Note: This is an archival copy of Security Sun Alert 200150 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000108.1.
Article ID : 1000108.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-04-28
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A System Wide Denial of Service May be Caused Through The in.telnetd(1M) Daemon



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4798177

Date of Resolved Release
02-JUN-2003

Impact

Unprivileged local or remote users may be able to cause the in.telnetd(1M) daemon process to enter an infinite loop resulting in large amounts of CPU time being used.

With multiple "in.telnetd" processes in this looping state the system may become unresponsive as a whole.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.6 without patch 106049-05
  • Solaris 7 without patch 107475-05
  • Solaris 8 without patch 110668-04
  • Solaris 9 without patch 114729-01

x86 Platform

  • Solaris 2.6 without patch 106050-05
  • Solaris 7 without patch 107476-05
  • Solaris 8 without patch 110669-04
  • Solaris 9 without patch 114730-01

Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.


Symptoms

Tracing a looping "in.telnetd" process using the truss(1) command will show the following pattern of repeated failing "putmsg()" calls:

    [...]
    putmsg(0, 0xEFFFF934, 0xEFFFF928, 0)            Err#60 ENOSTR
    putmsg(0, 0xEFFFF934, 0xEFFFF928, 0)            Err#60 ENOSTR
    putmsg(0, 0xEFFFF934, 0xEFFFF928, 0)            Err#60 ENOSTR
    putmsg(0, 0xEFFFF934, 0xEFFFF928, 0)            Err#60 ENOSTR
    [...]

Workaround

To minimize the risk imposed by this issue, restrict incoming telnet connections to origins within trustworthy networks, e.g. by using firewalls, packet filtering software, or TCP-wrappers.

Alternatively, incoming telnet connections may be entirely disabled by commenting out the "in.telnetd" related line in the "/etc/inetd/inetd.conf" file using the hash ("#") character as shown in the following example:

    #telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd in.telnetd

For the above change to become active, the "inetd" process has to be sent a "HUP" signal by issuing the following command as root user:

    # kill -HUP <pid of inetd>

(here, "<pid of inetd>" has to be replaced by the process ID of the "inetd" process).


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 2.6 with patch 106049-05 or later
  • Solaris 7 with patch 107475-05 or later
  • Solaris 8 with patch 110668-04 or later
  • Solaris 9 with patch 114729-01 or later

x86 Platform

  • Solaris 2.6 with patch 106050-05 or later
  • Solaris 7 with patch 107476-05 or later
  • Solaris 8 with patch 110669-04 or later
  • Solaris 9 with patch 114730-01 or later
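
One way to check a host against the patch levels listed above, as an added example that is not part of the original Sun Alert. It reads `showrev -p` output and assumes `uname -r` reports 5.6 through 5.9 and `uname -p` reports sparc or i386; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Sun's code. Function names are hypothetical.

# Map `uname -r` / `uname -p` values to the fixing patch listed in this alert.
required_patch() {
    case "$1/$2" in
        5.6/sparc) echo 106049-05 ;;
        5.7/sparc) echo 107475-05 ;;
        5.8/sparc) echo 110668-04 ;;
        5.9/sparc) echo 114729-01 ;;
        5.6/i386)  echo 106050-05 ;;
        5.7/i386)  echo 107476-05 ;;
        5.8/i386)  echo 110669-04 ;;
        5.9/i386)  echo 114730-01 ;;
        *) return 1 ;;   # release/platform not covered by this alert
    esac
}

# Reads `showrev -p` output on stdin and prints PATCHED, VULNERABLE or UNKNOWN.
# Exit status: 0 patched, 1 vulnerable, 2 release/platform not in the alert.
telnetd_patch_status() {
    need=$(required_patch "$1" "$2") || { echo UNKNOWN; return 2; }
    awk -v base="${need%-*}" -v min="${need#*-}" '
        $1 == "Patch:" {
            split($2, p, "-")
            # Same patch ID at the listed revision "or later" counts as fixed.
            if (p[1] == base && p[2] + 0 >= min + 0) found = 1
        }
        END { print (found ? "PATCHED" : "VULNERABLE"); exit !found }
    '
}

# Constructed sample of `showrev -p` output (999999-01 is a placeholder ID).
SAMPLE_SHOWREV='Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 110668-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# Offline demo against the sample, as if on Solaris 8 SPARC.
printf '%s\n' "$SAMPLE_SHOWREV" | telnetd_patch_status 5.8 sparc

# On a real host:
#   showrev -p | telnetd_patch_status "$(uname -r)" "$(uname -p)"
```

The check matches only the patch IDs named in this alert; a fix delivered under a different patch ID that obsoletes one of them is not recognised and would be reported as VULNERABLE.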


Modification History

References

106049-05
106050-05
107475-05
107476-05
110668-04
110669-04
114729-01
114730-01



