A security vulnerability in the in.telnetd(1M) daemon shipped with Solaris 10 may allow a local or remote unprivileged user who is able to connect to a host using the telnet(1) service to gain unauthorized access to that host by connecting as any user on the system, allowing them to execute arbitrary commands with the privileges of that user. This would include the root user (uid 0) if the host is configured to accept telnet logins as the root user.

Note: There is at least one WORM in existence that is making use of this exploit to compromise system integrity.

This issue is described in the following documents:

CERT VU#881872 at http://www.kb.cert.org/vuls/id/881872

CVE-2007-0882 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882

This issue can occur in the following releases:

SPARC Platform

• Solaris 10 without patch 120068-02

x86 Platform

• Solaris 10 without patch 120069-02

Notes:

1. Solaris 8 and 9 are not affected by this issue.
2. This issue only affects systems which have the telnet(1) service enabled.

The following command can be used to determine if the service is enabled, which will output 'online' for the service state if the system is affected by this issue:

    $ svcs telnet
    STATE          STIME    FMRI
    online         Jan_30   svc:/network/telnet:default

If remote root logins are disabled, the impact of this issue will be limited to users other than root.

Remote root logins are disabled if the file "/etc/default/login" contains a line that begins with 'CONSOLE'. This can be seen using the grep command as shown below:

    $ grep CONSOLE /etc/default/login
    CONSOLE=/dev/console

If this line has been commented out by inserting a '#' at the beginning, as in the following example:

    #CONSOLE=/dev/console

or if there is no line containing the word 'CONSOLE', then this issue will also apply to the root user.

See login(1) for more information about the /etc/default/login file.

Depending on the manner in which this issue has been exploited, the output from commands such as last(1) (which display information about login and logout activity), may show unexpected logins to the system. Using the '-a' flag with the last(1) command will show the hostname associated with these logins.

To workaround this issue, the telnet service can be disabled as in the following example (Note that this will remove the functionality of the in.telnetd daemon on that host):

    # svcadm disable svc:/network/telnet:default

Note: If instead of disabling the service, removal of the service is being considered, then please first read Sun Alert 102799:

"Synopsis: svc.startd(1M) May Core Dump While Removing a Service, Causing patchrm(1M) to Terminate and Leave the System Unbootable"

In addition, it is also possible to uncomment (or add) the 'CONSOLE' line in the "/etc/default/login" file so that it looks similar to the following:

    CONSOLE=/dev/console

However, this will only prevent unauthorized access to the root account; other user accounts will still be affected by this issue.

Until patches can be applied, you may wish to block access to the telnet service from untrusted networks such as the Internet. Use a firewall or other packet-filtering technology, such as ipfilter, which is shipped with Solaris 10, to block the appropriate network ports.Consult your vendor or your firewall documentation for detailed instructions on how to configure the ports.

This issue is addressed in the following releases:

SPARC Platform

• Solaris 10 with patch 120068-02 or later

x86 Platform

• Solaris 10 with patch 120069-02 or later

Note: These patches have been created with a tag that says that a reboot is required after installation. However, this is incorrect (see Bug 6524404). Future Solaris 10 telnetd(1M) patch revisions have had this tag removed.

• Updated Contributing Factors and Resolution sections
• State: Resolved

14-Feb-2007:

• Updated Relief/Workaround section

16-Feb-2007:

• Updated Resolution section

28-Feb-2007:

• Updated Impact and Relief/Workaround sections

This solution has no attachment