Sun rushes out patch for Solaris Telnet exploit

Sun rushes out patch for Solaris Telnet exploit

Summary: The fix comes just days after a hacker known as "Kingcope" went public with details of the vulnerability, which allows a remote attacker to bypass the Sun Solaris telnet daemon's authentication mechanisms.

TOPICS: Oracle
Sun Microsystems has rushed out patches to fix a code execution hole in the Solaris 10/11 telnet daemon (in.telnetd).

The company's fix comes just days after a hacker known as "Kingcope" went public with details of the vulnerability, which allows a remote attacker to bypass the Sun Solaris telnet daemon's authentication mechanisms. It only affects systems which have the telnet(1) service enabled.

The patches can be downloaded here.

"[This] was an almighty cock up and should not have happened," said Alan Hargreaves, a staff engineer in Sun's systems technical support center.

In a blog entry that provides an excellent snapshot of the security patch-creation process at Sun, Hargreaves explained how the company reacted to the issue, which was publicly released without advance warning to the vendor.

"The upside to the posted exploit was the fact that because the code was available, the poster included an analysis of what was going wrong, pointing at the code that was broken. This almost certainly saved us some time in troubleshooting the issue. For this part of the post, you have my thanks. I would certainly be interested if the person who posted the exploit could tell us how he found the problem; for no other reason, than I'm simply interested."

Although patches have been shipped, security experts have one simple message to Solaris users: Turn off telnet and leave it off.

Telnet can be disabled by issuing the following command: # svcadm disable telnet

Topic: Oracle

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • In the future...

    Sun should disable the telnet server (and most other servers) by default. There are reasons why one might want a working telnet server, but those that do can enable it themselves and take full responsibility for any intercepted data resulting therefrom.

    Same goes for all other UNIX/Linux vendors (Sun's just the one in the news).
    John L. Ries
  • Good job on Sun

    Good job on Sun for being on the ball so fast. Now if only people would only apply the patch as quickly or better yet, turn the bloody daemon off.

    Sun would get more points with me if they actually put a patch out that simply deleted the Telnet daemon. At the very least they patch the thing and warn people to disable it.
  • It IS disabled by default since S10U2

    There is no need to disable telnet by default in future Solaris releases. The "console=/dev/console" in /etc/default/login is uncommented since Solaris 10 Update 2, making it only possible to login directly as root on the system serial console, and making it impossible to directly attempt to login as root remotely.
    • you missed the point

      This is not only a root vulnerability.

      The CONSOLE thing will only block the root exploit. If you [b]only[/b] do that, you are still vulnerable for the bug to be used to gain access as other valid users, which could be equally damaging depending on your environment.

      That option was only offered in the Sun Alert in the name of putting all the options on the table and allowing the SA to make the appropriate risk management decision. You will note that it was accompanied by the explanation that this would not stop it being exploited to gain access to other accounts. The first option offered was to disable the service.

      Also, I corrected my comment about since s10u2; on checking, every currently supported Solaris shipped with the CONSOLE entry uncommented.

      One other thing, one of the other posters here mentioned about telnet being disabled by default in recent Solaris 10 updates. That is only true for a new install. If it's enabled and up upgrade, it will remain enabled after the upgrade.

  • formal patch can be downloaded at sunsolve

    Formal patches have been release on sunsolve,
    120068-02 for SPARC
    120069-02 for x86
    and they can be downloaded from
    Thus the T-patch (ISR) is probably no longer posted there any more.