BSD Today : Fixes for the telnetd buffer overflow problem
By: Elizabeth
Thursday the 26th, July 2001 at 12:00 PM (EDT)
A TESO security advisory, dated June 10 (with the file dated July 18), announced a multiple vendor telnet daemon vulnerability. According to their advisory (which was also posted to BugTraq), BSD/OS 4.x, FreeBSD, and NetBSD 1.x may be vulnerable and exploitable. The advisory also indicated that OpenBSD 2.x may be vulnerable but not known to be exploitable, and OpenBSD -current is not vulnerable. A few other operating systems and implementations of telnetd are also vulnerable.

The vulnerability is a buffer overflow caused by incorrect bounds checking of data buffered for output to the remote client. Exploiting it only requires the ability to connect to the telnetd server; logging in with a valid username and password is not needed.

According to several reports, this problem is being actively exploited. (An exploit was published to BugTraq.) Remote users may be able to execute code as root (the user who normally runs telnetd). According to the NetBSD security announcement, your DAEMON facility logs (maybe at /var/log/messages) may show signs of an attempted exploit:

    telnetd [[0-9]*]: ttloop: peer died: No such file or directory

OpenBSD and recent versions of NetBSD and FreeBSD don't enable the telnet daemon by default. To quickly make sure telnetd isn't available via inetd (or to disable it), check your /etc/inetd.conf file. Any lines with "telnet" or "telnetd" can be removed, or disabled by commenting them out (prepend a hash mark, #, to the line). To make inetd reload the configuration, send a HUP signal to the inetd process.
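
The two checks described above (the inetd.conf review and the log signature from the NetBSD announcement), as an added example that is not part of the original article. The function names are illustrative, the sample inetd.conf entries and log lines are constructed, and the syslog tag format "telnetd[PID]:" is an assumption.

```shell
#!/bin/sh
# Added example: audit helpers for the two checks in the article.

# List active (uncommented) inetd.conf lines that mention telnet.
active_telnet_lines() {
    awk '/^[ \t]*#/ { next }            # hash-prefixed line: service disabled
         /telnet/   { print NR ": " $0 }' "$1"
}

# Count log lines matching the signature quoted from the NetBSD announcement.
# Assumption: syslog writes the tag as "telnetd[PID]:", optionally with a space.
count_ttloop() {
    awk '/telnetd ?\[[0-9]+\]: ttloop: peer died: No such file or directory/ { n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample inputs, so the script runs without touching /etc or /var.
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
ftp     stream tcp  nowait root /usr/libexec/ftpd    ftpd -l
#telnet stream tcp  nowait root /usr/libexec/telnetd telnetd
telnet  stream tcp6 nowait root /usr/libexec/telnetd telnetd
  # telnet stream tcp nowait root /usr/libexec/telnetd telnetd
EOF
    cat > "$1/messages" <<'EOF'
Jul 24 03:12:45 host telnetd[1234]: ttloop: peer died: No such file or directory
Jul 24 03:12:51 host telnetd[1240]: ttloop: peer died: No such file or directory
Jul 24 03:13:02 host sshd[1301]: Accepted password for alice from 192.0.2.10
Jul 24 03:14:10 host telnetd[1312]: ttloop: read: Connection reset by peer
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
echo "Active telnet entries (line: content):"
active_telnet_lines "$tmp/inetd.conf"       # only the uncommented tcp6 entry
echo "ttloop signature hits: $(count_ttloop "$tmp/messages")"
rm -rf "$tmp"
```

On a real system, point the functions at /etc/inetd.conf and at the file that receives DAEMON facility messages.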

As another workaround, consider using TCP wrappers (such as /etc/hosts.deny and /etc/hosts.allow) to disable telnet access. You can also use IPFW, IP Filter or pf to restrict packets. Please note that if you allow telnet access from another "trusted" machine that has been compromised, your machine becomes vulnerable.

You could also consider replacing telnet access with SSH access (which also provides further security enhancements). (Regular telnet passes usernames, passwords and other data in plain text, so its use is often discouraged.)

FreeBSD has released fixes for this buffer overflow problem. For more information, read ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:49.telnetd.asc. The patches are available at ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/.

NetBSD also has fixes for this problem in -current (dated 2001-07-20 or later); and a patch is available for the NetBSD 1.3, 1.4 and 1.5 families at ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-012-telnetd.patch.

According to postings to the OpenBSD misc mailing list, OpenBSD has been safe from this vulnerability since version 2.3 (May 1998).

Fixes that address the telnetd network buffer overflow problem for BSD/OS are also available via http://www.bsdi.com/services/support/patches/. (An article about updating a BSD/OS system with mods is available at BSD Today.)

The original TESO advisory is available via http://www.team-teso.net/. Another advisory is available from CERT at http://www.cert.org/advisories/CA-2001-21.html.


Source : Jeremy C. Reed (BSD Today)

  