Solaris telnet vuln solutions digest and network risks

a couple of updates and a summary digest of useful information shared from all around on this vulnerability, for those of us trying to make sense of what it means to our networks:

1. sun released a patch (although it is not a final one). it can be found on their site
( http://sunsolve.sun.com/tpatches – thanks to casper dik of sun, for those who have been following the discussion).

to quote: “the simplest possible fix on such short notice”:
open solaris source diff

2. if you haven’t already, i strongly recommend checking your network for machines running telnet, and more specifcially, vulnerable to this particular issue.

several folks are speaking of third-party appliances running on solaris, as well as some back-end voip devices that have been confirmed as vulnerable.

apparently, telnet returns a different answer when this vulnerability is used. we are not sure yet, but noam rathaus brought up the option that it looks like the client responds with a “won’t authentication option” to the server’s “do authentication option”. this could perhaps be used to actively detect the “attack”.

3. if this solution is viable for you and you haven’t already, acling 23/tcp at the border or from your user space may not be a bad idea, if it won’t kill anything. at least for now.

4. bleeding edge (ex bleeding snort) released snort signatures for this:
bleeding threats snort signature

quoting:
——–
chris byrd has submitted an accurate signature for the exploit.
# submitted 2007-02-12 by chris byrd
alert tcp $external_net any -> $home_net 23 (msg:.bleeding-edge exploit
solaris telnet user environment
vuln.; flow:to_server,established; content: .|ff fa 27 00 00 55 53 45 52
01 2d
66|.; rawbytes; classtype:attempted-user; reference:url,riosec.com/solaris-telnet-0-day; sid:2003411; rev:1;)
——–

4. an analysis of how this vulnerability works can be found here:
http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf

and blogs by sun on how this happened and was fixed (thanks to georg oppenberg):
http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit
http://blogs.sun.com/danmcd/entry/how_opensolaris_did_its_job

and a fine explanation by casper dik on bugtraq:
http://seclists.org/bugtraq/2007/feb/0205.html

a bit of background:
http://blogs.securiteam.com/index.php/archives/814

and some on how corporations responded as we saw from our own client base:
http://blogs.securiteam.com/index.php/archives/819

opinion:

whatever my thoughts are on how silly, sad or funny this vulnerability is (quaint really), how they use telnet (?!) and how sun should be smacked on the back of the head for it, i have to honestly admit sun’s response and the level they were open to the community and industry on this without too many pr/legal blocks getting in their way are very encouraging, releasing information on the vulnerability, how it happened and why, a quick beta patch and even discussing openly on mailing lists.
i am in awe. now it is time for others to follow their example.

this one, despite its simplicity and age, is going to be with us for a while.

gadi evron,

ge@beyondsecurity.com.

Share