Sun’s Solaris 10 Highly Vulnerable to Unlikely Telnet Exploit

Sun Microsystems, Secunia, the United States Computer Emergency Readiness Team and other security agencies have issued alerts for a somewhat oxymoronic telnet vulnerability in the Sun Solaris 10 operating system.

The vulnerability is oxymoronic because, while it’s possible for a hacker to gain potentially devastating access to a system, the administrators in charge of the system would also have to set up telnet usage against Sun’s recommendations in a way that would be about as secure as leaving your back door unlocked.

Root Access

The vulnerability in the telnet daemon shipped with Solaris 10 can let a hacker connect to the host and use the telnet service to gain unauthorized access to that host by connecting as any user on the system, according to Sun, allowing a hacker to execute arbitrary commands with the privileges of that user.

“This would include the root user if the host is configured to accept telnet logins as the root user,” Sun said. A hacker logged in as the root user could, of course, wreak havoc. To add insult to injury, a hacker doesn’t even need to use any special tools to gain access through this vulnerability — you could gain access by adding simple text to the telnet command.

“The good news is, you don’t automatically get root access — Solaris has had protected root access for a while — the only way you can get root access, which would be the really bad part, is if you specifically turned on telnet to gain root access,” Sun spokesperson Russ Castronovo told LinuxInsider.

“So in addition to us not being aware of anyone harmed by this exploit, a series of somewhat unlikely events would have to occur in order for someone to be exposed to this problem. They would have to go against recommendations for using telnet,” he added.

Vulnerability intelligence provider Secunia rates the problem as “moderately critical,” and notes that the solution is to disable the telnet service or use it only in a trusted network environment.

Who Still Uses Telnet, Anyway?

Telnet is an old network protocol that most savvy organizations eschew in favor of the more secure SSH protocol. The problem is that early versions of Solaris 10 that Sun shipped had the telnet service automatically enabled, while more recent versions of Solaris 10 and the beta version of Solaris 11 have shipped with the telnet service disabled.

While earlier versions of Solaris 10 shipped with telnet enabled by default, most systems administrators intentionally configure their systems to their own specifications, Castronovo explained. Consequently, Sun isn’t sure how many installations of Solaris 10 are running with the telnet service enabled, but he suspects that most customers would have disabled it anyway.

A Quick Fix

In any event, Sun jumped on the problem quickly and has already provided a temporary fix at sunsolve.sun.com/tpatches. Sun has also provided command details for determining if the telnet service is enabled in the first place.

Solaris 10 running on both SPARC and x86-based platforms are affected, while Sun Solaris 8 and 9 are not affected.