Sun have released an interim fix here for the Telnet vulnerability that was made public earlier in the week, Sun have also acknowledged the vulnerability here in Sun Alert 102802. You can also see here the a fix for the issue that has been added to the OpenSolaris CVS, in the OpenSolaris source it is pretty easy to spot the cause of the problem.

If you run Solaris and haven’t already, take a bit of time and check your systems out for signs of possible exploitation. Don’t forget to check out everything, you may have the odd third part appliance out there that is running Solaris.

Remember if Telnet is not required for business operation, turn it off. If it is required then drop in some ACLs to limit access to known hosts and install the Interim patch if you can. There is also a Bleeding Edge Snort signature out to detect attempts to use the vulnerabillity submitted by Chris Bryd.

# Submitted 2007-02-12 by Chris Byrd
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:”BLEEDING-EDGE EXPLOIT Solaris telnet USER environment vuln”; flow:to_server,established; content: “|ff fa 27 00 00 55 53 45 52 01 2d 66|”; rawbytes; classtype:attempted-user; reference:url,riosec.com/solaris-telnet-0-day; sid:2003411; rev:1;)

The discussion rages on Full Disclosure about the vulnerability and has made it into the blogs of a couple of Sun Staff, here and here.

Add this page to your favorite Social Bookmarking websites