CVE-2016-5791

9.8 CRITICAL

📋 TL;DR

CVE-2016-5791 allows unauthenticated attackers to access a BusyBox Linux shell via TELNET on JanTek JTC-200 industrial controllers. This provides complete system control without credentials. All versions of JanTek JTC-200 are affected.

💻 Affected Systems

Products:
  • JanTek JTC-200
Versions: All versions
Operating Systems: Embedded Linux with BusyBox
Default Config Vulnerable: ⚠️ Yes
Notes: TELNET service is enabled by default on port 23. No authentication required for BusyBox shell access.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the industrial control system, allowing attackers to modify configurations, disrupt operations, or use the device as a pivot point into industrial networks.

🟠 Likely Case

Unauthorized access leading to configuration changes, data theft, or device takeover for botnet participation.

🟢 If Mitigated

Limited impact if TELNET is disabled and network segmentation prevents access to vulnerable devices.

🌐 Internet-Facing: HIGH - Direct internet exposure allows immediate exploitation without authentication.
🏢 Internal Only: HIGH - Even internally, any network access to the device allows complete compromise.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A simple telnet connection to port 23 provides immediate shell access. The issue is widely known in the ICS security community.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02

Restart Required: No

Instructions:

No official patch exists. Follow workarounds and mitigation steps below.

🔧 Temporary Workarounds

Disable TELNET Service

Completely disable the TELNET service to prevent unauthenticated access.

ps aux | grep '[t]elnetd'    (check whether telnetd is running; the bracket keeps grep from matching its own command line)
killall telnetd              (stop the service)
Remove telnetd from the device's startup scripts so the service does not return after a reboot.

Block TELNET Port

Use firewall rules to block access to TELNET port 23. Apply them on the device itself if it provides iptables, otherwise on the upstream firewall or switch ACL in front of the controller.

iptables -A INPUT -p tcp --dport 23 -j DROP     (drops inbound connections to the device's TELNET listener; this is the rule that closes the exposure)
iptables -A OUTPUT -p tcp --dport 23 -j DROP    (stops the device from initiating outbound TELNET sessions; it does not protect the listener)

Rules added with iptables -A are not persistent: add them to the device's startup scripts or they will be lost at the next reboot.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate JTC-200 devices from untrusted networks
  • Replace TELNET with SSH for remote management with proper authentication

🔍 How to Verify

Check if Vulnerable:

Attempt a telnet connection to the device IP on port 23. If you are presented with a BusyBox shell prompt without being asked for credentials, the device is vulnerable.

Check Version:

No version-specific fix exists. Check whether the telnetd process is running: ps aux | grep '[t]elnetd'

Verify Fix Applied:

After applying the workarounds, attempt the telnet connection again. The connection should be refused or time out.
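The three verification steps above can be scripted so that every JTC-200 on a site is checked the same way before and after the workaround is applied. The following is an added example written for this page, not code from the advisory or from JanTek: it connects to port 23, reads whatever the service sends before any input, and classifies it as an unauthenticated shell prompt, a login prompt, or a closed port. The banner strings and the host used in the usage call are constructed placeholders.

```python
import socket

# Constructed banner samples (not captured from a real device): what a
# BusyBox shell greeting and a credential-protected greeting look like.
VULNERABLE_BANNER = (
    b"\r\nBusyBox v1.01 (2010.03.24-07:33+0000) Built-in shell (ash)\r\n"
    b"Enter 'help' for a list of built-in commands.\r\n\r\n# "
)
LOGIN_BANNER = b"\r\nJTC-200 login: "


def classify_banner(banner: bytes) -> str:
    """Classify what a TELNET service returned before we sent anything.

    'shell'   : a BusyBox shell prompt with no login step (the CVE-2016-5791 condition)
    'login'   : the service asks for credentials first
    'unknown' : empty read or an unrecognised greeting
    """
    # latin-1 never fails, so TELNET option bytes (0xFF IAC ...) are tolerated.
    text = banner.decode("latin-1")
    lowered = text.lower()
    if "login:" in lowered or "password:" in lowered:
        return "login"
    if "BusyBox" in text and text.rstrip().endswith(("#", "$")):
        return "shell"
    return "unknown"


def probe_telnet(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Connect to host:port, read the greeting, and classify it.

    Returns 'closed' when the connection is refused or times out (the expected
    result once telnetd is stopped or port 23 is filtered), otherwise the
    result of classify_banner().
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            received = b""
            try:
                # Read until the service goes quiet (it is waiting for input) or
                # we have enough to classify.
                while len(received) < 4096:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    received += chunk
            except socket.timeout:
                pass
            return classify_banner(received)
    except (ConnectionRefusedError, socket.timeout, OSError):
        return "closed"


if __name__ == "__main__":
    # Placeholder address: replace with the controller IP you are checking.
    print(probe_telnet("192.0.2.10"))
```

Run it against each controller before the workaround (expect "shell") and again afterwards (expect "closed"); a result of "login" means some other TELNET service with authentication is listening, which is still worth replacing with SSH.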

📡 Detection & Monitoring

Log Indicators:

  • Successful telnet connections without authentication
  • Unexpected shell sessions from unknown IPs

Network Indicators:

  • TCP connections to port 23 from unauthorized sources
  • Telnet protocol traffic to industrial controllers

SIEM Query:

destination_port=23 AND destination_ip IN JTC-200_IP_RANGE AND event_type=connection_success AND NOT source_ip IN MANAGEMENT_HOSTS

(Inbound sessions to the controllers arrive on destination port 23, so the filter is on destination_port, not source_port. JTC-200_IP_RANGE and MANAGEMENT_HOSTS are placeholders for your controller subnet and the engineering hosts that are permitted to reach it.)
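The same detection logic as the SIEM query, applied to firewall or flow logs, as an added example that is not part of the original advisory: it flags accepted TCP connections to port 23 on the controller subnet from anything other than the allowed management hosts, and separately reports sources that reached several controllers in a row, which is what a sweep of the subnet looks like. The log format, the subnet 10.20.9.0/24, the management host and every log line are constructed for the example.

```python
import ipaddress
import re

# Constructed environment: where the JTC-200 units live and which host may manage them.
CONTROLLER_NETS = [ipaddress.ip_network("10.20.9.0/24")]
MANAGEMENT_HOSTS = {ipaddress.ip_address("10.20.5.7")}

# Constructed firewall log lines in a key=value style (not real captures).
SAMPLE_LOGS = [
    "2024-03-01T08:00:01 src=10.20.5.7 spt=51000 dst=10.20.9.11 dpt=23 proto=tcp action=accept",
    "2024-03-01T08:00:05 src=10.20.5.7 spt=51001 dst=10.20.9.11 dpt=443 proto=tcp action=accept",
    "2024-03-01T08:12:40 src=192.0.2.44 spt=40210 dst=10.20.9.11 dpt=23 proto=tcp action=accept",
    "2024-03-01T08:12:41 src=192.0.2.44 spt=40211 dst=10.20.9.12 dpt=23 proto=tcp action=accept",
    "2024-03-01T08:12:42 src=192.0.2.44 spt=40212 dst=10.20.9.13 dpt=23 proto=tcp action=accept",
    "2024-03-01T08:15:00 src=10.20.7.3 spt=39000 dst=10.20.9.12 dpt=23 proto=tcp action=drop",
    "2024-03-01T08:20:00 src=10.20.7.9 spt=39001 dst=10.20.1.5 dpt=23 proto=tcp action=accept",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value key=value ...' into a dict; timestamp kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def is_controller(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in CONTROLLER_NETS)


def find_telnet_alerts(lines) -> list:
    """Accepted TCP/23 connections to a controller from a non-management source."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        if f.get("proto") != "tcp" or f.get("dpt") != "23" or f.get("action") != "accept":
            continue  # dropped attempts are noise here; the accepted ones are the exposure
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if not is_controller(dst) or src in MANAGEMENT_HOSTS:
            continue
        alerts.append({"ts": f["ts"], "src": str(src), "dst": str(dst)})
    return alerts


def sweep_sources(alerts, min_targets: int = 3) -> list:
    """Sources that reached TELNET on at least min_targets distinct controllers."""
    targets = {}
    for a in alerts:
        targets.setdefault(a["src"], set()).add(a["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    hits = find_telnet_alerts(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['ts']} telnet to controller {h['dst']} from unauthorized {h['src']}")
    print("sweeping sources:", sweep_sources(hits))
```

Because the device itself gives no authentication log (there is no login step to record), the firewall or flow record is the only place an unauthorized session leaves a trace; the accept-only filter means that once the DROP rule from the workaround section is in place, alerts stop and the dropped attempts remain visible as reconnaissance.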
