Source: cve@mitre.org
The default configuration of NCSA Telnet package for Macintosh and PC enables FTP, even though it does not include an "ftp=yes" line, which allows remote attackers to read and modify arbitrary files.
NCSA Telnet for Macintosh and PC ships with an insecure default configuration that enables its FTP server even when the configuration file contains no "ftp=yes" line, allowing unauthenticated remote attackers to read and modify files over FTP. Because the service is reachable without any explicit opt-in by the user, the flaw can lead to disclosure of sensitive data and compromise of the affected system.
Step 1: Target Identification: The attacker identifies systems running NCSA Telnet for Macintosh or PC. This can be achieved through port scanning (port 21 for FTP).
Step 2: FTP Connection: The attacker establishes an FTP connection to the vulnerable system using a standard FTP client.
Step 3: Authentication Bypass: The attacker attempts to connect without providing credentials, or uses default credentials if known. The vulnerability allows this due to the default configuration.
Step 4: File Access: Upon successful connection, the attacker gains read and write access to the file system.
Step 5: Data Exfiltration/Modification: The attacker can now download sensitive files, upload malicious files (e.g., backdoors, malware), or modify existing files to compromise the system.
The vulnerability stems from an insecure default configuration in NCSA Telnet. The software enables FTP functionality by default, even without an explicit 'ftp=yes' setting in the configuration file. This implicit enablement allows any remote user to connect to the FTP server without authentication (or with default credentials if they exist), granting them read and write access to files on the affected system. The root cause is a design flaw where the FTP service is started and accessible without requiring proper configuration or user consent, leading to unauthorized access.
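A defensive configuration audit, added here as an example and not part of the original advisory: it parses an NCSA Telnet style "key=value" configuration and, matching the behaviour described above, treats a missing "ftp=" line as FTP being enabled rather than disabled. The "#" comment syntax, the accepted "no/off/false/0" spellings for a disabled value, and the sample configurations are assumptions.

```python
import re

# Assumption: the configuration is plain "key=value" lines and "#" starts a comment.
_LINE = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$")

# Assumption: these spellings disable FTP; the advisory only names "ftp=yes".
_DISABLED_VALUES = {"no", "off", "false", "0"}


def parse_config(text):
    """Return a dict of lowercased key -> value; a later duplicate key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comment
        match = _LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2).strip().strip('"')
    return settings


def ftp_state(text):
    """Classify FTP exposure. No ftp= line (or an empty one) means ENABLED by default."""
    value = parse_config(text).get("ftp", "")
    if value == "":
        return "enabled-by-default"
    if value.lower() in _DISABLED_VALUES:
        return "disabled"
    return "enabled-explicit"


def audit(text):
    """Return (exposed, finding) for one configuration file's contents."""
    state = ftp_state(text)
    if state == "disabled":
        return (False, "FTP explicitly disabled (ftp=no)")
    if state == "enabled-by-default":
        return (True, "no ftp= line: FTP is enabled by default; add ftp=no")
    return (True, "ftp=yes present: FTP enabled; set ftp=no unless required")


# Constructed sample configurations for demonstration only.
SAMPLE_IMPLICIT = "# lab workstation\nname=lab-mac\n"           # no ftp line at all
SAMPLE_DISABLED = "name=lab-pc\nFTP = No   # hardened\n"
SAMPLE_EXPLICIT = "name=lab-pc2\nftp=yes\n"

if __name__ == "__main__":
    for label, cfg in (("implicit", SAMPLE_IMPLICIT), ("disabled", SAMPLE_DISABLED),
                       ("explicit", SAMPLE_EXPLICIT)):
        exposed, finding = audit(cfg)
        print(f"{label:9s} exposed={exposed} {finding}")
```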
Due to the age of the vulnerability and the software, it is unlikely to be targeted by sophisticated APTs. However, any attacker with basic knowledge could exploit this vulnerability if they encounter a vulnerable system. This vulnerability is not listed on the CISA KEV.
Network traffic analysis: Monitor for FTP connections (port 21) to systems running NCSA Telnet.
Log analysis: Examine FTP server logs for unauthorized access attempts or suspicious file transfers.
File integrity monitoring: Implement file integrity checks to detect unauthorized modifications to critical system files.
Host-based intrusion detection systems (HIDS): Monitor for suspicious processes or file access patterns.
Isolate and remove the vulnerable software: The primary remediation is to remove NCSA Telnet from the environment, as it is outdated and no longer supported.
Network segmentation: If removal is not immediately possible, segment the network to limit access to systems running NCSA Telnet.
Firewall rules: Implement firewall rules to block inbound FTP connections (port 21) to systems running NCSA Telnet.
Security awareness training: Educate users about the risks of using outdated software and the importance of secure configurations.