Published: 2007-03-01T02:55+00:00    Last Updated: 2007-03-01T02:55+00:00

TRTA07-059A
Sun Solaris Telnet Worm

Overview

A worm is exploiting a vulnerability (VU#881872) in the Sun Solaris telnet daemon (in.telnetd).

Event Information

Date (UTC)Description
2007-03-01 05:51 JPCERT/CC
JPCERT-AT-2007-0007: Sun Solaris in.telnetd Worm
2007-03-01 00:26 US-CERT
TA07-059A: Sun Solaris Telnet Worm
Via US-CERT Mailing List
2007-02-28 21:00 US-CERT
Worm Actively Exploits Vulnerability in Sun Solaris Telnet Daemon
US-CERT is aware of public reports of a worm that is actively exploiting a known vulnerability in the Sun Solaris telnet daemon (in.telnetd). The worm targets Solaris 10 (SunOS 5.10) systems that are not patched to address this vulnerability and have enabled the telnet daemon.
2007-02-28 Sun Microsystems
Solaris in.telnetd worm seen in the wild + inoculation script
Sun Microsystems is aware of an active worm which exploits the in.telnetd vulnerability described in Sun Alert 102802.
2007-02-27 SANS Internet Storm Center
Solaris worm?
Looks like a netrange over in France is scanning around for port 23. Read the article for further details about the "worm".
2007-02-13 Internet Security Systems
Solaris Telnet Login Authentication Bypass
2007-02-12 17:14 US-CERT
Authentication Bypass Vulnerability in Sun Solaris Telnet Daemon
US-CERT is aware of an authentication bypass vulnerability in the Sun Solaris telnet daemon (in.telnetd). The Sun Solaris telnet daemon does not properly sanitize the USER Environment variable before passing it to the login process.
2007-02-12 09:58 US-CERT
VU#881872: Sun Solaris telnet authentication bypass vulnerability
A vulnerability in the Sun Solaris telnet daemon (in.telnetd) could allow a remote attacker to log on to the system with elevated privileges.
2007-02-12 SANS Internet Storm Center
Another good reason to stop using telnet
There is a major zero day bug announced in solaris 10 and 11 with the telnet and login combination. It has been verified. In my opinion NOBODY be should running telnet open to the internet. Versions of Solaris 9 and lower do not appear to have this vulnerability.
2007-02-12 Sun Microsystems
Sun Alert 102802: Security Vulnerability in the in.telnetd(1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host
A security vulnerability in the in.telnetd(1M) daemon shipped with Solaris 10 may allow a local or remote unprivileged user who is able to connect to a host using the telnet(1) service to gain unauthorized access to that host by connecting as any user on the system, allowing them to execute arbitrary commands with the privileges of that user. This would include the root user (uid 0) if the host is configured to accept telnet logins as the root user.
2007-02-11 Bugtraq
Sun Solaris Telnet Remote Authentication Bypass Vulnerability
Vulnerability Proof Of Concept (CVE-2007-0882)

Other Information