US-CERT is aware of public reports of a worm that is actively exploiting a known vulnerability in the Sun Solaris telnet daemon (in.telnetd). The worm targets Solaris 10 (SunOS 5.10) systems that are not patched to address this vulnerability and have enabled the telnet daemon. When the worm discovers a vulnerable host, it attempts to log into the host using the lp or adm account to invoke one or more of the following malicious actions:
- Modifies the /var/adm and /var/spool/lp directories
- Installs and runs a server on port 32982
- Schedules a crontab entry to run at 1:00 A.M.
- Scans for other vulnerable hosts
More information about this vulnerability is available in the following references:
- Vulnerability Note VU#881872 - Sun Solaris telnet authentication bypass vulnerability
- Sun Alert 102802 - Security Vulnerability in the in.telnetd (1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host
US-CERT recommends the following actions to help mitigate the security risks:
- Apply the latest patches, as specified in Sun Alert 102802, to address this vulnerability.
- Run the Sun inoculation script if your host is infected.
- Disable the Telnet daemon if you cannot apply the patch at this time.
- Restrict access to port 23/tcp to trusted hosts only.
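As an added example (not code from US-CERT or Sun), the following POSIX shell script turns the indicators and mitigations above into an offline check: it looks for the 1:00 A.M. crontab job, the listener on port 32982 and an enabled telnet daemon in command output passed in as text, and only disables the telnet service when it is actually running on a Solaris host with SMF. The sample crontab and netstat output is constructed, the worm script path is a placeholder, and the SMF service name svc:/network/telnet:default is the standard Solaris 10 telnet instance.

```shell
#!/bin/sh
# Added example, not code from US-CERT or Sun. It checks the indicators the
# advisory lists against command output supplied as text, so it runs offline
# on the constructed samples below. On a Solaris 10 host, feed it the live
# output of:
#   crontab -l lp ; crontab -l adm
#   netstat -an -f inet
#   svcs -H -o state svc:/network/telnet:default

# --- Constructed sample output (not captured from a real infected host) ---
# crontab format: minute hour day-of-month month day-of-week command
SAMPLE_CRONTAB='13 3 * * 0 /usr/lib/lp/PLACEHOLDER_BENIGN_WEEKLY_JOB
0 1 * * * /var/spool/lp/PLACEHOLDER_WORM_SCRIPT'
CLEAN_CRONTAB='13 3 * * 0 /usr/lib/lp/PLACEHOLDER_BENIGN_WEEKLY_JOB'
# Solaris netstat prints the local address as host.port, e.g. *.32982
SAMPLE_NETSTAT='      *.22                 *.*                0      0 49152      0 LISTEN
      *.32982              *.*                0      0 49152      0 LISTEN'
CLEAN_NETSTAT='      *.22                 *.*                0      0 49152      0 LISTEN'
WORM_PORT=32982          # server port named in the advisory
TELNET_SVC='svc:/network/telnet:default'

# Exit 0 if any crontab line is scheduled at minute 0, hour 1 (01:00),
# the time of the job the worm installs for the lp or adm account.
cron_has_1am_job() {
    printf '%s\n' "$1" |
        awk '$1 == "0" && $2 == "1" { found = 1 } END { exit !found }'
}

# Exit 0 if netstat output shows a TCP listener bound to the given port.
listener_on_port() {
    printf '%s\n' "$1" |
        awk -v port="$2" '$NF == "LISTEN" && $1 ~ ("\\." port "$") { found = 1 }
                          END { exit !found }'
}

# Exit 0 if the svcs state string says the telnet instance is online.
telnet_enabled() {
    [ "$1" = "online" ]
}

# Print how many of the three indicators (0-3) are present in the inputs.
count_indicators() {
    n=0
    cron_has_1am_job "$1" && n=$((n + 1))
    listener_on_port "$2" "$WORM_PORT" && n=$((n + 1))
    telnet_enabled "$3" && n=$((n + 1))
    echo "$n"
}

# Containment step from the advisory: disable the telnet daemon until the
# patch from Sun Alert 102802 is applied. Acts only where SMF's svcadm
# exists; elsewhere it just prints the command it would run.
disable_telnet() {
    if command -v svcadm >/dev/null 2>&1; then
        svcadm disable -s "$TELNET_SVC"
    else
        echo "would run: svcadm disable -s $TELNET_SVC"
    fi
}

# Report on the constructed samples (an infected-looking host with telnet on).
echo "indicators present in sample: $(count_indicators "$SAMPLE_CRONTAB" "$SAMPLE_NETSTAT" online)"
```

On a live host, replace the sample variables with `"$(crontab -l lp)"`, `"$(netstat -an -f inet)"` and `"$(svcs -H -o state svc:/network/telnet:default)"`; a non-zero count is a reason to run the Sun inoculation script and to restrict port 23/tcp to trusted hosts until the patch is in place.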
For more in-depth information about this Telnet worm, check the Arbor Networks Blog.