February 13, 2007 9:21 AM PST

Sun's Solaris 10 at risk of zero-day exploit

Solaris 10 is at risk of a zero-day exploit, due to security bugs in its telnet service, Sun Microsystems warned Tuesday.

The "highly critical" vulnerabilities could enable attackers to gain unauthorized access to a user's system without requiring the user to download exploit code, said Johannes Ullrich, chief research officer at the SANS Institute, which also issued a security advisory.

Attackers could exploit the so-called zero-day vulnerabilities in Solaris 10 and the beta version of Solaris 11 via the telnet service if it is automatically enabled, the advisory said.

Telnet, which dates back to the early days of Unix, was one of the first methods devised to allow system administrators to remotely monitor their networks. The service will usually prompt people for their user name and password. However, security flaws in the operating system could allow an attacker to add additional parameters to connect to the remote telnet server without a user name or password, Ullrich noted.

Once attackers have gained access, they could execute arbitrary commands with the same privileges as the user.

"It's an ancient way to administer systems," Ullrich said. "There's no good reason to enable telnet on Solaris...All the communication with telnet is not encrypted. In recent years, other technologies have replaced it, like (encrypted communications through a secure shell) SSH."

Last month, Sun issued an update to Solaris 10, which now has SSH enabled by default, said Bob Wientzen, Solaris spokesman for Sun. He added that the company is currently working on a fix for the telnet vulnerabilities.

Sun, in its security advisory, said the vulnerabilities are found in Solaris 10 running on SPARC servers as well as on x86 servers.

The SANS Institute and Sun said they were not aware of any reports of systems exploited due to the security flaws in the telnet service.

If users must run Solaris with the telnet service enabled, Ullrich recommends using a firewall to limit connections to a user's telnet service. However, he said that while this workaround will prevent direct access to the root account, other accounts on a user's system could still be compromised.

8 comments

how interesting...
An exploit is found in Solaris and nobody makes a post about how
c|net is biased against Sun and always points out their flaws!?

If this was a Windows exploit, this board would be lit up by people
pointing out Microsoft's foibles and Microsoft supporters
complaining about c|net.

Note this story when an article about a Vista exploit comes out.
Posted by jelloburn (252 comments )
Let's be honest here....
Of course no one jumps up. How many Solaris exploits have been found vs. the exploits discovered on Microsoft products on a daily basis? Has nothing to do with supporting one company over the other. But, it has everything to do with the fact that MS makes marginal products that are rife with holes. And before you go on about me being an anti this or that, know that I am an XP/Microsoft user and have been for years. Lastly, how long was it before Sun had a fix for this exploit? A day? Let's see Microsoft try that. Oh yeah, they had bug fixes and patches for the LAUNCH day of Vista....
Posted by ProfessorFry (5 comments )
<gasp> Security holes can exist in non-MS systems?!
Going from some of the zealotry that's posted on many Internet forums one might be amazed that, yes in fact, operating systems from companies OTHER than Microsoft can and DO have security holes. Yup, even such OSes as Solaris and OS X can have 'em.

That being said, anyone using Telnet in this day and age has got to have rocks in their head, it's HUGELY insecure by design! This is a fully unencrypted protocol, even for username and password. No matter how good your server-side protection is it is only a simple matter of network-sniffing somewhere along the chain and you've got full access to a user account. This is a very well known limitation of Telnet (whether it be for Solaris, Windows, Linux or OS X, all of which have built-in Telnet servers, all disabled by default) and it's the reason why everyone with a clue uses SSH instead.
Posted by Hoser McMoose (182 comments )
Some actual facts about the issue
Val corrects some misconceptions in the story at http://blogs.sun.com/bubbva/entry/telnet_vulnerability_fud_is_making and I give the outline of what happened to get first interim relief and then final patches out for the problem at http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit

Alan.
Posted by tpenta (4 comments )
Telnet what the heck is that?
I heard my grandpa speak of this protocol when I was a little boy.
Posted by johnnysecure (1 comment )