Cisco has released a High severity security advisory for a telnet vulnerability that affects Cisco IOS XE software.
In a blog post published February 28, 2020, APPGATE first presented details of the vulnerability, CVE-2020-10188, in the netkit-telnet-0.17 telnetd shipped with Fedora 31. The researchers added that the issue had been present for a long time and was remotely exploitable.
Cisco now says that certain configurations of Cisco IOS XE Software are also vulnerable.
“Cisco IOS XE Software is affected only if the device is configured with the persistent Telnet feature. The Telnet service that is used for TTY lines in Cisco IOS Software and Cisco IOS XE Software is not affected,” Cisco explained in the advisory.
Cisco further warned that proof-of-concept code is available and that, in testing, impacted devices run at high CPU usage; as a result, a reboot is needed to recover the device.
Although software updates will be forthcoming, Cisco does offer workarounds that will address this vulnerability.
Administrators should disable the persistent Telnet feature and use persistent Secure Shell (SSH) instead.
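The weak setting beside its replacement, as an added configuration example that is not from the Cisco advisory. The command syntax follows Cisco IOS XE's persistent Telnet/SSH transport-map feature; the map names (telnethandler, sshhandler) and the management interface are placeholders chosen for this example.

```cisco
! --- Vulnerable: persistent Telnet enabled (the affected configuration) ---
transport-map type persistent telnet telnethandler
 connection wait none
 transport interface GigabitEthernet0
exit
transport type persistent telnet input telnethandler

! --- Check: does the running config reference persistent Telnet? ---
! show running-config | include transport type persistent telnet

! --- Workaround: remove persistent Telnet, serve the same role over SSH ---
no transport type persistent telnet input telnethandler
transport-map type persistent ssh sshhandler
 connection wait none
 transport interface GigabitEthernet0
exit
transport type persistent ssh input sshhandler
```

A device that never had a `transport type persistent telnet input` line is not in the affected configuration; the regular TTY-line Telnet service is unaffected, per the advisory.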
Impacted Products
Cisco confirmed Cisco IOS XE Software, when persistent Telnet is configured, is affected by CVE-2020-10188.
Back in April, Fedora released several security updates to address the telnet vulnerability: Fedora 32 telnet-0.17-79.fc32, Fedora 30 telnet-0.17-77.fc30, and Fedora 31 telnet-0.17-78.fc31.
Debian also patched the issue in the telnetd component of inetutils, a collection of network utilities.
In conclusion, this comes as another reminder not to use insecure protocols such as telnet for most remote access and administrative functions; use more secure protocols such as SSH instead.