[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Trusted Hosts Configuration Vulnerability

Title: Trusted Hosts Configuration Vulnerability
Released by: CERT
Date: 22nd August 1991
Printable version: Click here

Hash: SHA1



Last Revised: September 18,1997

                Attached copyright statement

                               CERT Advisory

                               August 22, 1991

                    Trusted Hosts Configuration Vulnerability

- ---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has

received information concerning a vulnerability in the configuration

of several system files.  This advisory discusses a workaround since

there are no permanent patches available at this time.

This vulnerability is present in a very large number of UNIX-based

operating systems. Therefore, we recommend that ALL sites take the 

corrective actions listed below.

- ---------------------------------------------------------------------------


     The presence of a '-' as the first character in /etc/hosts.equiv,

     /etc/hosts.lpd and .rhosts files may allow unauthorized access 

     to the system.



     Remote users can gain unauthorized root access to the system.



     Rearrange the order of entries in the hosts.equiv, hosts.lpd,

     and .rhosts files so that the first line does not contain 

     a leading '-' character.

     Remove hosts.equiv, hosts.lpd, and .rhosts files containing only 

     entries beginning with a '-' character.

     .rhosts files in ALL accounts, including root, bin, sys, news, etc.,

     should be examined and modified as required.  .rhosts files that

     are not needed should be removed.    

     Please note that the CERT/CC strongly cautions sites about the

     use of hosts.equiv and .rhosts files.  We suggest that they NOT

     be used unless absolutely necessary.  

- ---------------------------------------------------------------------------

The CERT/CC wishes to thank Alan Marcum, NeXT Computer, for bringing

this security vulnerability to our attention.  We would also like to

thank CIAC for their assistance in testing this vulnerability.

- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC via

telephone or e-mail.

Computer Emergency Response Team/Coordination Center (CERT/CC)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.org

Telephone: 412-268-7090 24-hour hotline:

           CERT/CC personnel answer 7:30a.m.-6:00p.m. EST,

           on call for emergencies during other hours.

Past advisories and other computer security related information are available

for anonymous ftp from the cert.org ( system.

- ----------------------------------------------------------------------------

Copyright 1991 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


Revision History

September 18,1997  Attached Copyright Statement


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.