Erik Auerswald <[email protected]> writes:

> Hi all,
>
> I plan to commit and push the attached patch in a few days to address
> this vulnerability, unless there are reasonable objections.
Thanks -- I wish we could implement the --accept-env approach and make
the default not set any environment variables at all, but I don't have
cycles to work on that.  Anyone else?

Your patch seems to close this vulnerability report in a most minimal
way, so IMHO we should apply it.

/Simon

> Cheers,
> Erik
>
>
> On Thu, Feb 12, 2026 at 03:22:47PM +0200, Ron Ben Yizhak wrote:
>> Hi,
>>
>> Following this report, I wanted to ask - do you have any estimation for a
>> fix release date, and a CVE release?
>>
>> Best regards,
>> Ron Ben Yizhak
>>
>> On Mon, Feb 9, 2026 at 11:37 AM Ron Ben Yizhak <[email protected]> wrote:
>>
>> > Hello,
>> >
>> > Thank you for consulting with me. As a vulnerability researcher, I do not
>> > want to take responsibility for the effectiveness of the fix.
>> > With that being said, in my opinion the proposed fix will stop this
>> > exploit, but the main issue stays. The issue exists as long as
>> > unauthenticated clients can set arbitrary environment variables in the
>> > memory of telnetd and its subprocesses.
>> > The best solution will be that the environment variables set by the client
>> > will only apply to the shell process and only after the client has already
>> > authenticated. No process running as root should run with any environment
>> > variables set by the client.
>> >
>> > Best regards,
>> > Ron Ben Yizhak
>> >
>> > On Mon, Feb 9, 2026 at 11:21 AM Erik Auerswald <[email protected]> wrote:
>> >
>> >> Hi Ron Ben Yizhak,
>> >>
>> >> On Fri, Feb 06, 2026 at 06:27:30PM +0100, Erik Auerswald wrote:
>> >> > On Thu, Feb 05, 2026 at 02:39:57PM +0200, Ron Ben Yizhak via Bug reports for the GNU Internet utilities wrote:
>> >> > >
>> >> > > My name is Ron Ben Yizhak and I am a security researcher from SafeBreach.
>> >> > >
>> >> > > I want to report a severe vulnerability that I found in telnetd from the
>> >> > > repository https://codeberg.org/inetutils/inetutils
>> >> > > [...]
>> >> >
>> >> > [...]
>> >> > a quick and dirty hack that should stop this method is contained
>> >> > in the attached patch. I have tested it with the above-mentioned
>> >> > method only.
>> >>
>> >> Can you confirm that the patch[0] from my previous message[1] stops
>> >> the exploit?
>> >>
>> >> [0] https://lists.gnu.org/archive/html/bug-inetutils/2026-02/txt5Lp7CdbQkO.txt
>> >> [1] https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00001.html
>> >>
>> >> > [...]
>> >> > A possible workaround would be to use an older version of "login".
>> >>
>> >> Another possible workaround would be to wrap "login" execution with
>> >> "env", and use "env" to unset the problematic environment variable
>> >> "CREDENTIALS_DIRECTORY". The inetd.conf line could look as below:
>> >>
>> >> telnet stream tcp nowait root /usr/local/libexec/telnetd telnetd --exec-login "/usr/bin/env -u CREDENTIALS_DIRECTORY /usr/bin/login -p -h %h %?u{-f -- %u}{-- %U}"
>> >>
>> >> Can you confirm that this stops the exploit?
>> >>
>> >> Thanks,
>> >> Erik

> From 4db2f19f4caac03c7f4da6363c140bd70df31386 Mon Sep 17 00:00:00 2001
> From: Erik Auerswald <[email protected]>
> Date: Sun, 15 Feb 2026 15:38:50 +0100
> Subject: [PATCH] telnetd: don't allow systemd service credentials
>
> The login(1) implementation of util-linux added support for
> systemd service credentials in release 2.40. This allows bypassing
> authentication by specifying a directory name in the
> environment variable CREDENTIALS_DIRECTORY. If this directory
> contains a file named 'login.noauth' with the content of 'yes',
> login(1) skips authentication.
>
> GNU Inetutils telnetd supports setting arbitrary environment
> variables using the 'Environment' and 'New Environment'
> Telnet options. This allows specifying a directory containing
> 'login.noauth'. A local user can create such a directory
> and file, and, e.g., specify the user name 'root' to escalate
> privileges.
>
> This problem was reported by Ron Ben Yizhak in
> <https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
>
> This commit clears CREDENTIALS_DIRECTORY from the environment
> before executing login(1) to implement a simple fix that can
> be backported easily.
>
> * NEWS.md: Mention fix.
> * THANKS: Mention Ron Ben Yizhak.
> * telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment
> before executing 'login'.
> ---
>  NEWS.md       | 5 +++++
>  THANKS        | 1 +
>  telnetd/pty.c | 8 ++++++++
>  3 files changed, 14 insertions(+)
>
> diff --git a/NEWS.md b/NEWS.md
> index 877ca53b..f5172a71 100644
> --- a/NEWS.md
> +++ b/NEWS.md
> @@ -6,6 +6,11 @@ GNU inetutils NEWS -- history of user-visible changes. > Reported by Kyu Neushwaistein. Initial patch by Paul Eggert; further > improvements and security advisory by Simon Josefsson. > > +** Prevent privilege escalation via telnetd abusing systemd service > +credentials support added to the login(1) implementation of util-linux > +in release 2.40. Reported by Ron Ben Yizhak in > +<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>. > + > ** telnet: Drop everything related to TN3270. > The code did not build (several missing required header files) and > even if we could fix it, we have no way to test it. It may contain > diff --git a/THANKS b/THANKS > index 8d1d3dbb..ef5f6063 100644 > --- a/THANKS > +++ b/THANKS > @@ -10,6 +10,7 @@ In particular: > Nathan Neulinger (tftpd) > Thomas Bushnell (sockaddr sin_len field) > Kyu Neushwaistein (reported remote root exploit in telnetd) > + Ron Ben Yizhak (reported privilege escalation via telnetd) > > Please see version control logs and ChangeLog.? for full credits. > > diff --git a/telnetd/pty.c b/telnetd/pty.c > index c727e7be..f3518049 100644 > --- a/telnetd/pty.c > +++ b/telnetd/pty.c > @@ -129,6 +129,14 @@ start_login (char *host, int autologin, char *name) > if (!cmd) > fatal (net, "can't expand login command line"); > argcv_get (cmd, "", &argc, &argv); > + > + /* util-linux's "login" introduced an authentication bypass method > + * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40. > + * Clear it from the environment before executing "login" to prevent > + * abuse via Telnet. > + */ > + unsetenv ("CREDENTIALS_DIRECTORY"); > + > execv (argv[0], argv); > syslog (LOG_ERR, "%s: %m\n", cmd); > fatalperror (net, cmd);
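Review bot: the NEWS.md entry names the util-linux feature but not the variable telnetd now strips, so an administrator reading it cannot tell that CREDENTIALS_DIRECTORY is cleared before login runs, nor whether the "env -u CREDENTIALS_DIRECTORY" inetd.conf workaround given earlier in this thread is still needed after upgrading. Suggest adding a sentence along the lines of "telnetd now clears CREDENTIALS_DIRECTORY from the environment before executing login(1)." and, once one is assigned, the CVE identifier Ron Ben Yizhak asked about.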
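Review bot: the telnetd/pty.c hunk is a one-name denylist: unsetenv ("CREDENTIALS_DIRECTORY") removes the variable login(1) 2.40 honours, but every other variable a client sets through the Environment and New Environment options still reaches a login(1) that inetd runs as root, which is exactly the residual issue Ron Ben Yizhak and Simon raise in the thread (--accept-env, default of passing nothing). If the minimal backportable change is the goal, the comment should say so, e.g. "Stopgap: a later change should pass only an allowlist of variables to login"; otherwise this is the place to replace the single unsetenv with an allowlist applied to the environment that execv inherits. Two smaller points: the unsetenv is unconditional, so a telnetd that is itself started by systemd with a credentials directory would also stop passing it on, which should be stated in the comment or in NEWS; and the return value of unsetenv is ignored, which is acceptable here because it only fails for a malformed name, but a one-line comment saying so would save the next reader the check.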
