'Worm' targets Sun Solaris Telnet flaw

Security researchers have found evidence that a worm is trying to exploit the recently patched Telnet flaw in Sun Solaris. Experts say it's another reason to stay away from Telnet.

It isn't expected to become a monster like Windows-based malware of the past, but security experts say an apparent worm exploiting a recently patched Sun Solaris flaw serves as another reminder to disable Telnet.

Sun Microsystems Inc. patched a design flaw in the Telnet daemon of its Solaris 10 and 11 operating systems two weeks ago that attackers could exploit for unauthenticated remote root logins.

Tuesday, researchers at Lexington, Mass.-based Arbor Networks Inc. began to detect hosts scanning for Telnet servers.

"A team member found what appears to be a Sun Solaris Telnet worm," Jose Nazario, senior security engineer for Arbor Networks, wrote in the company's blog. "While this may seem like a throwback to days gone by, and maybe someone is starting from scratch in their exploit activity, this is related to [the] recent Solaris bug."

The worm attempts to log in to targeted systems as the users "lp" or "adm" and "execute a bunch of shell commands to set up shop and keep on truckin'," he said. "[It's] very old school."

But, he added, so is Telnet.

"If you haven't patched yet, you should," he said. "Better yet, just disable Telnet. It's 2007, after all."

Joel Esler, a volunteer handler at the Bethesda, Md.-based SANS Internet Storm Center (ISC), wrote on the organization's Web site that an IP address range in France appeared to be scanning for port 23.

"We checked our data here at the Storm Center and it appears we have similar traffic from the same net ranges," Esler said. This, he added, would appear to back up Arbor Networks' conclusion that a Solaris worm is making the rounds.
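The kind of check Arbor Networks and the ISC describe, a source sweeping many hosts on TCP port 23, can be reproduced from flow records. The following is an added example, not code from Arbor, the ISC or the article; the flow lines, the `src=`/`dst=`/`dport=` record format, the addresses and the threshold of four distinct targets are all constructed for illustration. The second function aggregates by /24 so that a whole "net range" of scanners, as Esler described, surfaces even when each individual address probes only a few hosts.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not real data). 192.0.2.10 sweeps several
# hosts on TCP/23, a neighbour in the same /24 probes one more, and
# 198.51.100.4 makes a single Telnet connection plus an unrelated HTTP one.
SAMPLE_FLOWS = """\
2007-02-27T10:00:01 src=192.0.2.10 dst=203.0.113.5 dport=23 proto=tcp
2007-02-27T10:00:01 src=192.0.2.10 dst=203.0.113.6 dport=23 proto=tcp
2007-02-27T10:00:02 src=192.0.2.10 dst=203.0.113.7 dport=23 proto=tcp
2007-02-27T10:00:02 src=192.0.2.10 dst=203.0.113.8 dport=23 proto=tcp
2007-02-27T10:00:03 src=192.0.2.10 dst=203.0.113.9 dport=23 proto=tcp
2007-02-27T10:00:03 src=192.0.2.11 dst=203.0.113.9 dport=23 proto=tcp
2007-02-27T10:00:04 src=198.51.100.4 dst=203.0.113.20 dport=23 proto=tcp
2007-02-27T10:00:04 src=198.51.100.4 dst=203.0.113.21 dport=80 proto=tcp
"""

# Hypothetical record layout assumed for this example.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

TELNET_PORT = 23


def parse_flows(text):
    """Return (src, dst, dport) tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            records.append((m.group(1), m.group(2), int(m.group(3))))
    return records


def slash24(ip):
    """Collapse a dotted-quad IPv4 address to its /24 network."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def find_telnet_scanners(records, min_targets=4):
    """Map each source that touched >= min_targets distinct hosts on port 23
    to the number of hosts it touched."""
    targets = defaultdict(set)
    for src, dst, dport in records:
        if dport == TELNET_PORT:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def scanning_net_ranges(records, min_targets=4):
    """Same check, but keyed on the source /24 so a range of hosts sharing
    the work of a sweep is still caught."""
    targets = defaultdict(set)
    for src, dst, dport in records:
        if dport == TELNET_PORT:
            targets[slash24(src)].add(dst)
    return {net: len(d) for net, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scanning hosts:", find_telnet_scanners(flows))
    print("scanning ranges:", scanning_net_ranges(flows))
```

On the sample data only 192.0.2.10 (five targets) and its /24 cross the threshold; the single legitimate connection from 198.51.100.4 does not. In practice the threshold and window are tuned to the site's own baseline of Telnet use, which for an Internet-facing network should be zero.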

For many security experts, the flaw and subsequent exploit serve as a stark reminder that Telnet is easy pickings for the bad guys and should not be used anymore.

The protocol allows virtual network terminals to be connected over the Internet and is incorporated into a variety of popular operating systems, from Sun Solaris and Red Hat Inc.'s Enterprise Linux to Apple Computer Corp.'s Mac OS X. It has long been considered a security risk because user names, passwords and all subsequent commands are transmitted as easily exploitable plaintext.
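A passive network sensor can confirm the plaintext problem directly: once the Telnet option negotiation (the IAC sequences) is stripped from a captured server-to-client stream, the login and password prompts are readable as they crossed the wire, and so is everything the client typed in reply. The following is an added example, not code from the article or from any vendor; the captured byte string and its banner are constructed, and `cleartext_login_observed` is a hypothetical sensor check that flags a Telnet authentication exchange so the host can be found and the service disabled.

```python
# Telnet protocol constants (RFC 854).
IAC, SB, SE = 255, 250, 240
NEGOTIATE = {251, 252, 253, 254}  # WILL, WONT, DO, DONT: one option byte follows

# Constructed server-to-client capture: some option negotiation, a terminal-type
# subnegotiation, then the banner and prompts exactly as the client would see them.
SAMPLE_SERVER_STREAM = (
    bytes([IAC, 253, 24, IAC, 253, 32, IAC, 251, 1, IAC, 251, 3])
    + bytes([IAC, SB, 24, 1, IAC, SE])
    + b"Example host (constructed banner)\r\n\r\nlogin: "
    + b"adm\r\n"          # server echo of the typed user name
    + b"Password: "
)


def strip_telnet_negotiation(stream: bytes) -> bytes:
    """Remove IAC command sequences and return the application data only."""
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                     # capture truncated inside an IAC sequence
        cmd = stream[i + 1]
        if cmd == IAC:                # escaped 0xff data byte
            out.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:        # IAC <cmd> <option>
            i += 3
        elif cmd == SB:               # IAC SB ... IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                         # two-byte commands such as NOP, GA, AYT
            i += 2
    return bytes(out)


def cleartext_login_observed(server_stream: bytes) -> bool:
    """Sensor check: True when a Telnet login/password exchange is visible
    in clear on the wire (hypothetical detection rule)."""
    text = strip_telnet_negotiation(server_stream).decode("ascii", "replace")
    return "login:" in text and "Password:" in text


if __name__ == "__main__":
    print(strip_telnet_negotiation(SAMPLE_SERVER_STREAM).decode("ascii", "replace"))
    print("cleartext authentication observed:", cleartext_login_observed(SAMPLE_SERVER_STREAM))
```

The decoder is the same operation a protocol analyser performs when it reconstructs a Telnet conversation; the client-to-server half of the stream, which carries the password itself, decodes the same way. That is the whole argument against Telnet: nothing in the protocol hides the credentials, so the only fix is to stop offering the service.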

"In my opinion nobody should be running Telnet open to the Internet," Donald Smith, another volunteer handler at the ISC, said when the Solaris flaw was discovered two weeks ago. He noted that since 1994, the CERT Software Engineering Institute at Pennsylvania's Carnegie Mellon University has recommended using something other than plain text authentication, due to potential network-monitoring attacks.
