Vulnerability in Sun Solaris Telnet Daemon

Authentication bypass vulnerability in the Sun Solaris telnet daemon (in.telnetd) has been discovered. The Sun Solaris telnet daemon does not properly parse the USER Environment variable before passing it to the login process.

By supplying a specially crafted USER Environment variable over telnet, a remote attacker may be able to bypass authentication to gain access to the system with elevated privileges. We have come to know about public exploit code are available/ posted on some sites.

NOTE : An attacker must have knowledge of a user account other than root to exploit this vulnerability successfully. Additionally, in default Solaris configurations, this vulnerability cannot be used to gain root level access.

We recommend
– Disable Telnet daemon.
– Restrict access to port 23/tcp to trusted hosts only.

More infomation on VU#881872