March 2007
Sun Security Advisory
ID: 81
Ref: 023/2007
Date: 07 March 2007:18:57:35
Version: 1
Title: Sun Security Advisory
Abstract: Security vulnerability in the in.telnetd Daemon may allow unauthorized remote users to gain access to a Solaris host.
Vendors affected: Sun
Operating systems affected: Sun
Applications affected: Sun
Sun Security Advisory: Security Vulnerability in the in.telnetd(1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host
Detail
======
CPNI comment: CPNI has received reports of increased activity targeting TCP port 23 (Telnet) which corresponds with reports of a worm that exploits the vulnerability detailed in the following Sun advisory.
Related Links:
Sun: http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
ISC: http://isc.sans.org/diary.html?storyid=2316&rss
Arbor Networks: http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/
US-CERT: http://www.kb.cert.org/vuls/id/881872
Original Advisory:
Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1
---
Sun Alert ID: 102802
Product: Solaris 10 Operating System
BugIDs: 6523815
Avoidance: Patch, Workaround
State: Resolved
Date Released: 12-Feb-2007, 13-Feb-2007, 28-Feb-2007
1. Impact
A security vulnerability in the in.telnetd(1M) daemon shipped with Solaris 10 may allow a local or remote unprivileged user who is able to connect to a host using the telnet(1) service to gain unauthorized access to that host by connecting as any user on the system, allowing them to execute arbitrary commands with the privileges of that user. This would include the root user (uid 0) if the host is configured to accept telnet logins as the root user.
Note: There is at least one WORM in existence that is making use of this exploit to compromise system integrity.
This issue is described in the following documents:
CERT VU#881872 at http://www.kb.cert.org/vuls/id/881872
CVE-2007-0882 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
Solaris 10 without patch 120068-02
x86 Platform
Solaris 10 without patch 120069-02
Notes:
Solaris 8 and 9 are not affected by this issue.
This issue only affects systems which have the telnet(1) service enabled.
The following command can be used to determine if the service is enabled, which will output 'online' for the service state if the system is affected by this issue:
$ svcs telnet
STATE STIME FMRI
online Jan_30 svc:/network/telnet:default
If remote root logins are disabled, the impact of this issue will be limited to users other than root.
Remote root logins are disabled if the file "/etc/default/login" contains a line that begins with 'CONSOLE'. This can be seen using the grep command as shown below:
$ grep CONSOLE /etc/default/login
CONSOLE=/dev/console
If this line has been commented out by inserting a '#' at the beginning, as in the following example:
#CONSOLE=/dev/console
or if there is no line containing the word 'CONSOLE', then this issue will also apply to the root user.
See login(1) for more information about the /etc/default/login file.
3. Symptoms
Depending on the manner in which this issue has been exploited, the output from commands such as last(1), which displays information about login and logout activity, may show unexpected logins to the system. Using the '-a' flag with the last(1) command will show the hostname associated with these logins.
4. Relief/Workaround
To work around this issue, the telnet service can be disabled as in the following example (note that this will remove the functionality of the in.telnetd daemon on that host):
# svcadm disable svc:/network/telnet:default
Note: If instead of disabling the service, removal of the service is being considered, then please first read Sun Alert 102799:
"Synopsis: svc.startd(1M) May Core Dump While Removing a Service, Causing patchrm(1M) to Terminate and Leave the System Unbootable"
In addition, it is also possible to uncomment (or add) the 'CONSOLE' line in the "/etc/default/login" file so that it looks similar to the following:
CONSOLE=/dev/console
However, this will only prevent unauthorized access to the root account; other user accounts will still be affected by this issue.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
Solaris 10 with patch 120068-02 or later
x86 Platform
Solaris 10 with patch 120069-02 or later
Note: These patches have been created with a tag that says that a reboot is required after installation. However, this is incorrect (see Bug 6524404). Future Solaris 10 telnetd(1M) patch revisions have had this tag removed.
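The following audit script is an added example, not part of the Sun or CPNI advisory: it combines the section 2 checks (telnet service state from svcs, the CONSOLE line in /etc/default/login) with the section 5 patch levels, using showrev -p output to detect the patch (the "Patch: NNNNNN-RR" line format and the sparc/i386 values of uname -p are assumed from Solaris 10 behaviour). The sample inputs at the end are constructed.

```shell
#!/bin/sh
# Added audit helper (example code, not from the Sun/CPNI advisory). It applies the
# advisory's checks: telnet service online, remote root login allowed (no uncommented
# CONSOLE line), and fixing patch 120068-02 (SPARC) / 120069-02 (x86) or later present.
# Parsers read stdin so they can be exercised offline with constructed samples.
# True (exit 0) if svcs(1) output on stdin shows the telnet instance online.
telnet_online() {
    awk '$1 == "online" && $NF == "svc:/network/telnet:default" { found = 1 }
         END { exit !found }'
}

# True if /etc/default/login on stdin has no uncommented CONSOLE line (root reachable).
root_remote_login_allowed() {
    if grep -q '^CONSOLE'; then return 1; else return 0; fi
}

# True if showrev -p output on stdin lists patch <base>-02 or a later revision.
# Assumed line format: "Patch: 120068-02 Obsoletes: ... Packages: ...".
fix_patch_installed() {
    awk -v base="$1" '$1 == "Patch:" { split($2, p, "-")
                                        if (p[1] == base && p[2] + 0 >= 2) ok = 1 }
                      END { exit !ok }'
}

# One verdict from the three checks. Arguments: svcs output, /etc/default/login
# contents, showrev -p output, patch base id (120068 for SPARC, 120069 for x86).
assess() {
    if printf '%s\n' "$3" | fix_patch_installed "$4"; then
        echo "patched"
    elif ! printf '%s\n' "$1" | telnet_online; then
        echo "not exposed: telnet service not online"
    elif printf '%s\n' "$2" | root_remote_login_allowed; then
        echo "VULNERABLE, root reachable: apply $4-02 or svcadm disable svc:/network/telnet:default"
    else
        echo "VULNERABLE, non-root accounts: apply $4-02 or svcadm disable svc:/network/telnet:default"
    fi
}

# Live use on a Solaris 10 host (uname -p assumed to report sparc or i386); not run here.
audit_host() {
    case "$(uname -p)" in sparc) base=120068 ;; *) base=120069 ;; esac
    assess "$(svcs telnet)" "$(cat /etc/default/login)" "$(showrev -p)" "$base"
}
# Constructed samples: service online, CONSOLE commented out, unrelated patch only.
SAMPLE_SVCS='STATE          STIME    FMRI
online         Jan_30   svc:/network/telnet:default'
SAMPLE_LOGIN='#CONSOLE=/dev/console'
SAMPLE_SHOWREV='Patch: 123456-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'
assess "$SAMPLE_SVCS" "$SAMPLE_LOGIN" "$SAMPLE_SHOWREV" 120068
```

On the constructed sample the verdict is "VULNERABLE, root reachable"; with a CONSOLE line uncommented it drops to the non-root verdict, and an installed 120068-02 or later yields "patched".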
______________________________________________________________________________
CPNI wishes to acknowledge the contributions of Sun for the information contained in this advisory.
______________________________________________________________________________