation that works in most cases is this:
inetadm -m svc:/network/telnet:default exec="/usr/sbin/in.telnetd -a user"
We have had one report of someone locking themselves out with this so use at your own risk.

- The Snort signature has been removed at the request of the author.

I am not going to include the site with the exploit. No special tools are required to exploit this vulnerability.

Sun response
Sun has issued a note at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1
pointing to a partial workaround that limits root login from the console only.

Thanks to Chris and Thomas who notified us of this issue and all the fellow handlers that helped verify, mitigate and review this report.
Keywords:
0 comment(s)
Diary Archives