[185] in DCNS Development
[CERT Advisory - AIX REXD Daemon Vulnerability]
daemon@ATHENA.MIT.EDU (hoffmann@MIT.EDU)
Thu Mar 5 15:52:07 1992
From: hoffmann@MIT.EDU
Date: Thu, 5 Mar 92 15:47:57 -0500
To: netusers@MIT.EDU (MITnet Users)
Cc: developers@MIT.EDU, op@MIT.EDU
From: CERT Advisory <cert-advisory-request@cert.sei.cmu.edu>
Date: Thu, 5 Mar 92 14:07:10 EST
To: cert-advisory@cert.sei.cmu.edu
Subject: CERT Advisory - AIX REXD Daemon Vulnerability
Organization: Computer Emergency Response Team : 412-268-7090
===========================================================================
CA-92:05 CERT Advisory
March 5, 1992
AIX REXD Daemon Vulnerability
---------------------------------------------------------------------------
The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability with the rexd daemon
in versions 3.1 and 3.2 of AIX for IBM RS/6000 machines.
IBM is aware of the problem and it will be fixed in future updates to
AIX 3.1 and 3.2. Sites may call IBM Support (800-237-5511) and ask for
the patch for apar ix21353. Patches may be obtained outside the U.S. by
contacting your local IBM representative.
The fix is also provided below.
---------------------------------------------------------------------------
I.   Description

     In certain configurations, particularly if NFS is installed,
     the rexd (RPC remote program execution) daemon is enabled.

     Note: Installing NFS with the current versions of "mknfs" will
     re-enable rexd even if it was previously disabled.

II.  Impact

     If a system allows rexd connections, anyone on the Internet can
     gain access to the system as a user other than root.

III. Solution

     CERT/CC and IBM recommend that sites take the following actions
     immediately. These steps should also be taken whenever "mknfs" is run.

     1. Be sure the rexd line in /etc/inetd.conf is commented out by
        having a '#' at the beginning of the line:

        #rexd sunrpc_tcp tcp wait root /usr/etc/rpc.rexd rexd 100017 1

     2. Refresh inetd by running the following command as root:

        refresh -s inetd
---------------------------------------------------------------------------
The CERT/CC wishes to thank Darren Reed of the Australian National
University for bringing this vulnerability to our attention and
IBM for their response to the problem.
---------------------------------------------------------------------------
If you believe that your system has been compromised, contact CERT/CC or
your representative in FIRST (Forum of Incident Response and Security Teams).
Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 (24-hour hotline)
CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
on call for emergencies during other hours.
Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous ftp
from cert.sei.cmu.edu (192.88.209.5).
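
The check in step 1 of the Solution can be scripted so it is repeatable after every "mknfs" run. The following is an added example, not part of the CERT advisory or IBM's fix; the function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether an inetd.conf still has an active rexd entry.

# Print every uncommented line that would start rexd. A line counts if its
# service name is "rexd", a field ends in "rpc.rexd", or a field is the RPC
# program number 100017 shown in the advisory's inetd.conf line.
rexd_active_lines() {
    awk '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        {
            hit = ($1 == "rexd")
            for (i = 2; i <= NF; i++)
                if ($i ~ /rpc\.rexd$/ || $i == "100017") hit = 1
            if (hit) print FILENAME ":" FNR ": " $0
        }
    ' "$1"
}

# Exit status 0 when no active rexd entry remains, 1 otherwise.
rexd_disabled() {
    [ -z "$(rexd_active_lines "$1")" ]
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/after_mknfs.conf" <<'EOF'
# constructed sample: rexd re-enabled, as the advisory says mknfs does
ftp  stream  tcp  nowait  root  /etc/ftpd  ftpd
  rexd sunrpc_tcp tcp wait root /usr/etc/rpc.rexd rexd 100017 1
EOF
cat > "$tmp/fixed.conf" <<'EOF'
# constructed sample: rexd commented out per step 1
ftp  stream  tcp  nowait  root  /etc/ftpd  ftpd
#rexd sunrpc_tcp tcp wait root /usr/etc/rpc.rexd rexd 100017 1
EOF

for f in "$tmp/after_mknfs.conf" "$tmp/fixed.conf"; do
    if rexd_disabled "$f"; then
        echo "OK: no active rexd entry in $f"
    else
        echo "ACTION NEEDED: comment out, then run 'refresh -s inetd':"
        rexd_active_lines "$f"
    fi
done
```

On a real system, pass /etc/inetd.conf to rexd_disabled; editing the file only takes effect once inetd is refreshed as in step 2.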