news
Security Issue Found in telnetd, Patches Put Forth Already
-
LWN ☛ GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.
If the client supply a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.
This happens because the telnetd server do not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to by-pass normal authentication.
Severity: High
Vulnerable versions: GNU InetUtils since version 1.9.3 up to and including version 2.7.
[...]
We chose to sanitize all variables for expansion. The following two patches are what we suggest: [...] -
LWN ☛ Remote authentication bypass in telnetd
One would assume that most LWN readers stopped running network-accessible
telnet services some number of decades ago. For the rest of you, this security advisory from
Simon Josefsson is worthy of note: [...]
The Register MS:
-
Ancient telnet bug happily hands out root to attackers
A recently disclosed critical vulnerability in the GNU InetUtils telnet daemon (telnetd) is "trivial" to exploit, experts say.
The bug, which had gone unnoticed for nearly 11 years, was disclosed on January 20 and is tracked as CVE-2026-24061 (9.8).
It was introduced in a May 2015 update, and if you're one of the few to still be running telnetd, patch up, because attacks are already underway.
GreyNoise data shows that in the past 24 hours, 15 unique IPs were trying to execute a remote authentication bypass attack by using the vulnerability.
The security advisory explains that the bug allows attackers to easily gain root access to a target system.