SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#881872

Sun Solaris telnet authentication bypass vulnerability

Overview

A vulnerability in the Sun Solaris telnet daemon (in.telnetd) could allow a remote attacker to log on to the system with elevated privileges.

I. Description

The Sun Solaris telnet daemon may accept authentication information via the USER environment variable. However, the daemon does not properly sanitize this information before passing it to the login program, and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. In some default configurations of Solaris this vulnerability cannot be exploited to gain access to the root account, but it can be used to gain privileges of other accounts, such as adm and lp.

According to Sun, Solaris 10 (SunOS 5.10) and Solaris "Nevada" (SunOS 5.11) are affected by this issue. More information is available in Sun Alert Notification 102802 and in Alan Hargreaves' blog, here and here.

This vulnerability is being exploited by a worm, for more information see the Security Sun Alert Feed and Technical Alert TA07-059A.

II. Impact

A remote attacker could log on to a vulnerable system via telnet and gain elevated privileges.

III. Solution

Apply a patch

Apply the patches referenced in Sun Alert Notification 102802.

Disable telnet

Disable telnet if it's not needed. Telnet can be disabled by issuing the following command:

    # svcadm disable telnet
Restrict access

You may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by Sun Solaris telnet (typically 23/tcp). This will limit your exposure to attacks.

Prefer SSH over telnet

SSH provides a comparatively more secure method for remotely logging into a system than telnet. As general advice, we recommend using SSH rather than telnet.

Systems Affected
VendorStatusDate Updated
Sun Microsystems, Inc.Vulnerable16-Feb-2007

References

http://www.us-cert.gov/cas/techalerts/TA07-059A.html
http://www.cert.org/advisories/CA-1994-09.html
http://www.cert.org/advisories/CA-1995-14.html
https://www.securecoding.cert.org/confluence/x/-AY
http://www.kb.cert.org/vuls/id/220816
http://www.ietf.org/rfc/rfc1572.txt
http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit
http://blogs.sun.com/tpenta/entry/more_on_the_in_telnetd
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1
http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
http://secunia.com/advisories/24166/
http://securitytracker.com/alerts/2007/Feb/1017625.html
http://www.ciac.org/ciac/bulletins/r-139.shtml
http://riosec.com/solaris-telnet-0-day
http://www.computerdefense.org/?p=258
http://blog.ncircle.com/blogs/vert/archives/2007/02/whats_old_is_new_again.html
http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html
http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf
http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/

Credit

This vulnerability was reported by Kingcope.

This document was written by Art Manion and Chris Taschner.

Other Information

Date Public02/10/2007
Date First Published02/12/2007 09:58:18 AM
Date Last Updated07/21/2008
CERT Advisory 
CVE-ID(s)CVE-2007-0882
NVD-ID(s)CVE-2007-0882
US-CERT Technical Alerts 
Metric67.50
Document Revision75

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2007 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader