Tuesday, February 13, 2007

Telnet vulnerability FUD is making me crazy!

Sun did a pretty awesome thing this weekend. A vulnerability was reported on an OpenSolaris alias, which isn't even the correct place to report a security vulnerability. An engineer who happened to be reading his email on the weekend saw the post, reproduced the bug in-house, fixed the code, got code review, tested, and integrated a fix into Nevada (aka OpenSolaris) within HOURS. On a weekend. We have folks on pager call for handling this type of thing, but since this was not sent to that alias, we were lucky that several other engineers were watching an open alias, responded, and fixed it on their day off.

The next day, Monday, the fix was integrated into the Solaris 10 patch gate, with official T-Patches on their way, yet I'm still seeing articles like this one from News.com which make it sound like we're still trying to figure it out. It also gets the facts wrong (I believe the Sun rep was misquoted, but I don't know that for a fact). The article says that only as of last month did we start shipping with SSH enabled by default. *UGH* We've been shipping with SSH enabled by default since Solaris 9 - for YEARS now. I think what they meant was that as of last month, Solaris 10 Update 3 started shipping with ONLY SSH enabled by default; that is, telnet, rlogin, etc. are all disabled by default. It was part of our huge security initiative, Secure By Default.

There are several workarounds to this problem:

  • Disable telnet on your S10, S10U1 or S10U2 system (Solaris 10 Update 3 already ships with it disabled)
  • Make root a role, so nobody can log in as root directly
  • Keep root restricted to console logins (the CONSOLE=/dev/console setting in /etc/default/login, which, btw, has been the default since the initial release of Solaris)
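The following shell script is an added example, not Sun's code and not part of the original post; it audits a host for the login-side workarounds listed above and prints the remediation commands for all three (the same service that Secure By Default turns off on Update 3). It assumes the Solaris 10 layouts of /etc/default/login (an uncommented CONSOLE= line) and /etc/user_attr (user:qualifier:res1:res2:attr, with ';'-separated attributes), and the SMF service name svc:/network/telnet:default. The function names, the sample config files and the `<admin>` placeholder are mine; remediation commands are printed, never executed.

```sh
#!/bin/sh
# Added example (not Sun's code): audit a Solaris 10 host for the telnet
# workarounds, using constructed copies of the config files so it runs anywhere.
# Assumed Solaris layouts: /etc/default/login holds CONSOLE=..., /etc/user_attr
# is user:qualifier:res1:res2:attr with ';'-separated attrs, and telnet is the
# SMF service svc:/network/telnet:default.

# Workaround 3: root is limited to console logins while an uncommented
# CONSOLE= line is present in /etc/default/login (the Solaris default).
console_restricted() {
    grep '^[[:space:]]*CONSOLE=' "$1" >/dev/null 2>&1
}

# Workaround 2: root is a role when its /etc/user_attr entry carries
# type=role in the attribute field; a role cannot be logged into directly.
root_is_role() {
    awk -F: '$1 == "root" {
                 n = split($5, kv, ";")
                 for (i = 1; i <= n; i++) if (kv[i] == "type=role") found = 1
             }
             END { if (found) exit 0; exit 1 }' "$1"
}

# Workaround 1: SMF state of telnet. Only meaningful on Solaris; elsewhere
# report "absent" so the audit still runs.
telnet_state() {
    if command -v svcs >/dev/null 2>&1; then
        svcs -H -o state svc:/network/telnet:default 2>/dev/null || echo absent
    else
        echo absent
    fi
}

# Audit one pair of config files; return 0 only if root is protected by
# at least one of the login-side workarounds.
audit_root_login() {
    login_file=$1; user_attr_file=$2
    if root_is_role "$user_attr_file"; then
        echo "root is a role: direct root logins are refused"
        return 0
    fi
    if console_restricted "$login_file"; then
        echo "CONSOLE is set: root may only log in on the console"
        return 0
    fi
    echo "WARNING: root can log in directly and remotely"
    return 1
}

# Remediation commands for a live Solaris 10 host (printed, not executed).
remediation() {
    cat <<'EOF'
svcadm disable svc:/network/telnet:default   # workaround 1
usermod -K type=role root                    # workaround 2 (then: usermod -R root <admin>)
# workaround 3: make sure /etc/default/login has an uncommented CONSOLE=/dev/console
EOF
}

# Constructed sample files: a default-looking host and a weakened one.
demo() {
    d=$(mktemp -d)
    printf 'CONSOLE=/dev/console\nPASSREQ=YES\n' > "$d/login.default"
    printf '#CONSOLE=/dev/console\nPASSREQ=YES\n' > "$d/login.weak"
    printf 'root::::auths=solaris.*;profiles=All\n' > "$d/user_attr.user"
    printf 'root::::type=role;auths=solaris.*;profiles=All\n' > "$d/user_attr.role"
    echo "telnet service: $(telnet_state)"
    audit_root_login "$d/login.default" "$d/user_attr.user"
    audit_root_login "$d/login.weak" "$d/user_attr.role"
    audit_root_login "$d/login.weak" "$d/user_attr.user" || remediation
    rm -rf "$d"
}
demo
```

Run it as root on the real host by pointing `audit_root_login` at /etc/default/login and /etc/user_attr; the weakened sample shows why commenting out CONSOLE= without making root a role leaves a remote root login path open.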

Solaris 9 and earlier are not affected. The bug was unintentionally introduced into the Solaris 10 and Nevada code base when a major project integrated into Solaris 10.

I am mystified as to why we didn't immediately release a SunAlert with the workaround, but I know those folks were waiting for the IDRs to be available - and they are now. Official patches will be available Real Soon Now. I'll keep poking a sharp stick at folks to try to convince them to do better OFFICIAL communication, but what we've got going with OpenSolaris on the discussion aliases is very cool.