Slashdot Mirror


Worm Exploiting Solaris Telnetd Vulnerability

MichaelSmith writes "Several news sites are reporting that a worm is starting to exploit the Solaris Telnet 0-day vulnerability. By adding simple text to the Telnet command, the system will skip asking for a username and password. If the systems are installed out of the box, they automatically come Telnet-enabled. 'The SANS Internet Storm Center, which monitors Internet threats, has noticed some increase in activity on the network port used by Solaris' telnet feature, according to an ISC blog posted on Tuesday. "One hopes that there aren't that many publicly reachable Solaris systems running telnet," ISC staffer Joel Esler wrote.'"

11 of 164 comments

  1. Yep. by AltGrendel · · Score: 4, Insightful
    That's one of the first things any good admin turns off.

    Use SSH.

    ...oh, and don't forget to wear your raincoat.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:Yep. by fm6 · · Score: 4, Insightful

      Yeah, that was my response when I first heard of this bug/exploit. But the real question is, should systems be shipped with telnet enabled? Obviously the answer is "no", but vendors seem to be slow to get this message.

      And note that this worm is enabled by a bug in Solaris's implementation of telnet, not by telnet itself. A similar bug in ssh would have had the same effect.

    2. Re:Yep. by Venik · · Score: 3, Funny

      I think the real question is: should Solaris telnetd have such an immense security hole?

    3. Re:Yep. by iamacat · · Score: 3, Insightful

      ssh is actually more complex than telnet and more likely to have exploitable bugs - there were a couple featured on slashdot in fact. ssh is for protection of the user, not the host system. It can make intrusion recovery more difficult, as you will not be able to see what the attacker is doing using network monitoring tools. Sun just got sloppy/unlucky with this one by unnecessarily mucking with login. Don't they teach in school to not add command line options/environment variables to a setuid program?

  2. Oh no by wumpus188 · · Score: 4, Funny

    These 4 users running telnet on solaris are gonna be pissed...

  3. I might have missed something.... by 8127972 · · Score: 3, Informative
    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  4. It's been a long day... by Odiumjunkie · · Score: 5, Insightful

    So, just to be clear, this story, posted on March 2nd, is reporting on a worm which has started exploiting a zero day vulnerability that was covered by slashdot on February 12th?

    Isn't twenty days long enough to disable a remotely exploitable and totally unnecessary, unsafe service that no admin in his right mind should have enabled on a box connected to the net anyway?

    1. Re:It's been a long day... by Cheapy · · Score: 3, Funny

      Sysadmins have been searching this entire time to find a Solaris box to fix.

      They are still searching.

      --
      Would you kindly mod me +1 insightful?
  5. Should have happened... by alexhs · · Score: 4, Insightful

    What about this argument that OSs other than Microsoft ones don't get malware developed for them because they don't have significant marketshare, again?

    --
    I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
  6. Telnet for transparency? by Anonymous Coward · · Score: 4, Interesting

    A while ago I found a strange comment here about why telnet was still used, even by security-knowledgeable IT departments. The comment was saying this:

    Large financial institutions in Europe use telnet, as use of encryption is restricted on their trusted networks, for reasons of transparency to the stock regulating authorities. (Googling for this phrase should get you the /. comment)

    If this is true (and not the post of a random troll), can anyone shed some light on this? For it seems very strange... There are many other ways to provide transparency to the financial authorities without having to compromise your network, no!?

  7. Re:Other Telnet vulnerabilities by geoffspear · · Score: 3, Funny

    I've yet to come across a printer that was running Solaris, but I'll certainly keep that in mind if I ever do.

    --
    Don't blame me; I'm never given mod points.