Simon Josefsson Warns of an Authentication Bypass Vulnerability in telnetd

"Recommendation: do not run a telnetd server at all," Josefsson advises.

Anyone running a telnet daemon for unsecured remote access is advised to take notice of a serious security vulnerability, spotted this week after seemingly going unnoticed for a decade — one that allows anyone on the network to bypass authentication and log in as the root user.

"The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter," explains Simon Josefsson of the flaw, first reported by security researcher Kyu Neushwaistein/Carlos Cortes Alvarez, in a post to the GNU InetUtils bug mailing list. "If the client supplies a carefully crafted USER environment value being the string '-f root', and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes."

The telnet protocol was developed as part of the ARPANET project in the late 1960s and was standardized in the 1970s as part of Internet Standard 8. It offers the ability to log in to remote systems and includes the ability to authenticate with a username and password — but does not include any more secure form of authentication nor default support for encryption, meaning all data is transmitted in the clear. As a result, most in-the-wild use has been replaced with more secure protocols like Secure Shell (SSH) — though a surprising amount of embedded hardware still offers a telnet option.

Neushwaistein's discovery is specific to the telnetd daemon provided as part of the GNU InetUtils project, and can be traced to a failure to sanitize user input before passing it to the login tool — which can be tricked into bypassing authentication and logging the remote user in under any local user account, including the "root" super user, without needing a password. The flaw, Josefsson says, has been present in all versions of telnetd since 1.9.3, released more than 10 years ago.
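The input-handling mistake described above, as an added illustration rather than code from InetUtils or from the actual patch: a hypothetical login_user_is_safe() check that refuses any value login(1) could read as an option, placed in front of the argv construction. The 32-character bound and the permitted character set are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check (not the InetUtils patch): accept only a name that
 * cannot be parsed by login(1) as an option or split into extra arguments. */
int login_user_is_safe(const char *user)
{
    if (user == NULL)
        return 0;
    size_t len = strlen(user);
    if (len == 0 || len > 32)          /* assumed upper bound on a login name */
        return 0;
    if (user[0] == '-')                /* "-f root" style values start here */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        /* Spaces, shell metacharacters and control bytes are all rejected. */
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Builds the argv that would be handed to execv() for login(1).
 * Real telnetd places fixed options first; the client-supplied name is
 * always the last parameter, as the report describes.
 * Returns the argument count on success, or -1 if the value was rejected. */
int build_login_argv(const char *user, const char *argv_out[], int max_args)
{
    if (max_args < 3 || !login_user_is_safe(user))
        return -1;
    argv_out[0] = "/usr/bin/login";
    argv_out[1] = user;
    argv_out[2] = NULL;
    return 2;
}

int main(void)
{
    /* Constructed sample values: one ordinary name, one option-shaped one. */
    const char *samples[] = { "alice", "-f root" };
    for (size_t i = 0; i < 2; i++)
        printf("\"%s\": %s\n", samples[i],
               login_user_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```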

"Recommendation: do not run a telnetd server at all," Josefsson advises. "[Or] restrict network access to the telnet port to trusted clients. Apply the patch or upgrade to a newer release which incorporates the patch."

The patch, developed by Paul Eggert and extended by Josefsson, is available in Josefsson's GNU InetUtils bug mailing list post; Neushwaistein's original report is available in the same thread.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.