Telnetd vulnerability, or, dealing with ancient software

Friday, August 26, 2022

Pierre Kim notes a Denial-of-Service vulnerability in various implementations of telnetd. Well, duh, as they say. As Kim’s post mentions, a lot of this code hasn’t been updated in 30 years. It’s hardly surprising that code in BSD 4.3 Reno, UNICOS, SunOS, DYNIX, and Ultrix—all of which have long since been discontinued—should have such vulnerabilities. This isn’t a problem, since nobody is using those today.

The problem is that telnetd is not just in these old operating systems, but is available in current versions of FreeBSD, NetBSD, and essentially every Linux distribution.

Kim’s post makes the recommendation, “It is 2022. Do not use telnet. Seriously!” I think this is wrong, or rather, misses the point. A better recommendation would be “Remove telnetd from your operating system.”[1]

Programs which don’t exist can’t have bugs. Do not ship known-vulnerable code. Just don’t.
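One way to find out whether a host still ships an enabled telnetd, as an added example that is not part of the original post: it assumes the usual BSD inetd.conf format, an xinetd service file at /etc/xinetd.d/telnet, the systemd unit name telnet.socket, and the listener output of ss -ltn or netstat -an.

```shell
#!/bin/sh
# Audit helper: report where a telnet daemon may still be enabled on a
# Unix-like host. Added example, not code from the post. Assumed paths:
# /etc/inetd.conf (BSD inetd), /etc/xinetd.d/telnet (xinetd), the systemd
# unit name telnet.socket, and "ss -ltn" / "netstat -an" listener output.

# 0 if FILE in inetd.conf syntax has an uncommented "telnet" service line.
inetd_has_telnet() {
    grep -Eq '^[[:space:]]*telnet[[:space:]]' "$1" 2>/dev/null
}

# 0 if an xinetd service FILE is enabled: xinetd treats a missing
# "disable = yes" line as enabled, so only that line turns it off.
xinetd_enabled() {
    [ -f "$1" ] || return 1
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"; then
        return 1
    fi
    return 0
}

# 0 if FILE holding "ss -ltn" or "netstat -an" output shows a TCP listener
# on port 23 ("0.0.0.0:23" on Linux, "*.23" on BSD).
listener_on_23() {
    grep -E 'LISTEN' "$1" 2>/dev/null | grep -Eq '[:.]23[[:space:]]'
}

# Run the live checks, print one line per finding, return the finding count.
audit_host() {
    count=0
    if inetd_has_telnet /etc/inetd.conf; then
        echo "telnetd enabled in /etc/inetd.conf"; count=$((count + 1)); fi
    if xinetd_enabled /etc/xinetd.d/telnet; then
        echo "telnetd enabled via /etc/xinetd.d/telnet"; count=$((count + 1)); fi
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl is-enabled telnet.socket >/dev/null 2>&1; then
        echo "systemd telnet.socket is enabled"; count=$((count + 1)); fi
    tmpf=$(mktemp)
    (ss -ltn 2>/dev/null || netstat -an 2>/dev/null) > "$tmpf"
    if listener_on_23 "$tmpf"; then
        echo "something is listening on TCP port 23"; count=$((count + 1)); fi
    rm -f "$tmpf"
    return "$count"
}

# Invoke with --audit to check the running host; sourcing the file does nothing.
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

A non-zero return from audit_host is the number of places telnetd was found, so the script doubles as a check in a configuration-management run.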

Footnotes:

[1] The OpenBSD Project removed it in 2005, in the leadup to OpenBSD 3.8. Microsoft removed it from their workstation OS branch with Windows Vista in 2006, and the server branch with Windows Server 2016. Apple removed it in 2017, with the release of Mac OS X 10.13 “High Sierra.” The telnet client is still available by default in OpenBSD. Windows installations do not include the client by default, but it can be installed by going to “Turn Windows features on or off” or via PowerShell. The telnet client is not available at all from Apple, post-10.13 (though you can install it via Homebrew).