Sudden #Telnet Traffic Drop. Are #Telcos Filtering Ports to Block Critical #Vulnerability?
Telcos likely received advance warning about January's critical Telnet vulnerability before its public disclosure, according to threat intelligence biz GreyNoise. Global Telnet traffic "fell off a cliff" on January 14, 6 days before #security advisories for CVE-2026-24061 went public on Jan 20. The flaw, a decade-old bug in GNU #InetUtils telnetd with a 9.8 #CVSS score, allows …
2.7までのGNU inetutilsに含まれるtelnetdに、細工した環境変数を送信するだけで認証を回避して特権ユーザーでのログインが可能な脆弱性が発見されたらしい。CVE-2026-24061。いまどきtelnetdをThe Internetに露出している人はそうそういないはずとはいえ、なかなか興味深いので調べてみたところ。`telnetd`が`execv()`で呼び出す`/usr/bin/login`のコマンドラインオプションをうまく使うことでそういうことができてしまうようで、正直興奮した。
#CVE #GNU #inetutils #login #telnetd #サイバーセキュリティ #セキュリティ #情報セキュリティ #脆弱性
Bernstein's famous papers on the subject post-date all of us, of course. There are those available, now. I wonder how much else there is, though.
There are textbooks on design patterns and anti-patterns, and general ones on #Unix programming; but where's the book that tells you that -- is not just an interesting quirk but a general defence measure whose habitual use would (for example) have stopped #telnetd+#login having this same issue 3 times over (in #inetutils, in Solaris, and reportedly in AIX before that)?
Where is the textbook that explains that postcodes have no legal requirement to match a simplistic regular expression? Or the handiness of vis encoding in making whitespace-separated flat table files workable? Or that sscanf() is inadequate for a terminal emulator dealing with control sequences?
Or that habitually using the ADO.NET connection string builder classes, command builders, and parameter classes are good ideas?
My first suspect for a #login not supporting -- would be something with a 1980s history pre-dating standard #getopt, such as Solaris, which is ironic given that #inetutils has its only -- present in conditionally compiled code targetting Solaris.
#FreeBSD, #NetBSD, and #OpenBSD login all use getopt(), pervasive in these worlds for decades, as do the util-linux login (used by Debian et al.), and the #Illumos and #BusyBox logins.
#suckless login supports -- via ARGBEGIN.
Looking at the commit and the code as it still stands today, it is interesting that only on Solaris does it even try to use -- in the arguments to login to signal the end of options, and even then only in limited circumstances.
#FreeBSD telnetd, for comparison, always puts -- in before the supplied account name.
I wonder how long it will be before the lesson is properly learned.
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Benjamin Woodruff, Jeffrey Bencteux, John Muhl, Matheus Branco Borella, Sergey Alexandrovich Bugaev, and Wang Diancheng for assigning their copyright to the FSF! #Inetutils, #GDB, #GCC, #GNUCLib, #GNUHurd, #GNUMach, #GNUstep, #Emacs, and more: https://u.fsf.org/3ht #CopyrightAssignments
