By Dawn Kawamoto
Staff Writer, CNET News.com
February 13, 2007

Solaris 10 is at risk of a zero-day exploit, due to security bugs in its
telnet service, Sun Microsystems warned Tuesday.

The "highly critical" vulnerabilities could enable attackers to gain
unauthorized access to a user's system without requiring the user to
download exploit code, said Johannes Ullrich, chief research officer at
the SANS Institute, which also issued a security advisory.

Attackers could exploit the so-called zero-day vulnerabilities in
Solaris 10 and the beta version of Solaris 11 via the telnet service if
it is automatically enabled, the advisory said.

Telnet, which dates back to the early days of Unix, was one of the first
methods devised to allow system administrators to remotely monitor their
networks. The service will usually prompt people for their user name and
password. However, security flaws in the operating system could allow an
attacker to add additional parameters to connect to the remote telnet
server without a user name or password, Ullrich noted.

Once attackers have gained access, they could execute arbitrary commands
with the same privileges as the user.

"It's an ancient way to administer systems," Ullrich said. "There's no
good reason to enable telnet on Solaris... All the communication with
telnet is not encrypted. In recent years, other technologies have
replaced it, like (encrypted communications through a secure shell)

Last month, Sun issued an update to Solaris 10, which now has SSH
enabled by default, said Bob Wientzen, Solaris spokesman for Sun. He
added that the company is currently working on a fix for the telnet

Sun, in its security advisory, said the vulnerabilities are found in
Solaris 10, running on SPARC servers, as well as on x86 servers.

The SANS Institute and Sun said they were not aware of any reports of
systems exploited due to the security flaws in the telnet service.

If users must run Solaris with the telnet service enabled, Ullrich
recommends using a firewall to limit connections to a user's telnet
service. However, he said that while this workaround will prevent direct
access to the root account, other accounts on a user's system could
still be compromised.

Copyright 2007 CNET Networks, Inc. All rights reserved.