Critical telnetd Vulnerability Grants Unauthenticated Root Access to Linux Systems
A critical security flaw has been identified in the GNU InetUtils telnetd server, designated as CVE-2026-24061, which allows unauthenticated attackers to gain root access on Linux systems. This vulnerability affects GNU InetUtils versions 1.9.3 through 2.7 and is currently being actively exploited in the wild.
Understanding the Vulnerability
The core issue lies in how telnetd handles the USER environment variable during the Telnet negotiation phase. When a Telnet client connects, telnetd receives this variable from the client and passes it directly to the `/usr/bin/login` program without proper sanitization. By crafting a malicious USER variable containing the string `-f root`, an attacker can manipulate the login process to bypass authentication checks entirely. The `-f` flag instructs the login program to treat the session as pre-authenticated for the specified user—in this case, the root user—thereby granting immediate root shell access without requiring valid credentials.
Exploitation in the Wild
Security monitoring services, such as GreyNoise, have detected coordinated exploitation campaigns targeting Telnet services (TCP/23) by leveraging this authentication bypass flaw. Analysis of honeypot traffic has revealed 60 unique exploitation attempts originating from 18 distinct IP addresses. These attacks range from opportunistic scanning to more sophisticated persistence mechanisms, including SSH key injection and malware deployment.
Technical Details of the Exploit
The exploitation process involves several steps:
1. Negotiation: The attacker initiates a Telnet connection and sends a malicious ENVIRON variable.
2. Injection: The USER variable is set to `-f root`.
3. Execution: telnetd executes the command `login -p -h
4. Bypass: The `-f` flag instructs the login program to skip authentication for the specified user (root), granting a shell.
This sequence effectively allows the attacker to gain root access without any authentication.
Indicators of Compromise (IoCs)
Organizations should be vigilant for the following indicators of compromise:
– Attacker IP Addresses:
– 178.16.53[.]82: Noted for multiple sessions targeting various systems, primarily engaging in reconnaissance activities.
– 216.106.186[.]24: Associated with SSH key injection and malware downloads.
– 67.220.95[.]16: Involved in malware distribution and exploitation attempts.
– 156.238.237[.]103: Confirmed instances of root access through intrusion detection system alerts.
– Malware Indicators:
– Malware URL: http://67.220.95[.]16:8000/apps.py
– File Name: apps[.]py
– SSH Key Comment: [email protected][.]hosting
Mitigation Strategies
To protect systems from this vulnerability, administrators are advised to:
1. Update Software: Upgrade GNU InetUtils to a version that addresses CVE-2026-24061.
2. Disable Telnet Services: If Telnet is not essential, disable the service to eliminate the attack vector.
3. Implement Network Controls: Restrict access to Telnet services using firewalls or access control lists to limit exposure.
4. Monitor Logs: Regularly review system and network logs for unusual activity, such as unauthorized access attempts or unexpected changes to system files.
5. Deploy Intrusion Detection Systems (IDS): Utilize IDS to detect and alert on suspicious activities related to Telnet services.
Conclusion
The exploitation of CVE-2026-24061 underscores the critical need for robust security practices, especially concerning legacy services like Telnet. Organizations must prioritize patch management, monitor for signs of compromise, and consider deprecating outdated protocols to maintain a secure computing environment.
