CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
98.6%
A vulnerability in the Sun Solaris telnet daemon (in.telnetd
) could allow a remote attacker to log on to the system with elevated privileges.
The Sun Solaris telnet daemon may accept authentication information via the USER
environment variable. However, the daemon does not properly sanitize this information before passing it to the login program, and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. In some default configurations of Solaris this vulnerability cannot be exploited to gain access to the root
account, but it can be used to gain privileges of other accounts, such as adm
and lp
.
According to Sun, Solaris 10 (SunOS 5.10) and Solaris “Nevada” (SunOS 5.11) are affected by this issue. More information is available in Sun Alert Notification 102802 and in Alan Hargreaves’ blog, here and here.
This vulnerability is being exploited by a worm, for more information see the Security Sun Alert Feed and Technical Alert TA07-059A.
A remote attacker could log on to a vulnerable system via telnet and gain elevated privileges.
Apply a patch
Apply the patches referenced in Sun Alert Notification 102802.
Disable telnet
Disable telnet if it’s not needed. Telnet can be disabled by issuing the following command:
# svcadm disable telnet
Restrict access
You may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by Sun Solaris telnet (typically 23/tcp). This will limit your exposure to attacks.
Prefer SSH over telnet
881872
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: February 12, 2007 Updated: February 16, 2007
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see Sun Alert Notification 102802.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23881872 Feedback>).
Group | Score | Vector |
---|---|---|
Base | 0 | AV:–/AC:–/Au:–/C:–/I:–/A:– |
Temporal | 0 | E:ND/RL:ND/RC:ND |
Environmental | 0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
This vulnerability was reported by Kingcope.
This document was written by Art Manion and Chris Taschner.
CVE IDs: | CVE-2007-0882 |
---|---|
Severity Metric: | 67.50 Date Public: |
asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/
blog.ncircle.com/blogs/vert/archives/2007/02/whats_old_is_new_again.html
blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
blogs.sun.com/tpenta/entry/more_on_the_in_telnetd
blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit
erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html
riosec.com/solaris-telnet-0-day
secunia.com/advisories/24166/
securitytracker.com/alerts/2007/Feb/1017625.html
sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1
www.ciac.org/ciac/bulletins/r-139.shtml
www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf
www.computerdefense.org/?p=258
www.ietf.org/rfc/rfc1572.txt