CVE-2026-28372 Overview
CVE-2026-28372 is a privilege escalation vulnerability affecting telnetd in GNU inetutils through version 2.7. The vulnerability can be exploited by abusing systemd service credentials support that was introduced in the login(1) implementation of util-linux release 2.40. Specifically, the flaw relates to client control over the CREDENTIALS_DIRECTORY environment variable, requiring an unprivileged local user to create a login.noauth file to exploit the vulnerability.
This vulnerability represents a significant security risk for Linux systems running affected versions of GNU inetutils in combination with util-linux 2.40 or later, as it allows local users to escalate their privileges beyond their intended authorization level.
Critical Impact
Local privilege escalation allowing unprivileged users to gain elevated system access by manipulating systemd service credentials through the telnetd service.
Affected Products
- GNU inetutils through version 2.7
- Systems running util-linux 2.40 or later with systemd service credentials support
- Linux distributions with telnetd enabled and affected component versions
Discovery Timeline
- 2026-02-27 - CVE-2026-28372 published to NVD
- 2026-03-02 - Last updated in NVD database
Technical Details for CVE-2026-28372
Vulnerability Analysis
This vulnerability falls into the category of Privilege Escalation, specifically exploiting the interaction between GNU inetutils' telnetd daemon and the systemd service credentials mechanism introduced in util-linux 2.40. The root cause stems from improper handling of environment variables that are trusted by the login process.
When a user connects via telnet, the telnetd service spawns a login process. In util-linux 2.40 and later, the login(1) command gained support for systemd service credentials, which relies on the CREDENTIALS_DIRECTORY environment variable to locate credential files. The vulnerability arises because telnetd does not properly sanitize or restrict client-controlled environment variables before passing them to the login subprocess.
An attacker with local system access can create a login.noauth file in a directory they control, then manipulate the CREDENTIALS_DIRECTORY environment variable during a telnet session to point to their malicious directory. When the login process reads this credential file, it may bypass normal authentication mechanisms, effectively granting the attacker elevated privileges.
Root Cause
The fundamental issue is CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The telnetd service fails to adequately sanitize environment variables passed from client connections before they are inherited by child processes. When combined with util-linux 2.40's new systemd credentials feature in login(1), this allows unprivileged users to influence the authentication behavior through attacker-controlled credential directories.
The vulnerability specifically requires:
- GNU inetutils telnetd through version 2.7
- util-linux 2.40 or later with systemd service credentials support
- Local access to create files on the target system
- Ability to establish a telnet connection (typically via localhost)
Attack Vector
The attack is executed locally, requiring the attacker to have an unprivileged account on the target system. The exploitation flow involves creating a malicious login.noauth credential file in a user-controlled directory, then initiating a telnet connection with a manipulated CREDENTIALS_DIRECTORY environment variable pointing to that directory. When telnetd spawns the login process, the unsanitized environment variable causes login to read the attacker's credential file, potentially bypassing authentication controls.
The attack does not require user interaction once the malicious files are in place, and successful exploitation can lead to complete compromise of confidentiality, integrity, and availability of the affected system.
Detection Methods for CVE-2026-28372
Indicators of Compromise
- Presence of unexpected login.noauth files in user-writable directories
- Unusual telnet connections originating from localhost or internal network segments
- Login processes spawned with non-standard CREDENTIALS_DIRECTORY environment variable values
- Suspicious privilege escalation events following telnet sessions
Detection Strategies
- Monitor for file creation events matching the pattern login.noauth in non-standard directories
- Implement process monitoring to detect telnetd child processes with manipulated environment variables
- Configure auditd rules to track modifications to credential-related files and directories
- Enable logging for all telnet connection attempts, especially from local interfaces
Monitoring Recommendations
- Deploy file integrity monitoring (FIM) on critical system directories and credential storage locations
- Implement centralized logging for authentication events and correlate with telnet session activity
- Use endpoint detection and response (EDR) solutions to monitor for privilege escalation patterns
- Regularly audit running services for vulnerable GNU inetutils versions
How to Mitigate CVE-2026-28372
Immediate Actions Required
- Disable telnetd service if not required for business operations
- Restrict telnet access to trusted networks and users via firewall rules
- Update GNU inetutils to a patched version when available from your distribution
- Consider replacing telnet with SSH for secure remote access
Patch Information
A fix has been committed to the Debian inetutils package repository. The patch can be reviewed at the Debian Inetutils Commit. Organizations should apply distribution-specific security updates as they become available. Additional technical discussion is available through the GNU Bug Report and OpenWall OSS Security Discussion.
Workarounds
- Disable the telnetd service entirely using systemctl disable telnetd or equivalent for your init system
- Configure PAM or other authentication mechanisms to ignore systemd credential files from non-standard locations
- Implement network segmentation to restrict telnet access to management networks only
- Use application-level controls to sanitize environment variables passed to child processes
# Configuration example
# Disable telnetd service on systemd-based systems
sudo systemctl stop telnetd
sudo systemctl disable telnetd
# Block telnet port at the firewall level
sudo iptables -A INPUT -p tcp --dport 23 -j DROP
# Verify telnetd is not running
sudo ss -tlnp | grep :23
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
