A vulnerability has been found in the telnetd server from the GNU InetUtils suite. It allows a client to connect as any user, including root, without password verification. A CVE identifier has not yet been assigned. The vulnerability has been present since InetUtils version 1.9.3 (2015) and is not fixed in the current 2.7.0 release. A fix is available in the form of patches (1, 2).
The problem arises because, to check the password, the telnetd process calls the "/usr/bin/login" utility and passes it, as an argument, the username specified by the client when connecting to the server. The "login" utility supports the "-f" option, which allows logging in without authentication (this option is intended for cases where the user has already been authenticated). Therefore, by supplying the "-f" option in place of the username, it is possible to connect without password verification.
With a normal connection, a username such as "-f root" cannot be used, but Telnet has an automatic login mode that is activated by the "-a" option. In this mode the username is not taken from the command line but is passed in the USER environment variable. When the login utility is invoked, the value of this environment variable is substituted without any additional checks and without escaping special characters. Therefore, to connect as the root user, it is enough to set the USER environment variable to "-f root" and connect to the Telnet server using the "-a" option:

$ USER='-f root' telnet -a server_name
The change that introduced the vulnerability was added to the telnetd code in March 2015 and addressed an issue that prevented the username from being set in autologin mode without Kerberos authentication. As a solution, support for passing the username in autologin mode through an environment variable was added, but the check that validates the username in the environment variable was forgotten.
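The kind of check described as missing can be sketched as follows. This is an added example, not the InetUtils patch or any code from the project: the function names, the 32-character limit, and the assumption that the target login honors "--" as an end-of-options marker are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LOGIN_NAME 32  /* assumed limit for this example */

/* Return 1 if name is safe to hand to login(1) as a user name:
   POSIX portable characters only, no leading '-', bounded length. */
int is_safe_login_name(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789._-";
    size_t len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_LOGIN_NAME)
        return 0;
    if (name[0] == '-')            /* would be parsed as an option */
        return 0;
    /* Rejects spaces, quotes, control bytes and everything else. */
    return strspn(name, allowed) == len;
}

/* Fill argv for login; the client name is one element, never re-split.
   Returns the argument count, or -1 if the name is rejected. */
int build_login_argv(const char *client_user, const char *argv[], size_t cap)
{
    if (cap < 4 || !is_safe_login_name(client_user))
        return -1;
    argv[0] = "/usr/bin/login";
    argv[1] = "--";                /* assumption: login stops option parsing here */
    argv[2] = client_user;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample values of the client-supplied USER variable. */
    const char *samples[] = { "alice", "-f root", "-froot", "bob smith", "" };
    const char *argv[4];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i][0] ? samples[i] : "(empty)",
               build_login_argv(samples[i], argv, 4) < 0 ? "rejected" : "accepted");
    return 0;
}
```

Rejecting the value outright, rather than trying to escape it, keeps the client-controlled string from ever reaching the option parser of the privileged program.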
Source: opennet.ru
