Computer Emergency Response Team - Industrie Services et Tertiaire
"0-day" in the "telnetd" daemon targeting Solaris 10 and 11

Reference: CERT-IST/AL-2007.002
Version: 2.0
Version date: 14 February 2007

Vulnerability Classification
Risk:
very-high
Impact: Take control
Confidence: Vendor-acknowledged and tested locally
Attack expertise: Beginner
Attack requirements: Remote (no account) over a standard service

System Information
Affected Platform(s):
  • Solaris 10 and 11 systems
Affected Software(s):
  • "telnetd" daemon
Impacted products

Description
Publication context:
 This alert has been re-issued in version 2.0 (14-February-2007) following the release of the final patches by Sun. 
Problem description:
This Alert has been initially released in version 1.0 (12-Feb-2007) for the same issue we addressed in the "potential DanGer"  (CERT-IST/DG-2007.003) , we sent the same day, because the exploit method is really  trivial  and is currently discussed in public mailing lists.

In the version 1.0 of this Alert, in order to protect Solaris 10 and 11 systems against such attacks, Cert-IST recommended to immediately stop the "telnetd" daemon  and to use the SSH daemon (instead of "telnetd") for remote connections. Other temporary solutions are available in "potential DanGer" CERT-IST/DG-2007.003.

Now, Cert-IST recommends to apply the Sun patches.

Solution

01 - Apply the Sun patches regarding the "telnetd" daemon vulnerability


SparcIntel
Solaris 10120068-02120069-02


02 - Temporary workaround regarding the "telnetd" daemon vulnerability

  • Disable the "telnetd" daemon : svcadm disable telnet

03 - Sun script to cleanup an infected Solaris 10 or 11 system

Standard vulnerability IDs

Additional Resources

History
Version Comment Date
1.0 Alert creation 12 February 2007
2.0 Sun final patches available 14 February 2007



Copyright © 1999-2005 Cert-IST. All rights reserved