Note: This is an archival copy of Security Sun Alert 201391 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001064.1.
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
A security vulnerability in the in.telnetd(1M) daemon shipped with Solaris 10 may allow a local or remote unprivileged user who is able to connect to a host using the telnet(1) service to gain unauthorized access to that host by connecting as any user on the system, allowing them to execute arbitrary commands with the privileges of that user. This would include the root user (uid 0) if the host is configured to accept telnet logins as the root user.
Note: There is at least one WORM in existence that is making use of this exploit to compromise system integrity.
This issue is described in the following documents:
CERT VU#881872 at http://www.kb.cert.org/vuls/id/881872
CVE-2007-0882 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882
This issue can occur in the following releases:
The following command can be used to determine if the service is enabled, which will output 'online' for the service state if the system is affected by this issue:
$ svcs telnet STATE STIME FMRI online Jan_30 svc:/network/telnet:default
If remote root logins are disabled, the impact of this issue will be limited to users other than root.
Remote root logins are disabled if the file "/etc/default/login" contains a line that begins with 'CONSOLE'. This can be seen using the grep command as shown below:
$ grep CONSOLE /etc/default/login CONSOLE=/dev/console
If this line has been commented out by inserting a '#' at the beginning, as in the following example:
or if there is no line containing the word 'CONSOLE', then this issue will also apply to the root user.
See login(1) for more information about the /etc/default/login file.
Depending on the manner in which this issue has been exploited, the output from commands such as last(1) (which display information about login and logout activity), may show unexpected logins to the system. Using the '-a' flag with the last(1) command will show the hostname associated with these logins.
To workaround this issue, the telnet service can be disabled as in the following example (Note that this will remove the functionality of the in.telnetd daemon on that host):
# svcadm disable svc:/network/telnet:default
Note: If instead of disabling the service, removal of the service is being considered, then please first read Sun Alert 102799:
"Synopsis: svc.startd(1M) May Core Dump While Removing a Service, Causing patchrm(1M) to Terminate and Leave the System Unbootable"
In addition, it is also possible to uncomment (or add) the 'CONSOLE' line in the "/etc/default/login" file so that it looks similar to the following:
However, this will only prevent unauthorized access to the root account; other user accounts will still be affected by this issue.
Until patches can be applied, you may wish to block access to the telnet service from untrusted networks such as the Internet. Use a firewall or other packet-filtering technology, such as ipfilter, which is shipped with Solaris 10, to block the appropriate network ports.Consult your vendor or your firewall documentation for detailed instructions on how to configure the ports.
This issue is addressed in the following releases:
Note: These patches have been created with a tag that says that a reboot is required after installation. However, this is incorrect (see Bug 6524404). Future Solaris 10 telnetd(1M) patch revisions have had this tag removed.
This solution has no attachment