• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Sun Solaris Telnet Remote Authentication Bypass Vulnerability

Severity: CRITICAL

Description:

Sun Solaris 10 is prone to a vulnerability that allows remote attackers to bypass authentication.

This issue presents itself when remote attackers use the '-l-f<user>' parameter when connecting to vulnerable computers. The '-l' telnet client option results in sending the USER environment variable to the server. The contents of the variable are passed onto the 'login' program, which interprets the '-f' option as logging in as the specified user without first prompting for authentication.

If non-console logins for superuser are enabled in '/etc/default/login', then remote attackers may use '-froot' to login as the superuser without authentication. Otherwise, attackers may gain access as any other user (including 'bin').

Successfully exploiting this issue allows remote attackers to gain remote access to vulnerable computers. If the targeted computer is configured to allow non-console logins for superusers, then remote superuser access is possible.

Update: By exploiting the same underlying flaw, attackers may also pass arguments such as '-l-d/dev/console' to bypass the 'CONSOLE=/dev/console' line in '/etc/default/login'. This does not directly bypass authentication, but may possibly be used in conjunction with '-froot'.

Affected Products:

• Avaya Interactive Response 2.0
• Nortel Networks Media Processing Svr 1000 Rel 3.0
• Nortel Networks Media Processing Svr 500 Rel 3.0
• Nortel Networks Self-Service - CCSS7
• Nortel Networks Self-Service - Peri Application Rel 3.0
• Sun Solaris 10.0
• Sun Solaris 10.0_x86

References:

• Avaya: ASA-2007-062 - Security Vulnerability in the in.telnetd(1M) Daemon May Allow Una
• Nortel: Nortel response to Solaris Security Vulnerability in the in.telnetd(1M) Daemon
• Riosec: solaris-telnet-0-day
• SANS: Another good reason to stop using telnet
• Sun: Sun Alert ID: 102802 - Security Vulnerability in the in.telnetd(1M) Daemon May A
• Sun Microsystems: Solaris Homepage
• US-CERT: Vulnerability Note VU#881872 - Sun Solaris telnet authentication bypass vulnerab

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.