Vulnerability Note VU#881872
Sun Solaris telnet authentication bypass vulnerability
A vulnerability in the Sun Solaris telnet daemon (in.telnetd) could allow a remote attacker to log on to the system with elevated privileges.
The Sun Solaris telnet daemon may accept authentication information via the USER environment variable. However, the daemon does not properly sanitize this information before passing it to the login program, and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. In some default configurations of Solaris this vulnerability cannot be exploited to gain access to the root account, but it can be used to gain privileges of other accounts, such as adm and lp.
According to Sun, Solaris 10 (SunOS 5.10) and Solaris "Nevada" (SunOS 5.11) are affected by this issue. More information is available in Sun Alert Notification 102802 and in Alan Hargreaves' blog, here and here.
A remote attacker could log on to a vulnerable system via telnet and gain elevated privileges.
Apply a patch
You may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by Sun Solaris telnet (typically 23/tcp). This will limit your exposure to attacks.
Prefer SSH over telnet
SSH provides a comparatively more secure method for remotely logging into a system than telnet. As general advice, we recommend using SSH rather than telnet.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Sun Microsystems, Inc.||Affected||12 Feb 2007||16 Feb 2007|
CVSS Metrics (Learn More)
This vulnerability was reported by Kingcope.
This document was written by Art Manion and Chris Taschner.
- CVE IDs: CVE-2007-0882
- Date Public: 10 Feb 2007
- Date First Published: 12 Feb 2007
- Date Last Updated: 21 Jul 2008
- Severity Metric: 67.50
- Document Revision: 75
If you have feedback, comments, or additional information about this vulnerability, please send us email.