Cleartext Transmission of Sensitive Information in the telnetlib Module

PY020

cleartext_transmission

CWE-319

⛔️ Error

---

The Python module telnetlib is a low-level module that provides access to the telnet protocol. The telnet protocol is a cleartext protocol, which means that all data transmitted over the connection is visible to anyone who can sniff the network traffic. This includes passwords, usernames, and other sensitive data.

If you need to access a remote system over a network, you should use a more secure protocol, such as SSH. SSH is a secure shell protocol that encrypts all data transmitted over the connection. This makes it much more difficult for attackers to eavesdrop on your communications.

If you must use telnetlib, you should take steps to mitigate the risks associated with using a cleartext protocol. For example, you should only use telnetlib to connect to systems that you trust. You should also use a strong password and enable encryption if possible.

Here are some additional reasons why you should not use telnetlib:

• It is not secure. As mentioned above, telnetlib transmits data in cleartext, which makes it vulnerable to eavesdropping.

• It is not recommended by security experts. Security experts recommend using more secure protocols, such as SSH.

Example

import getpass
import telnetlib


HOST = "localhost"
user = input("Username: ")
password = getpass.getpass()

tn = telnetlib.Telnet(HOST)
tn.read_until(b"login: ")
tn.write(user.encode('ascii') + b"\n")
if password:
    tn.read_until(b"Password: ")
    tn.write(password.encode('ascii') + b"\n")

tn.write(b"ls\n")
tn.write(b"exit\n")

Remediation

If you need to access a remote system over a network, you should use a more secure protocol, such as SSH. SSH is a secure shell protocol that encrypts all data transmitted over the connection. This makes it much more difficult for attackers to eavesdrop on your communications.

There are better alternatives. There are a number of other Python modules that provide access to the telnet protocol, such as Paramiko. These modules are more secure than telnetlib and should be used instead.

import getpass
import paramiko


HOST = "localhost"
user = input("Username: ")
password = getpass.getpass()

client = paramiko.SSHClient()
client.connect(HOST, username=user, password=password)
channel = client.invoke_shell()
client.close()

Alternatives to telnetlib

There are a number of alternatives to ftplib that provide security features. These alternatives include:

• Paramiko is a Python module that provides secure access to SSH servers. Paramiko uses encryption to protect data transmitted over the network.

• Twisted is a Python framework that provides a number of network protocols, including SSH. Twisted can be used to create secure SSH clients and servers.

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY020) or rule category name (cleartext_transmission).

Using rule ID

fix

import getpass
import telnetlib


HOST = "localhost"
user = input("Username: ")
password = getpass.getpass()

# suppress: PY020
tn = telnetlib.Telnet(HOST)
tn.read_until(b"login: ")
tn.write(user.encode('ascii') + b"\n")
if password:
    tn.read_until(b"Password: ")
    tn.write(password.encode('ascii') + b"\n")

tn.write(b"ls\n")
tn.write(b"exit\n")

Using category name

fix

import getpass
import telnetlib


HOST = "localhost"
user = input("Username: ")
password = getpass.getpass()

# suppress: cleartext_transmission
tn = telnetlib.Telnet(HOST)
tn.read_until(b"login: ")
tn.write(user.encode('ascii') + b"\n")
if password:
    tn.read_until(b"Password: ")
    tn.write(password.encode('ascii') + b"\n")

tn.write(b"ls\n")
tn.write(b"exit\n")

See also

info

• telnetlib — Telnet client
• CWE-319: Cleartext Transmission of Sensitive Information
• Paramiko
• Twisted