Critical telnetd Vulnerability Exploited for Unauthenticated Root Access
A critical security flaw has been identified in the GNU InetUtils telnetd server, designated as CVE-2026-24061, which allows unauthenticated attackers to gain root access to Linux systems. This vulnerability affects GNU InetUtils versions 1.9.3 through 2.7 and has been actively exploited in the wild.
Understanding the Vulnerability
The core issue lies in how telnetd handles the USER environment variable during the Telnet negotiation phase. When a Telnet client connects, it can send environment variables, including USER, to the server. Telnetd then passes this USER variable directly to the /usr/bin/login program without proper sanitization. By crafting a malicious USER variable containing the string -f root, an attacker can exploit this behavior. The -f flag instructs the login program to bypass authentication for the specified user—in this case, root—granting the attacker immediate root shell access without any credential verification.
Exploitation in the Wild
Security firm GreyNoise has observed a coordinated exploitation campaign targeting Telnet services (TCP/23) using this authentication bypass flaw. Analysis of honeypot traffic revealed 60 unique exploitation attempts from 18 distinct source IP addresses. These attacks range from opportunistic scanning to more sophisticated persistence mechanisms, including SSH key injection and malware deployment.
Attack Methodology
The exploitation process typically follows these steps:
1. Connection Initiation: The attacker establishes a Telnet connection to the target system.
2. Environment Variable Injection: During the Telnet negotiation, the attacker sets the USER environment variable to -f root.
3. Execution: Telnetd invokes the login program with the unsanitized USER variable, resulting in the execution of login -p -h
4. Authentication Bypass: The -f flag causes the login program to skip authentication for the root user, granting the attacker a root shell.
Observed Attacker Behavior
Analysis of captured attack traffic has identified distinct patterns:
– Terminal Speed: Common settings include 38400 baud and 9600 baud, with some attacks negotiating 0,0 (no speed).
– Terminal Type: Payloads vary between standard XTERM-256COLOR, compatibility mode xterm-256color, and generic UNKNOWN types.
– Target Users: While root is the primary target (83% of attempts), probes for users like nobody, daemon, and randomized usernames have been observed.
Upon gaining access, attackers often execute reconnaissance commands such as uname -a, id, and cat /etc/passwd, sometimes wrapped in delimiters for automated parsing by command-and-control infrastructure.
Advanced Persistent Threats
More sophisticated attackers have been observed attempting to establish persistence on compromised systems. For instance, one campaign from IP address 216.106.186[.]24 attempted to append a 3072-bit RSA key to the ~/.ssh/authorized_keys file, facilitating future access. This actor also attempted to download a second-stage Python payload (apps.py) from a distribution server, indicating potential botnet recruitment efforts.
Indicators of Compromise (IoCs)
Organizations should monitor for the following IoCs:
– Attacker IP Addresses:
– 178.16.53[.]82: Top source with 12 sessions targeting 10 unique systems, primarily for reconnaissance.
– 216.106.186[.]24: Associated with SSH key injection and malware download attempts.
– 67.220.95[.]16: Involved in malware distribution and exploitation activities.
– 156.238.237[.]103: Confirmed root access via intrusion detection system alerts.
– Malware Indicators:
– Malware URL: http://67.220.95[.]16:8000/apps.py (Python payload delivery).
– File Name: apps.py (Second-stage payload).
– SSH Key Comment: [email protected][.]hosting (Associated with persistence attempts).
Mitigation Strategies
To protect systems from this vulnerability, administrators should:
1. Disable Telnet Services: Given Telnet’s inherent security weaknesses, it’s advisable to disable Telnet services entirely and replace them with more secure alternatives like SSH.
2. Apply Patches: Ensure that all systems are updated to the latest versions of GNU InetUtils, as patches addressing this vulnerability have been released.
3. Monitor Network Traffic: Implement network monitoring to detect unusual Telnet traffic patterns, which may indicate exploitation attempts.
4. Restrict Access: Limit access to Telnet services to trusted networks only, reducing the attack surface.
5. Implement Intrusion Detection Systems (IDS): Deploy IDS to identify and alert on suspicious activities related to Telnet services.
Conclusion
The exploitation of CVE-2026-24061 underscores the critical need for organizations to reassess the use of legacy protocols like Telnet. By disabling Telnet services, applying necessary patches, and implementing robust monitoring and access controls, organizations can mitigate the risks associated with this vulnerability and enhance their overall security posture.
