But for several security bloggers, the flaw served as a stark reminder that Telnet is easy pickings for the bad guys and should not be used anymore.
Several security organizations issued urgent warnings about the Solaris flaw Monday, describing it as a serious design error in the operating system's Telnet daemon that allows for unauthenticated remote root logins.
"This vulnerability can be exploited by using standard Telnet commands, further increasing the severity of this exposure," Cupertino, Calif.-based antivirus giant Symantec Corp. warned in an emailed message to customers of its DeepSight threat management service. "An exploit for this issue was released without an associated advisory and therefore it is believed that it has been exploited in the wild prior to the release."
The French Security Incident Response Team (FrSIRT) has rated the problem high-risk, describing it as an error in the Telnet daemon (in.telnetd), which fails to properly validate authentication information before passing it to the login process.
To industry experts, the very mention of Telnet raises alarm bells.
The protocol allows virtual network terminals to be connected over the Internet and is incorporated into a variety of popular operating systems, from Sun Solaris and Red Hat Enterprise Linux to Apple's Mac OS X. It has long been considered a security risk because user names, passwords and all subsequent commands are transmitted as easily exploitable plaintext.
"In my opinion nobody should be running Telnet open to the Internet," Donald Smith, a volunteer handler at the Bethesda, Md.-based SANS Internet Storm Center (ISC), wrote on the ISC Web site. He noted that since 1994, the CERT Software Engineering Institute at Carnegie Mellon University has recommended using something other than plain text authentication due to potential network monitoring attacks.
It didn't take long to find people in the blogosphere who wholeheartedly agree with him.
Corey Nachreiner, network security analyst for WatchGuard's LiveSecurity Service, wrote in the WatchGuard blog that nobody should use Telnet anymore, especially since SSH (Secure Shell), its "much smarter and more secure cousin," has been around for ages.
"It's easy to use and widely available on many platforms," he wrote. "It lets you do everything Telnet does, with the added benefit of hiding your sessions from prying eyes. I just don't see any reason you'd want to use Telnet, still."
He noted that the Solaris flaw is trivial to exploit. "If you allow outside users to access your Solaris Telnet server, an unauthenticated remote hacker merely has to send it a specially crafted string and blammo -- he's got root," he wrote. "This really is a horrible flaw for those it affects."
Andy Davidson, a UK-based Linux systems expert, wrote in his My Web 0.2 Website blog that he always considered Telnet good at least as a back-up during SSH upgrades. But the Solaris flaw has given him second thoughts.
"My mantra has always been 'Telnet is only dangerous if you use it,'" he wrote. "Leaving it enabled as an emergency way in during SSH upgrades, for example, is a good idea. All this changed at the weekend with the disclosure of" the Solaris flaw.
Tyler Reguly, security research engineer for nCircle Network Security Inc., wrote in the nCircle blog that the Solaris flaw looked a lot like an old AIX/Linux RLogin vulnerability from 1994 and that it shouldn't be a big deal, since most people know not to use Telnet.
"I hope most people have moved to a more secure [form of] communication such as SSH," he wrote.
Whatever people think of Telnet, Alan Hargreaves, a member of the OpenSolaris project sponsored by Sun, noted in his Alan Hargreaves Weblog that Sun and members of the project deserve credit for fixing the Solaris problem in record time.
"For Sun to respond to and address a vulnerability like this in around 24 hours would have been completely unheard of even two to three years ago," he wrote.