Thread-topic: US-CERT Technical Cyber Security Alert TA07-059A -- Sun Solaris Telnet Worm
> -----Original Message-----
> From: US-CERT Technical Alerts [mailto:technical-alerts@xxxxxxxxxxx]
> Sent: Thursday, March 01, 2007 3:27 AM
> To: technical-alerts@xxxxxxxxxxx
> Subject: US-CERT Technical Cyber Security Alert TA07-059A --
> Sun Solaris Telnet Worm
>
>
> National Cyber Alert System
>
> Technical Cyber Security Alert TA07-059A
>
>
> Sun Solaris Telnet Worm
>
> Original release date: February 28, 2007
> Last revised: --
> Source: US-CERT
>
>
> Systems Affected
>
> * Sun Solaris 10 (SunOS 5.10)
> * Sun "Nevada" (SunOS 5.11)
>
> Both SPARC and Intel (x86) architectures are affected.
>
>
> Overview
>
> A worm is exploiting a vulnerability (VU#881872) in the Sun Solaris
> telnet daemon (in.telnetd).
>
>
> I. Description
>
> A worm is exploiting a vulnerability in the telnet daemon
> (in.telnetd) on unpatched Sun Solaris systems. The vulnerability
> allows the worm (or any attacker) to log in via telnet (23/tcp)
> with elevated privileges. Further details about the vulnerability
> are available in Vulnerability Note VU#881872 (CVE-2007-0882).
>
> Because VU#881872 is trivial to exploit and sufficient technical
> detail is publicly available, any attacker, not just this worm,
> could exploit vulnerable systems.
>
> Characteristics of the worm include, but are not limited to:
>
> * Exploiting VU#881872 to log in via telnet as the users
> adm or lp
> * Changing permissions on /var/adm/wtmpx to -rw-r--rw-
> * Creating the directory .adm in /var/adm/sa/
> * Adding .profile files to /var/adm/ and /var/spool/lp/
> * Installing an authenticated backdoor shell on port 32982/tcp
> * Modifying crontab entries for the users adm and lp
> * Scanning for other hosts running telnet (23/tcp)
>
> Sun has published information about the worm in the Security Sun
> Alert Feed including an inoculation script that disables the telnet
> daemon and reverses known changes made by the worm.
>
>
> II. Impact
>
> VU#881872 allows a remote attacker to log on to a vulnerable system
> via telnet and gain elevated privileges. The worm exploits this
> vulnerability to compromise systems as described above. Since the
> worm installs a backdoor shell, it is possible for an attacker with
> knowledge of the authentication tokens to access a compromised
> system and take any action with the privileges of the backdoor
> shell process, likely adm or lp.
>
>
> III. Solution
>
> Apply a patch
>
> To address VU#881872, apply the appropriate patches referenced in
> Sun Alert Notification 102802.
>
> Run inoculation script
>
> To recover compromised systems, Sun has provided an inoculation script
> that disables the telnet daemon and reverses known changes made by the
> worm.
>
> Note that the inoculation script only recovers from this particular
> worm. Running the inoculation script does not guarantee system
> integrity. A vulnerable system may be compromised in different ways
> by attackers exploiting VU#881872 or using the backdoor installed
> by the worm. To fully recover, it may be necessary to rebuild a
> compromised system using trusted software sources. For more
> information, see Recovering from an Incident.
>
>
> IV. Workarounds
>
> Until the appropriate patches can be applied, consider the
> following workarounds.
>
> Disable telnet
>
> Telnet can be disabled by issuing the following command as root:
>
> # /usr/sbin/svcadm disable telnet
>
> Restrict telnet access
>
> Restrict access to telnet (23/tcp) from untrusted networks such as
> the Internet.
>
> Use SSH instead of telnet
>
> SSH provides a comparatively more secure method for remotely
> logging into a system than telnet. As general advice, we recommend
> using SSH rather than telnet.
>
>
> V. References
>
> * US-CERT Vulnerability Note VU#881872 -
> <http://www.kb.cert.org/vuls/id/881872>
>
> * Recovering from an Incident -
> <http://www.cert.org/nav/recovering.html>
>
> * Sun Alert Notification 102802 -
> <http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1>
>
> * Solaris in.telnetd worm seen in the wild + inoculation script -
> <http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen>
>
> * inoculate.local -
> <http://blogs.sun.com/security/resource/inoculate.local>
>
> * CVE-2007-0882 -
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882>
>
>
> ____________________________________________________________________
>
> The most recent version of this document can be found at:
>
> <http://www.us-cert.gov/cas/techalerts/TA07-059A.html>
> ____________________________________________________________________
>
> Feedback can be directed to US-CERT Technical Staff. Please send
> email to <cert@xxxxxxxx> with "TA07-059A Feedback VU#881872" in the
> subject.
> ____________________________________________________________________
>
> For instructions on subscribing to or unsubscribing from this
> mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
> ____________________________________________________________________
>
> Produced 2007 by US-CERT, a government organization.
>
> Terms of use:
>
> <http://www.us-cert.gov/legal.html>
> ____________________________________________________________________
>
>
> Revision History
>
> February 28, 2007: Initial release
>
>
>