A zero-day exploit affecting Telnet in Solaris 10 and 11 has emerged, which makes us wonder just who in the world is running Telnet as a public service these days.
The eEye zero-day tracker delivered another reminder of why SSH has largely replaced Telnet on servers that require a secure remote login.
This high-severity flaw could permit an attacker to log in as root. That's about as bad as it gets on Solaris:
This vulnerability allows an attacker to remotely log in as a privileged user (i.e. 'root') if the telnet daemon is running with root privileges on the targeted host.
The vulnerability exists because the Solaris Telnet service does not scrub the switches before passing the login name to the login process. Login will then auto-login the user specified following the '-f' switch, as demonstrated by the referenced proof of concept.
Disabling Telnet and replacing it with SSH will be the best option for system administrators. Unlike the plaintext traffic sent across Telnet connections, SSH encrypts its traffic, providing a much more secure option for remote access.
OpenSSH from the OpenBSD project may be obtained for Solaris and several other operating systems.