Weekly Edition
Return to the Security page
| |||||||||||||
A hole in telnetdAn unexpected FreeBSD security team "holiday message" had an underlying cause that was, perhaps, even more surprising: a long-standing remote code execution flaw in telnetd. As the message notes, FreeBSD tries hard to avoid releasing security updates at inconvenient times, and the end of the year is pretty inconvenient for most. But, attacks were being seen in the wild and, since telnetd is typically run as root, the consequences were severe. Some, perhaps many, readers can be forgiven for wondering what all the fuss is about, as it has been well over a decade since telnet was being actively discouraged for use on Linux (and other operating systems). It is still present in many distribution repositories, however, which led to a pile of Linux updates in addition to the FreeBSD update. It turns out that telnetd is actually being used much more than one might think, especially on embedded devices. The reason that telnet has long been deprecated—at least over unencrypted networks—is that it is a cleartext protocol. Logging into a remote system using telnet means that your username and password were being sent in the clear, such that any man-in-the-middle could sniff your credentials. But, it turns out that the telnet protocol does have an encrypted mode (though it's not considered cryptographically strong), and it is that mode that is being exploited by the recent attacks. The bug itself is a fairly mundane buffer overflow that is triggered when an overlong encryption key is sent to the server. That key is sent before any authentication has occurred, which allows random attackers to target any vulnerable telnetd server. Even readers without much knowledge of C (or buffer overflows) will likely understand the basics of the patch that fixes the problem. There is also a fairly comprehensive exploit available for study. It can target multiple Linux and BSD installations, and contains shell code (i.e. code that will create a root shell when executed by telnetd because of the exploit) for i386 and SPARC architectures. While the bug itself has been around for quite some time, it is interesting—nearly amusing—to see that sites still have telnetd servers running. The updates imply that these hosts are both accessible by untrusted users (or no update would be needed) and are regularly accessed via telnet. There are few, if any, Linux distributions that enable telnetd by default, so administrators or device makers are knowingly enabling it. While sshd most certainly has had its share of bugs, and will likely have more down the road, one would guess that security researchers pay a lot more attention to sshd than they do to telnetd. Not so for attackers evidently. Part of the reason that telnetd may still be hanging around is that Windows doesn't ship an SSH client, but does ship telnet. That may encourage device makers to enable telnet so that Windows users can access the device without installing any software. In addition, there were several reports that Cisco and Juniper routers are often accessed via telnet in the comment thread on our posting of the FreeBSD message. Given that those devices often sit in strategic internet locations, and may well be running a telnetd descended from the vulnerable code, it could lead to some fairly serious consequences. One hopes that Cisco, Juniper, and others are paying attention. (Log in to post comments)
A hole in telnetd Posted Jan 5, 2012 3:02 UTC (Thu) by smoogen (subscriber, #97) [Link]
Most of the devices I have seen that run telnetd are things like powerstrips, printers, and serial consoles. They usually don't have a lot of CPU/random noise and so require keys to be uploaded somehow for SSL/SSH to work properly. If they use the same or related telnetd.. then the fixes are going to be a LOT harder to get out.
2012 the year of the powerstrip worm.
A hole in telnetd Posted Jan 5, 2012 16:28 UTC (Thu) by epa (subscriber, #39769) [Link]
ssh with a predictable host key is still better than telnet. Heck, even ssh without encryption (older versions supported a 'none' cipher) is better than telnet, though on any CPU made in the last 15 years encryption won't be much of a burden.
A hole in telnetd Posted Jan 5, 2012 9:01 UTC (Thu) by elanthis (guest, #6227) [Link]
For what it's worth, Windows 7 no longer ships a telnet client by default (or if it does, it's not in the system's PATH), so if Windows' default applications are in any way a culprit to telnet's popularity the issue will soon be resolved as Windows 7 (and potentially 8 soon) are rapidly gaining marketshare over XP.
A hole in telnetd Posted Jan 10, 2012 12:02 UTC (Tue) by sorpigal (subscriber, #36106) [Link]
It may not be available in the default install but it's still an optional 'Windows component' that can be installed from the control panel--and, I assure you, anyone who's been using telnet on XP will do this long before they download a third party ssh client from the internet. The problem won't be solved until MS ships a ssh client on the windows install disc.
A hole in telnetd Posted Jan 5, 2012 11:23 UTC (Thu) by paravoid (subscriber, #32869) [Link]
Juniper's operating system (JunOS), even though a FreeBSD derivative, runs netkit's telnet rather than inetutils, which is not vulnerable. That's the case with most embedded devices too (the other popular one being BusyBox's implementation).
No idea about which version Cisco runs but I'm rather confident that it's not vulnerable, seeing that the Internet still works...
A hole in telnetd Posted Jan 5, 2012 15:27 UTC (Thu) by joey (subscriber, #328) [Link]
There are valid reasons to run a public telnetd. telnet nethack.alt.org for example.
Fun graph:
http://qa.debian.org/popcon-graph.php?packages=telnetd+te...
Another good reason to run telnetd Posted Jan 8, 2012 2:48 UTC (Sun) by pr1268 (subscriber, #24648) [Link] > There are valid reasons to run a public telnetd. telnet nethack.alt.org for example. Also, telnet towel.blinkenlights.nl for some entertainment.
Another good reason to run telnetd Posted Jan 12, 2012 18:09 UTC (Thu) by nix (subscriber, #2304) [Link]
The question there is why anyone bothered to add IPv6 support to telnetd.
A hole in telnetd Posted Jan 11, 2012 15:11 UTC (Wed) by robbe (guest, #16131) [Link]
One could run a public sshd just as well. No one should snoop on me dungeon crawling.
Regarding the graph, plotting the relation between ssh and telnetd would be nice. I spot-checked the year 2007, which for some reason saw the doubling of the telnetd numbers. sshd installations increased by a much higher factor.
As root? Posted Jan 5, 2012 16:30 UTC (Thu) by epa (subscriber, #39769) [Link]
Why must telnetd run as root? Once it's listening for incoming connections, can't it drop privileges and then run login(1) to authenticate new sessions?
A hole in telnetd Posted Jan 5, 2012 19:21 UTC (Thu) by RobSeace (subscriber, #4435) [Link]
> routers are often accessed via telnet
While true, I would hope they all by default only listen on the internal network not the external one... If not, then that's a horrible problem in and of itself, regardless of buggy telnetd or not...
A hole in telnetd Posted Jan 12, 2012 7:58 UTC (Thu) by magfr (guest, #16052) [Link]
I have, as late as last year, returned a wifi router to the store since it ran telnetd on the external interface.
That was rather sad as it was a nice machine with crap managment software on top, and sadly a nonfree wifi driver in order to prevent kernel upgrades.
|
|||||||||||||