Windows (Telnet) tlntsess.exe Remote Access Man-in-the-Middle Attack

Telnet is a clear text protocol that provides bi-directional interactive command line access to a remote user. By default, Telnet does not offer encryption which allows for all interaction, including usernames and passwords to be viewed by third parties during a man-in-the-middle attack. Many compliance and security standards, including PCI, require that remote access employ two-factor authentication.

Exploitation

Stages

1. During a man-in-the-middle attack, a malicious user can obtain the user’s credentials during authentication due to Telnet being a clear text protocol by default.
2. Additionally, during a man-in-the-middle attack, it is possible for a malicious user to know if the credentials provided are valid or invalid due to Telnet being a clear text protocol by default.
3. Lastly, when authentication has been successful, all commands and interactions can be recorded by the malicious user due to Telnet being a clear text protocol by default.

Prerequisites

It is necessary for the Telnet service to be open to an unauthorized network or the internet to conduct this attack.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.

Recommendations for Mitigation

Upon discovery of a successful exploit, customers are expected to take normal reasonable action in accordance with their own standard operating procedures, such as:

• Isolate the compromised device from the network
• Uninstall the Telnet service from the vulnerable host (or otherwise mitigate with FW, config, etc.)
• If remote access is necessary, an encrypted service such as SSH should be installed
• Test the device
• Return the compromised device to the network and full operation

In addition to the above standard remediation, PCI and other compliance/security standards demand that remote access employ two-factor authentication.