Source: cve@mitre.org
Xyplex terminal server 6.0.1S1, and possibly other versions, allows remote attackers to bypass the password prompt by entering (1) a CTRL-Z character, or (2) a ? (question mark).
Xyplex terminal servers are vulnerable to a critical authentication bypass, allowing remote attackers to gain unauthorized access. By sending specific characters (CTRL-Z or ?), attackers can circumvent the password prompt, potentially leading to complete system compromise and data exfiltration.
Step 1: Connection Establishment: The attacker initiates a TCP connection to the Xyplex terminal server on the appropriate port (typically 23 for Telnet or similar). Step 2: Authentication Prompt: The terminal server presents the standard login prompt (e.g., 'Username:'). Step 3: Payload Delivery (CTRL-Z): The attacker sends a CTRL-Z character (ASCII code 26) instead of a username. Step 3: Payload Delivery (Question Mark): The attacker sends a question mark character (?) instead of a username. Step 4: Authentication Bypass: The terminal server, due to the vulnerability, fails to properly process the input and bypasses the password prompt. Step 5: Access Granted: The attacker gains unauthorized access to the system, potentially with elevated privileges depending on the configuration.
The vulnerability stems from inadequate input validation within the terminal server's authentication routines. Specifically, the software fails to properly handle or sanitize the input received before processing the authentication request. The CTRL-Z character, often used to signal end-of-transmission or interrupt, or the question mark character, likely triggers an unexpected state or bypasses the password check entirely. This could be due to a logic error, where the input is not correctly parsed or handled, leading to the program's control flow being diverted to an unintended path, granting access without proper authentication. The root cause is likely a missing or flawed check on the input, allowing the attacker to manipulate the authentication process.
Due to the age of the vulnerability, it's unlikely to be directly associated with specific APT groups. However, any attacker seeking initial access could leverage this. This vulnerability is not listed on the CISA KEV list, but its potential impact warrants immediate attention if identified in an environment.
Monitor network traffic for connections to Xyplex terminal server ports (e.g., 23, 2001, etc.).
Analyze network traffic for the presence of CTRL-Z (ASCII 26) or question mark (?) characters sent during the authentication phase.
Review terminal server logs for failed login attempts followed by successful access without proper authentication.
Implement and monitor intrusion detection systems (IDS) and intrusion prevention systems (IPS) with rules specifically designed to detect this pattern of authentication bypass.
Examine system logs for unexpected activity originating from the terminal server, such as unauthorized file access or command execution.
Immediately upgrade to a patched version or a supported terminal server solution. If upgrading is not immediately possible, consider isolating the affected systems.
Implement strong authentication mechanisms, such as multi-factor authentication (MFA).
Disable or restrict access to the terminal server if it is not essential.
Review and harden the terminal server configuration, including disabling unnecessary services and features.
Implement network segmentation to limit the impact of a successful compromise.
Regularly scan the network for vulnerable systems using vulnerability scanners.