Worm Exploiting Solaris Telnetd Vulnerability

MichaelSmith writes "Several news sites are reporting that a worm is starting to exploit the Solaris Telnet 0-day vulnerability. By adding simple text to the Telnet command, the system will skip asking for a username and password. If the systems are installed out of the box, they automatically come Telnet-enabled. 'The SANS Internet Storm Center, which monitors Internet threats, has noticed some increase in activity on the network port used by Solaris' telnet feature, according to an ISC blog posted on Tuesday. "One hopes that there aren't that many publicly reachable Solaris systems running telnet," ISC staffer Joel Esler wrote.'"

Yep.

[AltGrendel]

That's one of the first things any good admin turns off.

Use SSH.

...oh, and don't forget to wear your raincoat.

Re:Yep.

[fm6]

Yeah, that was my response when I first heard of this bug/exploit. But the real question is, should systems be shiped with telnet enabled? Obviously the answer is "no", but vendors seem to be slow to get this message.

And note that this worm is enabled by a bug in Solaris's implementation of telnet, not by telnet itself. A similar bug in ssh would have had the same effect.

Re:Yep.

[Venik]

I think the real question is: should Solaris telnetd have such an immense security hole?

Re:

[fm6]

No, the real question is: should I pay attention to a post stating the obvious?

Re:

[Venik]

Well, I am glad you think it's obvious. I was beginning to worry about folks here criticizing sysadmins for having telnet running, as opposed to criticizing Sun for missing such an obvious hole in their OS.

Re:

[geoffspear]

Well, it's arguable that shipping telnetd at all even without this vulnerability is an obvious hole in the OS, but software bugs are usually only "obvious" after they've been found.

Re:

[Venik]

There is nothing inherently wrong with telnet. It has functional limitations, just as any other method of communication. Telnet can be safely used, when its limitations are accounted in the overall environment. Look at it this way. A company that makes locks accidentally produced a model that can be opened by any key. Oops. You are saying: Hey, everybody knows that locks can be picked, so why are you still using them? Do you see a difference between a design limitation and a production defect?

Re:

[jericho4.0]

This company sells houses, and installs this lock by default on the backdoor of every house it sells.

Re:

[ArcherB]

-->I think the real question is: should Solaris telnetd have such an immense security hole?

what an idiotic question

I think the question was rhetorical.

My question is: Who the hell still uses telnet? I don't even use telnet on my LAN.

Re:

[DieNadel]

No, they do not!

Stop repeating that!

They don't use telnet, and that plaintext you see when sniffing their network is your natural ability to crack encryption.

How many times do I have to tell you that you're special?!

Now, back to the task I've given you. The NSA won't be lending me your brain again if you spend all my alloted time on /.

Re:

[ray-auch]

But the real question is, should systems be shiped with telnet enabled? Obviously the answer is "no", but vendors seem to be slow to get this message.

This is Sun. Remember "+" in hosts.equiv ? They deliberately shipped with a known insecure default config in order to reduce support costs / complaints ("ease-of-use" was allegedly considered more important than security).

Re:

[fm6]

Putting ease of use ahead of security is hardly unique to Sun. Actually, this kind of thing isn't even an ease of use issue. Somebody gets a customer complaint, they see a fix, and they implement it without thinking through the security implications. Happens every day — usually several times.

Re:

[fm6]

Since when was Microsoft known for usability?

Re:

[fm6]

Virus and rootkit support counts as feature creep, not usability!

Re:

[djh101010]

Yeah, that was my response when I first heard of this bug/exploit. But the real question is, should systems be shiped with telnet enabled? Obviously the answer is "no", but vendors seem to be slow to get this message.

Serious questions: 1. Who ships with telnet enabled? Certainly not Apple or any of the Linux distros I've used. and 2. Who uses Unix systems with the default build installed by Sun? Do they even _come_ with an OS anymore?

Re:

[djh101010]

Serious answers:

1: Ummm, Solaris ships with telnet enabled. Did you see the headline of the article you are posting in regards to?

Ummm, No, it doesn't. But I've only got about 1000 of 'em to use as a sample size so maybe my experience is too limited.

2: Many people, or there would be no worm, if you want a concrete example then look elsewhere.

Your (2) depends on your (1) to be true, and I suspect that it is not.

As others have pointed out, many of whom even stand behind their statements with their identity, the admin has to specifically decide they want telnet enabled. Exposing telnet to anything, especially the public internet, has been widely regarded as an Astonishingly Bad Idea for many years.

Re:

[djh101010]

Um yes it does. If you have 1000 machines you probably have an image, jumpstart installation, custom installer, or possibly newer OS CDs/DVDs. The admin, since its probably not you, also could have disabled it after the fact.

Assume much? Hell yes we have a jumpstart infrastructure. And my question remains, who in the world takes a raw box from Sun with an OS that they shipped with and use it? First of all, the partitioning is very unlikely to be suitable for, well, anything by default.

Telnet has been enabled by default for a long time on the default installs going back quite a ways on up well into several solaris 10 sub-releases.

Oddly enough, several non-AC's have posted otherwise. I tend to trust their word over that of someone not even willing to say who they are.

Re:

[G00F]

"Yeah, that was my response when I first heard of this bug/exploit."

Eh? My response was, who cares, no one uses it, but I'll check the top leevl comments to see if there was anything interesting or insightfull. I guess not ;)

Re:

[fm6]

Typical Slashdotter provincialism. In the real world, "No one I know" != "No one". And I'm guessing you don't run a data center or anything like that. Probably the fanciest system you've ever seen is your big brother's game machine.

Re:

[pclminion]

Yeah, that was my response when I first heard of this bug/exploit. But the real question is, should systems be shiped with telnet enabled? Obviously the answer is "no", but vendors seem to be slow to get this message.

Why the hell not? Installation of Solaris is not exactly an "end user" type of operations. More likely it would be performed by an IT professional. Having telnet enabled initially makes it easy to setup the system from another location without worrying about making ssh or anything else work

Re:

[fm6]

Having telnet enabled initially makes it easy to setup the system from another location without worrying about making ssh or anything else work.

So the convenience of the admin is more important than the security of the system? Your logic is the reason security is such a problem. Besides, what's the big deal in "making ssh work"? I've never had any trouble.

Incidentally, Solaris 11 will be shipped with all unnecessary services (including telnet) disabled by default.

Re:

[pclminion]

So the convenience of the admin is more important than the security of the system?

The security of the system is of FUNDAMENTAL importance. It is a failure of the administrator which turns telnet into a vulnerability. Security ultimately derives from actions taken by human beings. If humans don't do what is appropriate and security is compromised, it is the humans who have failed, not the system.

Re:

[fm6]

Let me guess: you're a Republican, right? Keeping the system safe is less important than allowing the sysadmin to demonstrate his Moral Fiber. Jeees-us!

Telnet is an obsolete protocol that nobody needs. If you want to show your "responsibility", take the trouble to learn how to use SSH. Or if you must use telnet, live with the fact that OS vendors are going to make you turn it on, instead of leaving an insecure protocol enabled by default.

Re:

[Afecks]

A good Windows admin has a router, firewall, anti-virus, automatic updates and a 3rd party browser. If that's not a good argument against the thousands of Windows zombies out there then it's not a good argument for you either.

Re:Yep.

[iamacat]

ssh is actually more complex than telnet and more likely to have exploitable bugs - there were a couple featured on slashdot in fact. ssh is for protection of the user, not the host system. It can make intrusion recovery more difficult, as you will not be able to see what the attacker is doing using network monitoring tools. Sun just got sloppy/unlucky with this one by unnecessarily mucking with login. Don't they teach in school to not add command line options/environment variables to a setuid program?

MOD PARENT UP

[Schraegstrichpunkt]

Exactly. All these comments to the effect of "telnetd should be off by default" are missing the point. Yes, telnetd should be off by default, but that's just so that dumb users don't get used to typing in their passwords over a cleartext connection.

It makes me wonder about how much original thought there is on Slashdot, versus how many comments are just clueless people using technical terms in a syntactically-correct fashion without really understanding what they're saying.

If I went back into the Slas

Re:

[amper]

What really makes me laugh is how many people think that running sshd instead of telnetd is somehow going to magically give you protection from being hacked.

For those of you who don't realize this...you can break into *any* vanilla sshd by guessing the right password...just the same as if you were running telnetd. The *only* difference is somewhat greater protection over having your password sniffed over the network while in transit. Unless, of course, you're running some sort of PKI infrastructure with cli

SSHD DOES give you magical powers - real passwords

[wsanders]

- The Solaris telnet authenticates against their login PAM modules, which only uses the first 8 chars of the password for authentication. SSH bypasses /bin/login and passwords can be as long as you want. This is more longtime Solaris silliness that has not been fixed in Solaris 10.

At least they do come with a binch of stuff disabled by default, and with a fairly recent version of SSH.

I *DO* have numerous Solaris hosts happily floating in the effuent of an unfirewalled Internet connection, and they are probe

Woah nelly...

[Ayanami Rei]

man crypt_bsdmd5

in /etc/security/crypt.conf:
CRYPT_DEFAULT=__unix__ => CRYPT_DEFAULT=1

This makes Solaris PAM compatible with Linux/BSD-style MD5 shadow hashes distributed via file, NIS, LDAP, or whatever. It will process an arbitrarily long password.

And in that case, you should edit your /etc/ssh/sshd_config and set PAMAuthenticationViaKBDInt to yes. That way you can manage your auth/session modules via pam.conf and manage your security policy in one place.

Re:

[wsanders]

Actually I'm an idiot and don't deserve my mod point. BAD INFORMATION - I should have pointed out that Solaris passwd only uses the first 8 chars, and it's the bottleneck, unless you switch to MD5 as you suggest. So a password entered with passwd by default will only pay attention to the first 8 chars whether you are using telnet or ssh "out of the box".

We use public key authentication, with passwords, and bypass password authentication completely, shoudl have said that.

Oh well, won't be the first time I go

Re:

[Red Flayer]

It makes me wonder about how much original thought there is on Slashdot, versus how many comments are just clueless people using technical terms in a syntactically-correct fashion without really understanding what they're saying.

You must be new here.

If I went back into the Slashdot archives for around 1999, I wouldn't be surprised if I could find a ton of comments to the effect of "only stupid people write down their passwords".

That's because obvious truths == positive moderation. Inobvious truths and

Re:

[drinkypoo]

ssh is actually more complex than telnet and more likely to have exploitable bugs - there were a couple featured on slashdot in fact. ssh is for protection of the user, not the host system. ssh is for protection of the user, not the host system.

Keeping user accounts secure provides for the protection of the system. It's usually a lot easier to escalate from a local user to root than to simply get remote root.

It can make intrusion recovery more difficult, as you will not be able to see what the attacker is

Re:

[iamacat]

So in the case you described, encryption would benefit you and not the owner of the system. Intruder could use a shell without a tty and ptrace his own processes so that you can not. It's much more reliable to log telnet traffic from an independent system that doesn't allow any remote access. If I need to give people accounts with potentially dangerous privileges for them to do work, I might prefer telnet so that, if someone "fucks once" with my database, I can discover who it was. If I am chatting with my

Correction

[Megane]

Correction: that's one of the first things any good distro never turns on.

Linux and BSD had it for a long time before Solaris had it in the standard install. And you can't even enable telnetd on OS X since about 10.2 or so, unless you know how to edit the right config files in /etc.

Re:

[Afrosheen]

Most linux distros stopped enabling the telnet daemon post-install years ago. Now, however, even the big vendors like Redhat leave PermitRootLogin=yes in the config file for the ssh daemon which is nearly as bad. It's on my checklist as the first thing to fix post-install on new servers.

Re:

[LWATCDR]

Why have telnetd on the system at all?

I kind of thought that ssh had replaced telnet a long time ago.
Then again on a server maybe nothing should be turned on by default.

Re:

[Random BedHead Ed]

I have to admit to being amazed that telnetd is turned on at all in an installation of Solaris. In any Linux distro you have to enable it - heck, you usually have to do some digging for telnet and install it.

I remember a couple years ago in my role as a Linux admin I had to help an outside vendor access a specialized Solaris box one of our research groups used, and they wanted telnet access to it. They were shocked (and remember, this was only a couple years ago) that my network team wouldn't put an exc

Re:

[qwijibo]

Yes, they did. In PHBthink, it's cheaper to bring in a consultant at any cost when a problem occurs instead of spending the money on maintenance. The results of the money spent on maintenance are invisible, whereas consultants address known, specific problems. I think the management-by-russian-roulette philosophy is all the rage in MBA schools now.

Re:

[allenw]

Solaris 8 never officially shipped with ssh. If you have a Sun-branded ssh on Solaris 8, it was installed from something other than the official Solaris install media. It should also be pointed out that Solaris 8 is ancient stuff. Perhaps its time to upgrade the OS to a version made in this decade?

Oh no

[wumpus188]

These 4 users running telnet on solaris are gonna be pissed...

Re:

[Degrees]

After reading this [pbs.org], I wonder....

(Nowhere does it say that the solaris servers are running telnet. But our IT organization has a connection to a state agency, and today the state agency warned us they had a virus on the rampage. That agency has one of those solaris servers running in one of our mini data centers.)

Free software to the rescue?

[dosius]

What about replacing telnetd with openbsd's?

-uso.

Re:

[ebvwfbw]

What about replacing telnetd with openbsd's?

It won't help because the vulnerability is in login (that telnetd calls) and not with telenetd. Since this is almost a month old and everyone should know by now, here it is -

telnet -l "-froot" [hostname]

Re:

[The Man]

No, that's not correct. login(1) is just fine; telnetd fails to correctly validate user input, passing arguments to login that it should not.

Also, "Free software to the rescue" is rather misleading as well; the telnetd shipping in Solaris has been open source for almost 2 years. In any case, the bug has already been fixed and patches are available.

Re:

[The Man]

Another slashdotter spouting off with no clue.

I've read the code and the history in question and I probably understand the problem far better than you do. Assumption of ignorance on the part of those with whom you disagree is the very kind of "knee-jerk reaction" you assert I've had.

Did you even bother to do a "man login" to see what parms it takes? You expect login to not check for such things?

The man pages document those interfaces which are Public; that is, those which are intended for use by user

Mine is!

[Doctor Memory]

But it's only reachable via ports 80 and 443. And I installed patch #120069-02 a couple of weeks ago. In fact, I already installed the -03 version of that patch. If you keep up with your security patches, it's really not a problem. Of course, this is easy for me to say, I have one workstation; I'm sure that for sites with dozens (or hundreds) of servers, it's more problematic. I also STR that patch 120069 used to require a reboot after installation, which makes it a bit more of a hassle to install (I usually save those for Fridays, when I can install them and then walk away while the box reboots).

Re:

[tcopeland]

> I'm sure that for sites with dozens (or hundreds) of servers, it's more problematic

Although in those cases I'd hope that they'd have everything nicely automated so that pushing out updates is just a matter running some utility that executes the update on all the machines. As Zed Shaw [zedshaw.com] says, "if you're ssh'ing in to your servers more than once a week, you haven't automated things enough."

Of course there will be exceptions - custom installations and whatnot - but hopefully a change like this could just b

Re:

[fm6]

As Zed Shaw [zedshaw.com] says, "if you're ssh'ing in to your servers more than once a week, you haven't automated things enough."

Dude, many data centers have thousands of servers. Sun itself sells a blade system [sun.com] that puts 20 servers in a single rack. In that kind of environment, if you ever ssh into your systems, you haven't automated things enough!

Re:

[amper]

Not to nitpick, but did you mean 20 servers in a single rack space? Because if you didn't, 20 servers in a single, standard 42U rack isn't impressive, considering that with any ol' 1U server, you can fit 42 of them in the same space, right? OTOH, 20 servers in 1U *would* be impressive.

Re:

[fm6]

Oops. You're quite correct. Though it should be noted that each of the blades in the system I mentioned is much more powerful than any 1U system.

Re:

[drsmithy]

Sun itself sells a blade system that puts 20 servers in a single rack.

Sun's Blade system aren't particularly impressive from a density perspective - IBM's, with 14 blades per 7U (84 servers in a rack), are much more interesting.

Re:

[msouth]

> I'm sure that for sites with dozens (or hundreds) of servers, it's more problematic

Although in those cases I'd hope that they'd have everything nicely automated so that pushing out updates is just a matter running some utility that executes the update on all the machines. As Zed Shaw says, "if you're ssh'ing in to your servers more than once a week, you haven't automated things enough."

Uh, dude, I think the point is that they don't have to--we can just write a worm that installs the patch for them...

Re:

[Nonac]

> If you keep up with your security patches, it's really not a problem.

I dare say that most sysadmins who keep up with patches don't have telnetd running.

Re:

[multipartmixed]

I'm a sparc user so I don't have 120069, but 120068-03 "SunOS 5.10: in.telnetd patch" is listed as "Install Requirements: NA". Presumably these are the same patch. ...Interesting, -03 seems to fix 6524404 which says "rebootafter property is not necessary".

Looks like -02 says it required a reboot but didn't; -03 does it right (I didn't get -02, I just disabled in.telnetd).

-02 is quite hiliarious, it fixes bug "6523815 LARGE vulnerability in telnetd"

Re:

[xsbellx]

While I agree with the philosophy of of your post, the real world has a slightly different opinion. Let's take an example:

1) You have 1200 Solaris production systems running various levels of Solaris, 7 through 10. You have an identical test environment, same 1200 severs running exactly the same version of everything. Add to this 700 odd UAT systems and about 500 dev systems. So now we are looking at 3600 servers. Now it's time to throw some bureaucracy into the mix.

2) Patches must be TESTED in the dev

I might have missed something....

[8127972]

.... but wasn't this just fixed?

http://blogs.sun.com/tpenta/entry/the_in_telnetd_v ulnerability_exploit [sun.com]

Re:

[pizza_milkshake]

yes, but not everyone applies every patch the instant it becomes available.

Re:

[diegocgteleline.es]

Duh, you mean that sun doesn't have automatic software updates turned by default? It's a stupid thing to do, even for servers - and "admins must test the update first" is not an excuse, I'd rather have something breaking than a security hole

Re:

[Doctor Memory]

I'd rather have something breaking than a security hole

I doubt you'll find many sysadmins agreeing with you there. As someone else mentioned, most sysadmins will already have disabled telnetd. So to install a patch and reboot their systems without warning (possibly during the work day) seems like a little harsh treatment for somebody who's already mitigated the threat.

Re:

[boner]

that is utterly stupid... you'd rather have an automatic update break your box so you can spend hours trying to find out how???

For a reasonable commercial system downtime is measured in thousands of dollars of lost revenue per hour. You will want to update your post after you have had a CEO, CTO, CFO etc... throwing a hissy fit because the system is down... 'automatic update' as an excuse will get you fired, and rightly so.

Re:

[djh101010]

Duh, you mean that sun doesn't have automatic software updates turned by default? It's a stupid thing to do, even for servers - and "admins must test the update first" is not an excuse, I'd rather have something breaking than a security hole

In the real world, things need to be tested and run through the dev/stage/prod environments. This isn't Joe's Bait Shop we're talking about...

Re:

[diegocgteleline.es]

This isn't Joe's Bait Shop we're talking about...

Which is why I wouldn't like to have a system that doesn't patches security holes ASAP.

Re:

[djh101010]

This isn't Joe's Bait Shop we're talking about...

Which is why I wouldn't like to have a system that doesn't patches security holes ASAP.

Unless you can show me otherwise, I'm going with the statement made by several folks in the thread that it's disabled by default. It's only a security hole if you open it. If you cut a hole in the side of your house for when you leave, is that the house-builder's fault?

It's been a long day...

[Odiumjunkie]

So, just to be clear, this story, posted on March 2nd, is reporting on a worm which has started exploiting a zero day vulnerability that was covered by slashdot on February 12th?

Isn't twenty days long enough to disable a remotely exploitable and totally unnecessery, unsafe service that no admin in his right mind should have enabled on a box connected to the net anyway?

Re:It's been a long day...

[Cheapy]

Sysadmins have been search this entire time to find a Solaris box to fix.

They are still searching.

Re:

[8127972]

You must be new here.

Re:

[Billosaur]

Isn't twenty days long enough to disable a remotely exploitable and totally unnecessery, unsafe service that no admin in his right mind should have enabled on a box connected to the net anyway?

Yes, but some people are a little slow... others are just overworked... and then there are the stupid ones...

Honestly, does anybody have a use for telnet anymore? It really shouldn't be enabled by default anyway. I guess if your system isn't connected to the Internet you have no fears, but who would do that?

Re:

[qwijibo]

I work for a major bank that leaves telnet on all over the place, in spite of the 1997 company policy of replacing it with SSH as soon as possible. Sensible configuration and maintenance are impossible when business people micromanage the technology side. You'd think that putting a gun to their head would be enough to make people do it, but you'd be wrong. They're one step ahead of us all. Business people cannot be harmed by a bullet to the brain. They're already brain dead.

Re:

[dknj]

Judging by your UID, i will assume you are new here and new to IT in general. In The Real World(tm), patches are not applied as soon as they are released. You must test them, most managers are clueless to OS level patches and require the same testing process that, say, application testing goes through. I have seen patches take a week to be approved and put into production and I have worked with companies that have a 30 day delayed patch release schedule.

With that said, no one should be running any insecu

Re:

[Nethead]

Judging by your UID, I will assume you are new here.

Re:

[dknj]

no just a long time lurker. i should have a uid in the 5 digit range, but i always posted as AC. when i finally decided to register an account, it was already in the 400,000 range. similar with icq, k5, and audiworld

Should have happened...

[alexhs]

What about this argument that OSs other than Microsoft ones don't get malware developped for them because they don't have significant marketshare, again ?

Re:

[the_humeister]

It's not just marketshare. Being easily exploited and high profile also need to fit the bill too. Do we ever hear about exploits for QNX, BeOS, OS/2, Minix, etc? At least we don't hear about them on slashdot.

Re:

[runderwo]

Do we ever hear about exploits for QNX, BeOS, OS/2, Minix, etc? At least we don't hear about them on slashdot.

Yeah, but to be exploited, you first need a network stack. Oh, and you'll need one to submit the story to slashdot too.

Amazing...

[patio11]

I was wondering how to spin this so that it would possibly be anti-Microsoft. Thank you, Slashdot.

telwhat?

[glwtta]

Tell who?

What year is it?

Re:

[Nethead]

In other news, gopherd......

Other Telnet vulnerabilities

[Flying pig]

Amazing but true - there are printers on some networks which are accessible over the public Internet and which have their telnet ports exposed. I'm obviously not spelling out the implications here, but some people need the proverbial rocket up the backside.

Re:Other Telnet vulnerabilities

[geoffspear]

I've yet to come across a printer that was running Solaris, but I'll certainly keep that in mind if I ever do.

Re:

[geoffspear]

Ok, that makes it more likely (but probably not by a huge amount) that I will someday come across one of these. Hey, who needs servers when your printer is a Sparc?

Re:

[wiredlogic]

Most later HP laserjets with jetdirect cards have two ports open by default. One for an interactive command shell and the other for an interactive Postscript session.

What proverb is that?

[SanityInAnarchy]

proverbial rocket up the backside.

I'm pretty sure I never heard my mother say, "Son, if you ever expose a Telnet port to the Internet, I'll fire a rocket up your ass!"

Re:

[Elm Tree]

You're lucky! My mother flipped when she found out I'd exposed my... "ports" on the internet.

Re:

[Maximum Prophet]

Well, that would be Bob 37:527 "Fear the rocket, and keep your ports closed, lest your ass gets burnt."
Bob 37:528 goes on to say. "Close down all your ports, and only open the ones truely needed, or the you will learn why you should fear the rocket."

Informative?

[SanityInAnarchy]

What kind of mod is that?... ...Mom, is that you?

Telnet for transparency?

[Anonymous Coward]

A while ago I found a strange comment here about why telnet was still used, even by security-knowledgeable IT department. The comment was saying this:

Large financial institutions in Europe use telnet, as use of encryption is restricted on their trusted networks, for reasons of transparency to the stock regulating authorities. (Googling for this phrase should get you the /. comment)

If this is true (and not the post of a random troll), can anyone shed some light on this? For it seems very strange... There are many other way to provide transparency to the financial authorities without having to compromise your network no!?

A new box won't have this problem...

[kenh]

This is not present in the Update 3 of Solaris, released 11/06 - that prompts the user to enable "network services" if they like, but warns that will expose the system to problems. One of those problems is the famously insecure telnetd service. If you say "No" telnetd is not installed/activated - and "No" is the default.

Existing boxes need to fix this, but a patch has been out for a while - are we dealing with the "short bus" hackers that it took this long to actually exploit? Why, oh why, doesn't Solaris warrant better hackers? ;^)

Re:

[kenh]

I stand corrected - see: http://docs.sun.com/app/docs/doc/819-6764/6n8onr7p d?a=view [sun.com]

But, the installer does explain (in no uncertain terms) that you should probably disable Network Services - you can alway enable the services you need...

Thanks,

Re:

[steveg]

And I can promise you that 1106 DOES have the insecure telnet. You have to apply the patch if you ever want to enable telnet -- and if you choose to enable Network services for some other reason, like, oh, say to use XDMCP, you get telnet enabled as a bonus.
.

congradulations...

[Jose]

...on writing the worlds most unsuccessful worm.

isn't even coming close to their trend on activity-by-ports page

So they finally secured sendmail and fingerd?

[iamacat]

And is it going to take another 20 years to close all the holes in telnet?

It's good to get the word out about this

[Tarlus]

At the university where I work, there were a number of people running Solaris boxes who weren't even aware that telnet was running. It's not that they weren't aware of the secure advantage of using SSH. But they just weren't paying close attention to what ports they had open.

So if you or someone you know runs Solaris, but uses SSH, make sure that telnet is 100% disabled for sure!

Telnet?!

[kindbud]

I don't even run inetd!

Wecome back Morris

[daves]

Given the age of the vulnerability, it's probably just the Morris worm [wikipedia.org] still kicking about.

Why use telnet, anyway?

[Sherloqq]

The last time I used telnet was probably somewhere in the late 90's. Since then I've been using ssh, like most people. Besides being secure, ssh puts a lot of power and flexibility at my fingertips: port-forwarding for tunnelling, passwordless connectivity, secure file transfers just to name a few. So it could be that it's been so long that I don't see the point of using telnet anymore, let alone willingly leave it enabled on my systems.

So besides the old argument of "I have legacy systems / applications wh

Re:

[99BottlesOfBeerInMyF]

So besides the old argument of "I have legacy systems / applications which rely on telnet and other outdated modes of communication", why would people use telnet? Laziness? Ignorance? What else am I missing here?

People who use telnet on a large scale that I know of include:

• European financial companies who are not allowed to use encryption while trading stock for regulatory reasons (on a private network).
• South and Central American ISPs who provide shell accounts as part of internet access and who have to support the lowest common denominator.
• Major network operators in Asia and China who run telnet on their control networks.
• New hardware appliances that are configured once from telnet or console and for whom SSH

And is this somehow different that other versions?

[amper]

'The SANS Internet Storm Center, which monitors Internet threats, has noticed some increase in activity on the network port used by Solaris' telnet feature, according to an ISC blog posted on Tuesday.

Pardon my ignorance, but doesn't Solaris use TCP port 23 like every other version of telnet in the universe, unless it's specifically redirected to a different port?

The real vulnerability... telnet enabled at all!

[argent]

I would have thought that by now nobody would be shipping systems with telnetd enabled by default.

NOT.CHUFFING.WELL.TRUE.

[sparkz]

Telnet is *not* enabled out-of-the-box.

And, as has been noted, the patch has been available for about 3 weeks now.

This is a terrible bug, which should never have got in to Solaris in the first place, but it did, and it was fixed.

OTOH, if you've
a) Chosen to run telnetd in the first place, and
b) Explicitly enabled remote root login for maximum damange
Then you can't really whine that "if a cracker can access the network, he can get root", because presumably "even if this bug did n

Re:

[SanityInAnarchy]

It's such a joke that every one claims to be more secure then the next guy. But really they mean if you turn everything off and patch your system every day.

Which is the default, these days.

That's what a 0 day exploit means. You have to patch every day or you could be at risk.

No, a 0 day exploit means even if you patch every day, you're still at risk. But you know what? You're at risk every day simply by being alive. You could be hit by a meteor the next second! Oh noes!

Grow up and stop fearmongering. Th