CPNI - Centre for the Protection of National Infrastructure


March 2007

US-CERT - Authentication Bypass Vulnerability in Sun Solaris Telnet Daemon

ID: 68
Ref: 010/2007
Date: 07 March 2007:17:55:11
Version: 1

Title: US-CERT - Authentication Bypass Vulnerability in Sun Solaris Telnet Daemon
Abstract: Warning of an authentication bypass vulnerability in the Sun Solaris telnet daemon - in.telnetd. The Sun Solaris telnet daemon does not properly sanitize the USER Environment variable before passing it to the login process.
Vendors affected: Sun
Operating systems affected: Sun
Applications affected: Sun

US-CERT is aware of an authentication bypass vulnerability in the Sun Solaris telnet daemon - in.telnetd. The Sun Solaris telnet daemon does not properly sanitize the USER Environment variable before passing it to the login process.
By supplying a specially crafted USER Environment variable over telnet, a remote attacker may be able to bypass authentication to gain access to the system with elevated privileges. Public exploit code is available.

Note: An attacker must have knowledge of a user account other than root to exploit this vulnerability successfully. Additionally, in default Solaris configurations, this vulnerability cannot be used to gain root level access.
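
The missing step described above is validation of the client-supplied USER value before it reaches the login process. The following C sketch is an added example, not Sun's code and not part of the original advisory; the function names, the 32-character limit and the allowed character set are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOGIN_NAME 32  /* assumed limit for this example */

/* Return 1 if `user` is a plain account name, 0 otherwise.
 * Allowlist: first character a letter; the rest letters, digits,
 * '_', '.' or '-'. Everything else (empty, over-long, whitespace,
 * control bytes, a leading non-letter) is rejected. */
int user_value_is_safe(const char *user)
{
    size_t i, len;

    if (user == NULL)
        return 0;
    len = strlen(user);
    if (len == 0 || len > MAX_LOGIN_NAME)
        return 0;
    if (!isalpha((unsigned char)user[0]))
        return 0;
    for (i = 1; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Decide what the daemon hands to login: the validated name, or NULL
 * so that login prompts for a name itself. */
const char *name_for_login(const char *client_user)
{
    return user_value_is_safe(client_user) ? client_user : NULL;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = { "alice", "svc_backup", "", "bob smith", "9lives" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               name_for_login(samples[i]) ? "pass to login" : "drop, let login prompt");
    return 0;
}
```

Dropping a rejected value, rather than trying to repair it, means the login process falls back to its normal interactive prompt and password check.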

More information about this vulnerability is located in the following:

Vulnerability Note VU#881872 - Sun Solaris telnet authentication bypass vulnerability
http://www.kb.cert.org/vuls/id/881872

Note that Sun Solaris 8 and 9 are not affected by this issue.

Until Sun provides a security update, or more information becomes available, US-CERT recommends the following actions to help mitigate the security risks:

Disable Telnet daemon.
Restrict access to port 23/tcp to trusted hosts only.

References:
http://www.us-cert.gov/current/current_activity.html#sntlntbyp
http://www.cert.org/advisories/CA-1995-14.html
http://www.ietf.org/rfc/rfc1572.txt
http://isc.incidents.org/
http://www.securityfocus.com/bid/22512

CPNI Comment:

The CPNI is advised that systems are being probed for the vulnerability.
We will continue to monitor the situation and provide additional advice as it becomes available.
____________________________________________________________________________


CPNI wishes to acknowledge the contributions of US-CERT for the information contained in this advisory.