Closed Door Security, Talion and CybaVerse respond to Telnet vulnerability

It has been reported that a new vulnerability has been discovered in GNU InetUtils Telnetd that could let remote attackers gain root access without a password, putting any exposed Telnet service at risk of full system compromise. The flaw requires no user interaction and can be exploited over the network with a crafted login request. In response to the news, security experts at Closed Door Security, Talion and CybaVerse give their comments.

Juliette Hudson, CTO of CybaVerse, said: “This vuln is actually pretty nuts. It seems to be super old, vulnerable since 2015, and affects systems running the GNU Inetutils Telnetd implementation. No user enumeration is required, so an attacker doesn’t need to do any meaningful work prior because of the abuse of variables passed to login(1).

“This essentially tells the system ‘all good, you can trust me’, bypassing the normal authentication flow entirely.

“If a telnet service using this vulnerable implementation is exposed to the internet (I really hope not!), even just by having it as a legacy service and not actively used, it is trivial for an attacker to gain unauthorised privileged access, typically resulting in a root-level session.

“Even if telnet is only running internally, once an attacker has a foothold on any host, potentially with low privileges, they can scan for port 23/telnet and abuse this to bypass authentication and obtain privileged access on that system.

“I would expect to see an increase in scanning for telnet as opportunists look for exactly this. Telnet is often forgotten about and left running in networks. If a vulnerable telnet service is running and exposed publicly, the safest assumption is that the host is already compromised until proven otherwise.

“This advice should absolutely be followed ASAP:

  • Do not run a telnetd server at all. Restrict network access to the telnet port to trusted clients.
  • Apply the patch or upgrade to a newer release which incorporates the patch.

Workaround:

  • Disable the telnetd server, or make the InetUtils telnetd use a custom login(1) tool that does not permit use of the ‘-f’ parameter.”
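As an added illustration of the workaround quoted above (this is example code, not from inetutils or from any of the firms quoted), a small POSIX sh front-end for login(1) that refuses any invocation carrying -f and hands everything else to the real binary. The path of the renamed real login and the assumption that telnetd can be pointed at the wrapper are assumptions, not taken from the advisory.

```shell
#!/bin/sh
# login-nofuser: drop-in front-end for login(1) that refuses the "-f"
# (pre-authenticated) option, matching the advisory's workaround of a
# custom login tool that does not permit -f. Everything here is an
# assumption for illustration: the real login is expected to have been
# renamed to $REAL_LOGIN and telnetd's login path pointed at this script.

REAL_LOGIN="${REAL_LOGIN:-/bin/login.real}"   # assumed location of the renamed real binary

# login_args_rejected ARGS...
# Returns 0 (true) when any argument is an option word containing "f",
# which covers "-f", "-f root" and bundled forms such as "-pf". It does
# not try to recognise "--" or to strip the flag: any suspicious
# invocation fails closed, because a missed -f is an auth bypass while a
# false positive only costs one refused Telnet login.
login_args_rejected() {
    for arg in "$@"; do
        case "$arg" in
            -*f*) return 0 ;;
        esac
    done
    return 1
}

# run_wrapper ARGS...
# Logs and refuses a -f invocation, otherwise hands off to the real login.
run_wrapper() {
    if login_args_rejected "$@"; then
        logger -p auth.warning -t login-nofuser "refused login invocation: $*" 2>/dev/null || :
        printf 'login: the -f option is disabled on this host\n' >&2
        exit 1
    fi
    exec "$REAL_LOGIN" "$@"
}

# Only act as the wrapper when installed under one of these names; when the
# file is sourced or run under another name, only the functions are defined.
case "${0##*/}" in
    login|login-nofuser) run_wrapper "$@" ;;
esac
```

Refused invocations land in the auth log under the tag login-nofuser, which doubles as a detection signal for attempts against the telnet service.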
William Wright, CEO of Closed Door Security, said: “This is a really simple, but really cool vulnerability that’s likely existed for ages and just no one has noticed. Thankfully, telnet is an old protocol that isn’t used widely on the internet these days, but it is extensively used on internal systems still.

“Whilst this specific vulnerability may not be present in them all, a number of networking devices still utilise telnet. Key takeaways are to disable legacy protocols and protect those that cannot be disabled with access controls such as source IP based firewall rules. And of course, patch.”

Daniel Wilcock, threat intelligence analyst at Talion, added: “GNU Inetutils is a collection of core networking functionality and management tools needed for Unix-like or Linux systems, such as telnet, ping, ftp, ifconfig, traceroute, and syslogd.

“The research presented by Kyu Neushwaistein aka Carlos Cortes Alvarez shows that the flaw mentioned in the Security Advisory was originally introduced in GNU InetUtils version 1.9.3, dating back to May 2015, and has continued to be present up to today’s version, 2.7.

“The specific vulnerability relies on the use of telnetd (Telnet Daemon) which is a server program that listens for incoming connections using the legacy Telnet protocol and allows you to connect to and communicate with remote computers over a transmission control protocol/Internet protocol (TCP/IP) network.

“Telnet has since been superseded by other more secure protocols such as SSH but it’s understood that it is still used in legacy or low power devices.

“The Advisory advises that telnetd contains an authentication bypass vulnerability in its handling of user-supplied variables in which malicious actors could create and input a homebrewed $USER environment variable that can bypass all authentication and allow them access to a vulnerable system with any known user privileges, including ROOT.

“Talion would classify this flaw as High Severity as it represents the highest level of privilege escalation, through which malicious actors could gain near-unrestricted access to a device/domain/network.

“If able, we would advise disabling telnet access and ensuring proper network access controls are in place; however, if this isn’t possible, patches have been supplied via the advisory:
https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc”
