CERT Advisory - AIX REXD Daemon Vulnerability

• Previous message (by thread): I am leaving SURAnet
• Next message (by thread): SURA Fix-East Scheduled outage
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

===========================================================================
CA-92:05                        CERT Advisory
                                March 5, 1992
                        AIX REXD Daemon Vulnerability

---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability with the rexd daemon
in versions 3.1 and 3.2 of AIX for IBM RS/6000 machines.

IBM is aware of the problem and it will be fixed in future updates to
AIX 3.1 and 3.2.  Sites may call IBM Support (800-237-5511) and ask for
the patch for apar ix21353.  Patches may be obtained outside the U.S. by
contacting your local IBM representative.

The fix is also provided below.

---------------------------------------------------------------------------

I.   Description

     In certain configurations, particularly if NFS is installed,
     the rexd (RPC remote program execution) daemon is enabled.

     Note: Installing NFS with the current versions of "mknfs" will
     re-enable rexd even if it was previously disabled.

II.  Impact

     If a system allows rexd connections, anyone on the Internet can
     gain access to the system as a user other than root.

III. Solution 

     CERT/CC and IBM recommend that sites take the following actions
     immediately.  These steps should also be taken whenever "mknfs" is run.

     1.  Be sure the rexd line in /etc/inetd.conf is commented out by
     having a '#' at the beginning of the line:

         #rexd   sunrpc_tcp tcp  wait  root  /usr/etc/rpc.rexd rexd 100017 1

     2.  Refresh inetd by running the following command as root:

         refresh -s inetd


---------------------------------------------------------------------------
The CERT/CC wishes to thank Darren Reed of the Australian National
University for bringing this vulnerability to our attention and
IBM for their response to the problem.
---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC or
your representative in FIRST (Forum of Incident Response and Security Teams).

Internet E-mail: cert at cert.sei.cmu.edu
Telephone: 412-268-7090 (24-hour hotline)
           CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
           on call for emergencies during other hours.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous ftp
from cert.sei.cmu.edu (192.88.209.5).

• Previous message (by thread): I am leaving SURAnet
• Next message (by thread): SURA Fix-East Scheduled outage
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]