A vulnerability has been discovered in the telnetd server from the GNU InetUtils suite. It allows connecting as any user, including root, without password verification. A CVE identifier has not yet been assigned. The vulnerability has been present since InetUtils version 1.9.3 (2015) and remains unfixed in the current 2.7.0 release. A fix is available as patches (1, 2).
The problem arises because, to check the password, the telnetd process calls the "/usr/bin/login" utility and passes it, as an argument, the username specified by the client when connecting to the server. The "login" utility supports the "-f" option, which allows logging in without authentication (the option is intended for cases where the user has already been authenticated). Therefore, by supplying the "-f" option in place of the username, it is possible to connect without password verification.
With a normal connection, a username such as "-f root" cannot be used, but Telnet has an automatic login mode that is enabled with the "-a" option. In this mode, the username is not taken from the command line but is passed through the USER environment variable. When the login utility was called, the value of this environment variable was substituted without any additional checks and without escaping special characters. Therefore, to connect as the root user, it is enough to set the USER environment variable to "-f root" and connect to the Telnet server using the "-a" option:

   $ USER='-f root' telnet -a server_name
The change that introduced the vulnerability was added to the telnetd code in March 2015 and addressed a problem that prevented the username from being determined in autologin mode without Kerberos authentication. As a solution, support was added for passing the autologin-mode username through an environment variable, but validation of the username taken from the environment variable was forgotten.
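The missing check described above can be illustrated with the following added example, which is not the InetUtils patch or any code from the project. The function names, the 32-character limit and the allowed character set are assumptions chosen for illustration, and the "--" separator assumes that login parses its options with getopt.

```c
#include <stddef.h>
#include <string.h>

#define MAX_LOGIN_NAME 32   /* assumed limit, for illustration only */

/* Locale-independent check for characters allowed in a login name
   (assumed set: ASCII letters, digits, '_', '.', '-'). */
static int name_char_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '-';
}

/* Return 1 if a client-supplied name may be placed on login's command
   line, 0 otherwise. Hypothetical helper, not a telnetd function. */
int user_name_is_safe(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_LOGIN_NAME)
        return 0;
    /* A leading '-' would be parsed by login as an option such as -f. */
    if (name[0] == '-')
        return 0;
    /* Spaces and shell metacharacters are rejected by the allow-list. */
    for (i = 0; i < len; i++)
        if (!name_char_ok((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Build an argument vector for login. Returns the argument count, or -1
   when the name is rejected or the array is too small. */
int build_login_argv(const char *user, const char *argv[], size_t cap)
{
    if (cap < 4 || !user_name_is_safe(user))
        return -1;
    argv[0] = "/usr/bin/login";
    argv[1] = "--";   /* end of options: the next word is never a flag */
    argv[2] = user;
    argv[3] = NULL;
    return 3;
}
```

The validation and the "--" separator are independent layers: the first rejects the value from USER outright, the second keeps a name from being read as an option even if validation is later loosened.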
Source: opennet.ru
