I have just come across information about a vulnerability in the Microsoft Telnet server. The vulnerability is said to allow a 0-click NTLM authentication bypass. Fortunately, only old systems up to Windows Server 2008 R2 are affected. If Telnet is activated on such old Windows servers, it should be deactivated.
Yesterday a blog reader pointed out the following tweet to me in a private message on X. It reads somewhat alarming.

There is a 0-Click NTLM Authentication Bypass vulnerability in the Microsoft Telnet Server. A proof of concept (PoC) has since been published, but there is no patch. The linked article headlines in the screenshot above that Microsoft Telnet is vulnerable to a 0-click vulnerability and requires immediate action.
That sounded quite alarming. The tweet above links to the Security Online article "0-Click NTLM Authentication Bypass Hits Microsoft Telnet Server, PoC Releases, No Patch". The article's author refers to a GitHub post by hackerhouse-opensource, which has since been deleted. However, I found the article in the Internet Archive.
Under the heading Microsoft Telnet Server MS-TNAP Authentication Bypass [RCE 0day] it is stated that there is a critical 0-click remote authentication bypass vulnerability in the Microsoft Telnet Server. This allows attackers to gain access to systems as any user (including as an administrator) without valid credentials. The vulnerability exploits a misconfiguration in the NTLM authentication processes of the Telnet extension MS-TNAP, which allows unauthenticated attackers to remotely bypass authentication.
The repository presented a proof of concept (PoC) exploit for this authentication bypass vulnerability in the implementation of NTLM authentication via MS-TNAP in Microsoft Telnet Server, which is classified as critical.
However, the all-clear can be given very quickly. The vulnerability does allow authentication to be completely bypassed by manipulating the mutual authentication process. However, this only affects very old systems from Windows 2000 to Windows Server 2008 R2, which have long since fallen out of regular support and, in the case of Windows Server 2008 R2, are still receiving ESU support and updates. Anyone who still operates such a server that is accessible from "outside" via the network should check and deactivate the Telnet server. As far as I know, the Telnet server is not activated when such Windows systems are installed.
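
One way to carry out the check-and-deactivate step on such a server, as an added example that is not from the original article or from the PoC repository. It assumes the Telnet Server service is registered under the name TlntSvr and listens on the default port 23/tcp, and that the script runs in an elevated PowerShell session (2.0 or later, so it also works on Windows Server 2008 R2).

```powershell
# Added example: audit and disable the Microsoft Telnet Server service.
# Assumptions: service name TlntSvr, default Telnet port 23/tcp, elevated session.

function Get-TelnetServerState {
    # Returns $null when the Telnet Server service is not installed.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='TlntSvr'"
    if (-not $svc) { return $null }

    # netstat is used because Get-NetTCPConnection does not exist on these old releases.
    # A listening socket has a foreign address ending in ":0"; matching on that
    # instead of the word LISTENING keeps the check independent of the OS language.
    $listening = @(netstat -ano | Where-Object { $_ -match '^\s*TCP\s+\S+:23\s+\S+:0\s' })

    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        State     = $svc.State        # Running / Stopped
        StartMode = $svc.StartMode    # Auto / Manual / Disabled
        Port23    = ($listening.Count -gt 0)
    }
}

function Disable-TelnetServer {
    # Stop the service if it is running, then prevent it from starting again.
    $svc = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
    if (-not $svc) { return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name TlntSvr -Force }
    Set-Service -Name TlntSvr -StartupType Disabled
}

$state = Get-TelnetServerState
if (-not $state) {
    Write-Output "Telnet Server (TlntSvr) is not installed on $env:COMPUTERNAME."
} else {
    # Show the state found, remediate if needed, then show the state again.
    $state | Format-List Computer, State, StartMode, Port23
    if ($state.State -ne 'Stopped' -or $state.StartMode -ne 'Disabled') {
        Disable-TelnetServer
        Get-TelnetServerState | Format-List Computer, State, StartMode, Port23
    }
}
```

If `Port23` is still true after the service has been stopped and disabled, something other than the Microsoft Telnet Server is listening on that port and should be identified via the PID column of `netstat -ano`.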
			


A dead protocol, Telnet, that is not installed by default, on Windows versions that have already been EOL for years. It's a clever find, but it's 15 years too late.
Anyone who exposes Telnet (which on Windows does NOT support encryption, only cleartext) to the big bad internet on ancient Windows versions is either a honeypot or mad.