[ SOURCE: http://www.secureroot.com/security/advisories/9640257578.html ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
CA-92:05                              Last Revised: September 19,1997
                                      Attached copyright statement

                            CERT Advisory
                            March 5, 1992
                    AIX REXD Daemon Vulnerability

- ---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability with the rexd daemon
in versions 3.1 and 3.2 of AIX for IBM RS/6000 machines.

IBM is aware of the problem and it will be fixed in future updates to
AIX 3.1 and 3.2. Sites may call IBM Support (800-237-5511) and ask for
the patch for apar ix21353. Patches may be obtained outside the U.S. by
contacting your local IBM representative.

The fix is also provided below.

- ---------------------------------------------------------------------------

I.   Description

     In certain configurations, particularly if NFS is installed,
     the rexd (RPC remote program execution) daemon is enabled.

     Note: Installing NFS with the current versions of "mknfs" will
     re-enable rexd even if it was previously disabled.

II.  Impact

     If a system allows rexd connections, anyone on the Internet can
     gain access to the system as a user other than root.

III. Solution

     CERT/CC and IBM recommend that sites take the following actions
     immediately. These steps should also be taken whenever "mknfs" is run.

     1.  Be sure the rexd line in /etc/inetd.conf is commented out by
         having a '#' at the beginning of the line:

         #rexd sunrpc_tcp tcp wait root /usr/etc/rpc.rexd rexd 100017 1

     2.  Refresh inetd by running the following command as root:

         refresh -s inetd

- ---------------------------------------------------------------------------

The CERT/CC wishes to thank Darren Reed of the Australian National
University for bringing this vulnerability to our attention and
IBM for their response to the problem.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC or
your representative in FIRST (Forum of Incident Response and Security Teams).

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 (24-hour hotline)
           CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
           on call for emergencies during other hours.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous ftp
from cert.org (192.88.209.5).

- ------------------------------------------------------------------------------

Copyright 1992 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History:

September 19,1997  Attached Copyright Statement

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBS+UVr9kb5qlZHQEQI0LQCfWA8GlZ6I24a8m4GhcQsUDBXpW8oAoK15
tUOZ5zJvH+fPH6HAUNh434XN
=+Ixw
-----END PGP SIGNATURE-----
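
Because "mknfs" re-enables rexd, the check in Section III step 1 is worth
repeating after every run. The script below is an added example, not part of
the CERT advisory or IBM's fix: it reports any uncommented rexd entry in an
inetd.conf file. The function names and the sample files are constructed for
illustration, and the server path is assumed to be the sixth field, as in the
advisory's line.

```shell
#!/bin/sh
# Added example, not part of the CERT advisory.

# Print "lineno: line" for every inetd.conf entry that would start rexd.
rexd_active_lines() {
    awk '
        /^[ \t]*#/ { next }   # commented out, the state step 1 asks for
        /^[ \t]*$/ { next }   # blank line
        $1 == "rexd" || $6 ~ /rpc\.rexd$/ { print NR ": " $0 }
    ' "$1"
}

# Return 0 if rexd is disabled, 1 if an active entry exists, 2 if unreadable.
audit_rexd() {
    conf=${1:-/etc/inetd.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    hits=$(rexd_active_lines "$conf")
    if [ -n "$hits" ]; then
        echo "rexd ENABLED in $conf:"
        echo "$hits"
        echo "comment the entry out with '#', then run as root: refresh -s inetd"
        return 1
    fi
    echo "rexd not enabled in $conf"
}

# Constructed sample files: one as the advisory wants it, one as left by mknfs.
demo_dir=$(mktemp -d)
printf '%s\n' \
    '#rexd sunrpc_tcp tcp wait root /usr/etc/rpc.rexd rexd 100017 1' \
    > "$demo_dir/fixed.conf"
printf '%s\n' \
    '   # constructed comment line' \
    'rexd sunrpc_tcp tcp wait root /usr/etc/rpc.rexd rexd 100017 1' \
    > "$demo_dir/after_mknfs.conf"
audit_rexd "$demo_dir/fixed.conf"
audit_rexd "$demo_dir/after_mknfs.conf" || true
rm -rf "$demo_dir"
```

On a real host, call audit_rexd with no argument to check /etc/inetd.conf; the
non-zero exit status lets it gate a post-mknfs wrapper or a cron job.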