Ruben Schade  🔰 🇦🇺2d ago
abadidea
enjoyed this telnetd analysis. (if you can’t believe anyone has a legitimate operational reason to run telnet, you live in a cozy world indeed) https://labs.watchtowr.com/a-32-year-old-bug-walks-into-a-telnet-server-gnu-inetutils-telnetd-cve-2026-32746/
A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746)

A long, long time ago, in a land free of binary exploit mitigations, when Unix still roamed the Earth, there lived a pre-authentication Telnetd vulnerability. In fact, this vulnerability was born so long ago (way back in 1994) that it may even be older than you. To put the timespan

watchTowr Labs
Mar 25 at 5:56amWeb
Show threadRodger2d ago
@0xabad1dea it is delightful “That was so long ago that RISC was still a distant dream.” Made my eye twitch like an old man who realises that his youth has become sufficiently history that the details have flattened out
Show threadLudwig Vielfrass2d ago
@rodgerd @0xabad1dea I feel you. Those RS/6000s and SPARCStations I thought I used in the early 1990s must have been a fever dream!
Show threadRodger2d ago

@lerxst @0xabad1dea exactly - I had an ARM2 in high school (via Acorn) in the 80s.

But it’s all A Very Long Time Ago from here.

Show threadStoneBear 2d ago
@lerxst I adminned a cluster of 6000's back in the day. I actually liked them. And all telnet... ssh wasn't until '95... @rodgerd @0xabad1dea
Show threadBrad Howes2d ago
@rodgerd @0xabad1dea that line about RISC caught my eye. It is not true, however. RISC systems started appearing in the 80s, especially the Sun SPARC ones that I used at my first job out of college in 1988.
Show threadGlyph2d ago
@0xabad1dea do you have a specific example of such a legit need? I do not typically think of myself as “sheltered” but this one eludes me
Show threadabadidea2d ago
@glyph wander into any factory in the world and you'll find 30yo industrial machinery that's been running the same firmware the entire time and trying to fiddle with it is liable to end the business
Show threadEmma needs ☕️ and paying work2d ago

@0xabad1dea @glyph my wife had to use a robot driven from a computer running Windows 2000 to move samples out of an electron microscope.

That's not telnet, but is similar.

Show threadKevin Karhan 2d ago
@emma @0xabad1dea @glyph I still know some stuff running MS-DOS!
Show threadnick1d ago
@kkarhan @emma @0xabad1dea @glyph yeah and not that newfangled dos 4.0 either ...
Show threadV2d ago
@0xabad1dea @glyph For more specific examples: Someone I know had to use telnet to connect to something (a mill or lathe, possibly was just one of each) at a shop she worked in not too long ago.
In uni, I had to use telnet to connect to a telescope for some physics classes.
Show threadKevin Karhan 2d ago
@miss_rodent @0xabad1dea @glyph a lot of scientific and industrial equipment runs on very old stuff cuz that never got upgraded (nor was it feasible or even possible to do so!)
Show threadV2d ago
@kkarhan @0xabad1dea @glyph Yeah, even when it is possible/feasible...
Do you want to build a new telescope - including all the permitting headaches, cost, fees, etc. - or do you want to spend an extra 10-20 minutes each year to teach a few 19-year-olds how to connect over telnet.
Show threadKevin Karhan 2d ago

@miss_rodent @0xabad1dea @glyph Same goes for everything similarly nieche in medical, industry and science.

  • Yeah, it's old, outdated and so forth but it still works fine and neither is there budget for "upgrades" nor is there a pressing need and the few people who can even access it have a vested interest in keeping it operational.
    • This ain't like a banking mainframe or payment backend or something similarly juicy "worth hacking" as everyone would dislike that...
Show threadV2d ago
@0xabad1dea @glyph So - not something most people have to deal with day-to-day, but, if you need to communicate remotely with old machinery, it still comes up. A lot of stuff like that works on a 'if it ain't broke, don't fix it' policy.
... Especially if 'fix it' involves hauling parts into orbit, or to the top of a mountain in a remote corner of the country without too much light pollution (yet).
Show threadTrammell Hudson2d ago
@0xabad1dea @glyph I visited a semiconductor fab in Chippewa Falls in 2013 and was shocked to find that the production line also doubled as a retrocomputing museum with Sun 3 and VAX hardware still in operation.
Show threadjulf2d ago
@th @0xabad1dea @glyph I assume the Cray was not operational any more?
Show threadBonkers2d ago
@julf @th @0xabad1dea @glyph it is fully operational as a cozy bench, apparently.
Show threadTrammell Hudson2d ago
@julf that Cray XMP was a static display and no longer operational. my guess is they don't have anyone who can rewire it.
Show threadjulf2d ago
@th Wow! They need a Jacquard loom...
Show threadAndreas Sikkema2d ago
@th I remember the days when SARA had a bench like that in the waiting area 😉
Show threadAndrea (Drea) Tamar Pinski2d ago

@glyph @0xabad1dea

I can think of one reason, terminal servers; though most serial terminals these days support ssh. Even the one I have support ssh; though I used telnet rather than ssh as it was out of habbit. Plus I was using it on my own local network only and never exported.

Show threadSnoopJ2d ago

@glyph @0xabad1dea a former employer of mine used (probably still uses to this day) telnet to talk to a domain-specific piece of software that was at the heart of their business, and which once upon a time was connected directly to glass teletypes.

Tweaking it usually caused more problems for the business than leaving it be (and had an eye-popping hourly billing rate), and a full upgrade to a "modern" solution would have been an appreciable capital outlay and risk to business continuity for very little feature gain aside from "the UI is now 100x worse because everything's squeezed through the browser"

(sure, we wrapped it in an SSH connection, but it was still telnet under the hood)

Show threadChris Siebenmann1d ago

@glyph @0xabad1dea At least some of the rack PDUs in our machine room only support telnet access for remote power control and outlet configuration, not SSH.

(And even when things support SSH their embedded OS and SSH daemon may be so old that it only supports ancient SSH encryption modes that you need special tools for. We have some of those too.)

Show threadWILLIAM B PECKHAM2d ago
@0xabad1dea I have often used telnet for network and server diagnostics, and I use it occasionally for bulletin board systems on the internet. But I have never needed to install Telnetd in the last 20 years. But if I needed to tomorrow, I would remember this.
Show threaddivVerent1d ago
@0xabad1dea Exactly. I do run a "telnet" daemon, but it's not telnetd but my own meme thing. At
telnet rmpolzer.de 21576 # for TERM=linux (text console) telnet rmpolzer.de 21577 # for TERM=xterm and similar
it doesn't even speak telnet protocol, and in fact, you can just use nc instead, or even curl -N http://rmpolzer.de:21577 is gonna work just as well.

So fun can be had without it. There is no need for the unencrypted backdoor service itself anymore.