The Day the Telnet Died

Impact and Nature of the Telnetd Vulnerability

  • The CVE is in GNU inetutils telnetd (the server), not in the telnet client or the generic “telnet protocol” itself.
  • Bug: argument injection into login(1) (e.g., -f root), giving an unauthenticated root shell. Trivially exploitable once known.
  • Vulnerable code came from a 2015 commit (variable rename + unsafe getenv use) and apparently went unnoticed ~11 years.
  • Debate over whether this is “just” a serious bug vs a plausible backdoor; no concrete evidence of intent was presented.
  • Some are shocked there were no meaningful tests and compare this to broader issues in under-maintained core utilities.
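
The bug class in the second bullet, shown from the defensive side. This is an added example, not the inetutils code or its fix: it treats a client-influenced account name (for instance one read with getenv) as hostile before it reaches login's argument vector. The function names, the 32-character limit and the allowed character set are assumptions, as is a login that parses options with getopt so that `--` ends option parsing.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allow-list check for a client-influenced account name. */
int user_name_is_safe(const char *name)
{
    size_t i, len;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 32)
        return 0;
    if (name[0] == '-')          /* would be read by login as an option */
        return 0;
    for (i = 0; i < len; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '-'))
            return 0;            /* no whitespace, quotes or shell metacharacters */
    }
    return 1;
}

/* Fill argv for exec'ing login; returns argc, or -1 if the name is rejected. */
int build_login_argv(const char *untrusted_user, const char *argv[], size_t cap)
{
    size_t n = 0;
    if (cap < 4)
        return -1;
    argv[n++] = "login";
    if (untrusted_user != NULL && untrusted_user[0] != '\0') {
        if (!user_name_is_safe(untrusted_user))
            return -1;
        argv[n++] = "--";        /* assumption: login parses options with getopt */
        argv[n++] = untrusted_user;
    }
    argv[n] = NULL;
    return (int)n;
}

int main(void)
{
    const char *argv[4];
    const char *samples[] = { "alice", "-f", "-froot", "bob smith" }; /* constructed */
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %d\n", samples[i], build_login_argv(samples[i], argv, 4));
    return 0;
}
```

The name is passed as its own argv element after `--`, so it is never split on whitespace or merged into a command template.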

Port 23 Filtering by Backbone / Transit Providers

  • GreyNoise shows a step-function collapse in global telnet (port 23) scanner traffic, interpreted as upstream (likely Tier 1) port 23 filtering.
  • Unclear if filtering is strictly port-based or protocol-aware; most commenters assume a simple TCP/23 block.
  • Some observe classic services (e.g., ASCII Star Wars) failing over IPv4 but still reachable via IPv6, matching this hypothesis.
  • Disagreement on whether this is appropriate:
    • Pro: pragmatic emergency mitigation for legacy, unpatched systems; analogous to historic blocking of ports 25, 139, etc.
    • Con: worrisome precedent for “invisible” control by backbone operators and erosion of end-to-end, net-neutral behavior.

Who Still Uses Telnet / Port 23?

  • Modern legitimate use on the public internet is rare and often niche: MUDs/MOOs, BBSes, route-view services, some industrial/embedded gear.
  • Long subthread clarifies:
    • Many MUD clients and servers actually implement the Telnet protocol (RFC 854 + options), though historically some families did not.
    • Many MUDs run on high, unprivileged ports; some still expose port 23 and may now be partially unreachable.
  • Telnet client remains widely used as a generic TCP text tool, but many recommend netcat, socat, openssl s_client, or /dev/tcp instead.
  • OS trends: telnet client often removed from base installs (Ubuntu, macOS), provoking pushback from admins who still need it for legacy equipment.

Security Architecture and Responsibility

  • Discussion on remote-login design: you still need a privileged component able to switch (setuid) to arbitrary users, even with privilege separation.
  • Old telnetd model: small daemon + setuid-root /bin/login inside a PTY; now considered risky because /bin/login wasn’t written for hostile network input.
  • OpenSSH highlighted as an example of heavy privilege separation and sandboxing; but many note real-world SSH deployments often disable key checks and 2FA.

Meta: Article Style and AI, and Exploit History

  • Several readers feel the article’s tone and structure resemble LLM output (repetitive rhetorical patterns, blended with a song parody); others disagree.
  • Some skepticism that such an easy bug really lay unused for 11 years; others note that most “telnet on port 23” devices are not GNU telnetd, so real exposure may have been modest.
  • Overall sense: this event marks a symbolic end to telnet’s public-internet era and illustrates how critical flaws can now be mitigated “in the network” before many even notice.