New Telnet hole affects some Unix-based servers

A security hole discovered in a Unix-based operating system can allow remote hackers to gain complete access to or crash the Web server. It is unclear if all Unix mainstream operating systems are affected.

According to an advisory issued earlier this week by FreeBSD.org, the vulnerability in the Telnetd program was shipped with all versions -- except the forthcoming 4.4 release -- of FreeBSD's open-source operating systems built on code developed by Berkeley Software Design Inc. Telnetd is the server for the telnet remote virtual terminal protocol.

Other Unix operating systems built on code from Berkeley Software Design, such as BSDI and NetBSD, are also affected.

According to FreeBSD, the Telnet daemon is enabled by default on all FreeBSD installations and is being actively exploited "in the wild." Telnet is an Internet protocol that allows users to log on to a computer terminal from a remote location.

The vulnerability was discovered by the security group TESO, according to the CERT Coordination Center at Pittsburgh-based Carnegie Mellon University's Software Engineering Institute. In an advisory on its Web site yesterday, CERT said Cisco Systems Inc.'s Internetworking Operating System doesn't appear to be vulnerable. CERT said it's unclear if Hewlett Packard's operating system is affected. In addition, CERT said Sun Microsystems Inc. is investigating and has confirmed that a hacker "can make the in.telnetd daemon dump core, but Sun has not yet determined if this issue can be exploited on Solaris."

Join the newsletter!

Error: Please check your email address.

More about Berkeley Software DesignCarnegie Mellon University AustraliaCERT AustraliaCiscoMellonSun Microsystems

Show Comments