Hi all,

I plan to commit and push the attached patch in a few days to address
this vulnerability, unless there are reasonable objections.

Cheers,
Erik


On Thu, Feb 12, 2026 at 03:22:47PM +0200, Ron Ben Yizhak wrote:
> Hi,
> 
> Following this report, I wanted to ask - do you have any estimation for a
> fix release date, and a CVE release?
> 
> Best regards,
> Ron Ben Yizhak
> 
> On Mon, Feb 9, 2026 at 11:37 AM Ron Ben Yizhak <[email protected]>
> wrote:
> 
> > Hello,
> >
> > Thank you for consulting with me. As a vulnerability researcher, I do not
> > want to take responsibility for the effectiveness of the fix.
> > With that being said, in my opinion the proposed fix will stop this
> > exploit, but the main issue stays. The issue exists as long as
> > unauthenticated clients can set arbitrary environment variables in the
> > memory of telnetd and its sub processes.
> > The best solution will be that the environment variables set by the client
> > will only apply on the shell process and only after the client has already
> > authenticated. No process running as root should run with any environment
> > variables set by the client.
> >
> > Best regards,
> > Ron Ben Yizhak
> >
> > On Mon, Feb 9, 2026 at 11:21 AM Erik Auerswald <[email protected]>
> > wrote:
> >
> >> Hi Ron Ben Yizhak,
> >>
> >> On Fri, Feb 06, 2026 at 06:27:30PM +0100, Erik Auerswald wrote:
> >> > On Thu, Feb 05, 2026 at 02:39:57PM +0200, Ron Ben Yizhak via Bug reports for the GNU Internet utilities wrote:
> >> > >
> >> > > My name is Ron Ben Yizhak and I am a security researcher from SafeBreach.
> >> > >
> >> > > I want to report a severe vulnerability that I found in telnetd from the
> >> > > repository https://codeberg.org/inetutils/inetutils
> >> > > [...]
> >> >
> >> > [...] a quick and dirty hack that should stop this method is contained
> >> > in the attached patch.  I have tested it with the above mentioned
> >> > method only.
> >>
> >> Can you confirm that the patch[0] from my previous message[1] stops
> >> the exploit?
> >>
> >> [0]
> >> https://lists.gnu.org/archive/html/bug-inetutils/2026-02/txt5Lp7CdbQkO.txt
> >> [1]
> >> https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00001.html
> >>
> >> > [...]
> >> > A possible workaround would be to use an older version of "login".
> >>
> >> Another possible workaround would be to wrap "login" execution with
> >> "env", and use "env" to unset the problematic environment variable
> >> "CREDENTIALS_DIRECTORY".  The inetd.conf line could look as below:
> >>
> >> telnet stream tcp nowait root /usr/local/libexec/telnetd telnetd --exec-login "/usr/bin/env -u CREDENTIALS_DIRECTORY /usr/bin/login -p -h %h %?u{-f -- %u}{-- %U}"
> >>
> >> Can you confirm that this stops the exploit?
> >>
> >> Thanks,
> >> Erik

From 4db2f19f4caac03c7f4da6363c140bd70df31386 Mon Sep 17 00:00:00 2001
From: Erik Auerswald <[email protected]>
Date: Sun, 15 Feb 2026 15:38:50 +0100
Subject: [PATCH] telnetd: don't allow systemd service credentials

The login(1) implementation of util-linux added support for
systemd service credentials in release 2.40.  This allows
bypassing authentication by specifying a directory name in the
environment variable CREDENTIALS_DIRECTORY.  If this directory
contains a file named 'login.noauth' with the content of 'yes',
login(1) skips authentication.

GNU Inetutils telnetd supports setting arbitrary environment
variables using the 'Environment' and 'New Environment'
Telnet options.  This allows specifying a directory containing
'login.noauth'.  A local user can create such a directory
and file, and, e.g., specify the user name 'root' to escalate
privileges.

This problem was reported by Ron Ben Yizhak in
<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.

This commit clears CREDENTIALS_DIRECTORY from the environment
before executing login(1) to implement a simple fix that can
be backported easily.

* NEWS.md: Mention fix.
* THANKS: Mention Ron Ben Yizhak.
* telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment
before executing 'login'.
---
 NEWS.md       | 5 +++++
 THANKS        | 1 +
 telnetd/pty.c | 8 ++++++++
 3 files changed, 14 insertions(+)

diff --git a/NEWS.md b/NEWS.md
index 877ca53b..f5172a71 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -6,6 +6,11 @@ GNU inetutils NEWS -- history of user-visible changes.
 Reported by Kyu Neushwaistein.  Initial patch by Paul Eggert; further
 improvements and security advisory by Simon Josefsson.
 
+** Prevent privilege escalation via telnetd abusing systemd service
+credentials support added to the login(1) implementation of util-linux
+in release 2.40.  Reported by Ron Ben Yizhak in
+<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
+
 ** telnet: Drop everything related to TN3270.
 The code did not build (several missing required header files) and
 even if we could fix it, we have no way to test it. It may contain
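Review bot: The new NEWS.md entry has no component prefix, while the entry directly after it starts with "** telnet:"; starting this one with "** telnetd:" would match that style. Naming the variable that is now cleared, CREDENTIALS_DIRECTORY, in the entry would also let administrators tell from NEWS alone what the fix covers.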
diff --git a/THANKS b/THANKS
index 8d1d3dbb..ef5f6063 100644
--- a/THANKS
+++ b/THANKS
@@ -10,6 +10,7 @@ In particular:
   Nathan Neulinger       (tftpd)
   Thomas Bushnell        (sockaddr sin_len field)
   Kyu Neushwaistein      (reported remote root exploit in telnetd)
+  Ron Ben Yizhak         (reported privilege escalation via telnetd)
 
 Please see version control logs and ChangeLog.? for full credits.
 
diff --git a/telnetd/pty.c b/telnetd/pty.c
index c727e7be..f3518049 100644
--- a/telnetd/pty.c
+++ b/telnetd/pty.c
@@ -129,6 +129,14 @@ start_login (char *host, int autologin, char *name)
   if (!cmd)
     fatal (net, "can't expand login command line");
   argcv_get (cmd, "", &argc, &argv);
+
+  /* util-linux's "login" introduced an authentication bypass method
+   * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40.
+   * Clear it from the environment before executing "login" to prevent
+   * abuse via Telnet.
+   */
+  unsetenv ("CREDENTIALS_DIRECTORY");
+
   execv (argv[0], argv);
   syslog (LOG_ERR, "%s: %m\n", cmd);
   fatalperror (net, cmd);
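Review bot: The unsetenv () call placed before execv () in start_login removes exactly one name, so every other variable a client sets through the Environment and New Environment options still reaches login(1). As raised earlier in the thread, that leaves the underlying exposure in place. Consider building the environment handed to login from an allowlist of names, or applying client-set variables only after authentication, and keep this single unsetenv () as the easily backported stopgap the commit message describes.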
-- 
2.34.1
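
The concern raised in the thread is that removing one name leaves every other client-set variable in place. As an added example (not part of the patch or of inetutils; the allowlist, the function names and the sample values are assumptions made here), this builds the environment for an exec'd login from an allowlist, so a variable nobody has reviewed yet is dropped by default:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed allowlist, chosen for illustration only. */
static const char *const allowed_names[] = { "TERM", "LANG", "TZ", NULL };

/* Constructed sample of an environment after client-set variables. */
static char *sample_env[] = {
  "TERM=xterm", "CREDENTIALS_DIRECTORY=/tmp/example",
  "UNREVIEWED_VAR=1", "LANG=C", "TERMX=1", NULL
};

/* Return 1 if ENV contains an entry whose name is exactly NAME. */
int env_has (char *const *env, const char *name)
{
  size_t len = strlen (name);
  for (; env && *env; env++)
    if (strncmp (*env, name, len) == 0 && (*env)[len] == '=')
      return 1;
  return 0;
}

/* Return a new NULL-terminated array with only the allowlisted entries
   of ENV (strings are shared, not copied), or NULL if out of memory.  */
char **filter_env (char *const *env)
{
  size_t n = 0, kept = 0;
  while (env[n]) n++;
  char **out = calloc (n + 1, sizeof *out);
  if (!out) return NULL;
  for (size_t i = 0; i < n; i++)
    {
      char *const one[] = { env[i], NULL };
      for (size_t j = 0; allowed_names[j]; j++)
        if (env_has (one, allowed_names[j]))
          out[kept++] = env[i];
    }
  return out;
}

int main (void)
{
  char **clean = filter_env (sample_env);
  for (char **p = clean; p && *p; p++)
    puts (*p);        /* a daemon would call execve (path, argv, clean) */
  free (clean);
  return 0;
}
```

Passing the filtered array to execve() instead of calling execv() means the child never inherits the daemon's own environment.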
