news, 2026-01-22
Security Issue Found in telnetd, Patches Put Forth Already
GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.
If the client supplies a carefully crafted USER environment value, namely the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment variable to the server, the client will be automatically logged in as root, bypassing the normal authentication process.
This happens because the telnetd server does not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to bypass normal authentication.
Severity: High
Vulnerable versions: GNU InetUtils since version 1.9.3 up to and including version 2.7.
We chose to sanitize all variables for expansion. The following two patches are what we suggest: [...]
Remote authentication bypass in telnetd
One would assume that most LWN readers stopped running network-accessible telnet services some number of decades ago. For the rest of you, this security advisory from Simon Josefsson is worthy of note: [...]
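The root cause described in the advisory is that a client-controlled string reaches login(1) as a positional argument without any check, so a value beginning with "-" is parsed as an option. The following C code is an added illustration of the mitigation the advisory describes (validating the value before it is expanded into the argument list); it is not the InetUtils patch itself. The argument layout `login -p -h <host> <user>` and the accepted character set are assumptions made for this example, as is the `login_user_is_safe` helper name.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Longest login name this example accepts; a constructed limit, not a system value. */
#define MAX_USER_LEN 32

/*
 * Return 1 if `user` may be handed to login(1) as a positional argument,
 * 0 otherwise. A safe value is non-empty, does not begin with '-' (so it can
 * never be parsed as an option such as -f), and consists only of characters
 * normally found in account names.
 */
int login_user_is_safe(const char *user)
{
    if (user == NULL)
        return 0;
    size_t len = strlen(user);
    if (len == 0 || len > MAX_USER_LEN)
        return 0;
    if (user[0] == '-')          /* rejects "-f root" and any other option-like value */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;            /* spaces, ';', '/', etc. are not allowed */
    }
    return 1;
}

/*
 * Fill `argv` for exec'ing login(1) (assumed layout: login -p -h <host> [<user>]).
 * Returns the number of entries written, excluding the terminating NULL, or -1 if
 * the client-supplied USER value fails validation; a caller should then exec
 * login(1) without a user argument so that it prompts interactively instead of
 * trusting the client's value.
 */
int build_login_argv(const char *login_path, const char *host, const char *user,
                     char *argv[], size_t argv_cap)
{
    if (argv_cap < 6)            /* path, -p, -h, host, user, NULL */
        return -1;
    int n = 0;
    argv[n++] = (char *)login_path;
    argv[n++] = "-p";
    argv[n++] = "-h";
    argv[n++] = (char *)host;
    if (user != NULL) {
        if (!login_user_is_safe(user))
            return -1;           /* never forward an unvalidated USER to login(1) */
        argv[n++] = (char *)user;
    }
    argv[n] = NULL;
    return n;
}
```

The check is deliberately an allow-list rather than a block-list: rejecting only a leading "-" would leave every other option-parsing quirk of the downstream program to chance, whereas restricting the value to account-name characters makes the forwarded argument inert regardless of which login(1) implementation runs behind telnetd.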