A vulnerability has been found in the telnetd server from the GNU InetUtils suite. It allows connecting as any user, including root, without password verification. A CVE identifier has not yet been assigned. The vulnerability has been present since InetUtils version 1.9.3 (2015) and remains unfixed in the current 2.7.0 release. A fix is available as patches (1, 2).
The problem arises because, to check the password, the telnetd process calls the "/usr/bin/login" utility, passing as an argument the user name specified by the client when connecting to the server. The "login" utility supports the "-f" option, which allows logging in without authentication (the option is intended for cases where the user has already been authenticated). Thus, by placing the "-f" option in the user name, you can connect without password verification.
With a normal connection you cannot use a user name such as "-f root", but Telnet has an automatic login mode that is enabled with the "-a" option. In this mode the user name is not taken from the command line but is passed through the USER environment variable. When the login utility is called, the value of this environment variable is substituted without additional checks and without escaping special characters. Thus, to connect as the root user, it is enough to set the USER environment variable to "-f root" and connect to the Telnet server using the "-a" option:

    $ USER='-f root' telnet -a server_name
The change that introduced the problem was added to the telnetd code in March 2015 and fixed an issue that prevented the user name from being obtained in autologin mode without Kerberos authentication. As a solution, support for passing the user name in autologin mode through an environment variable was added, but the check validating the user name taken from the environment variable was forgotten.
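The kind of check that was left out can be sketched as follows. This is an added example, not the InetUtils patch or any code from the project: the function names, the 32-character limit and the allowed character set are assumptions, as is the use of "--" to end option parsing in login.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy: 1..32 chars from [A-Za-z0-9_.-], never starting with '-'. */
int username_is_safe(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 32)
        return 0;
    if (name[0] == '-')          /* login would parse it as an option */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;            /* rejects spaces, quotes, shell metacharacters */
    }
    return 1;
}

/* Builds an argv for login with the name as one operand after "--".
   Returns argc, or -1 when the name is rejected or argv is too small. */
int build_login_argv(const char *name, const char *argv[], size_t cap)
{
    if (cap < 4 || !username_is_safe(name))
        return -1;
    argv[0] = "/usr/bin/login";
    argv[1] = "--";              /* assumption: login uses getopt-style parsing */
    argv[2] = name;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample values for the USER variable. */
    const char *samples[] = { "alice", "-f root", "-froot", "bob smith", "" };
    const char *argv[4];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i][0] ? samples[i] : "(empty)",
               build_login_argv(samples[i], argv, 4) == 3 ? "accepted" : "rejected");
    return 0;
}
```

Passing the name as a single argv element, rather than expanding it into a command string that is split on whitespace, keeps a value containing a space from turning into several arguments.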
Source: opennet.ru
