=============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : CERT-NL Index : S-92-05 Distribution : SURFnet Constituency Page : 1 Classification: External Version: final Subject : AIX REXD Deamon Vulnerability Date : 05-mar-92 =============================================================================== CERT-NL (SURFnet Computer Emergency Response Team) has received information concerning a security problem in AIX REXD Deamon. CERT-NL wishes to thank CERT/CC for bringing this to our attention. =========================================================================== CA-92:05 CERT Advisory March 5, 1992 AIX REXD Daemon Vulnerability --------------------------------------------------------------------------- The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning a vulnerability with the rexd daemon in versions 3.1 and 3.2 of AIX for IBM RS/6000 machines. IBM is aware of the problem and it will be fixed in future updates to AIX 3.1 and 3.2. Sites may call IBM Support (800-237-5511) and ask for the patch for apar ix21353. Patches may be obtained outside the U.S. by contacting your local IBM representative. The fix is also provided below. --------------------------------------------------------------------------- I. Description In certain configurations, particularly if NFS is installed, the rexd (RPC remote program execution) daemon is enabled. Note: Installing NFS with the current versions of "mknfs" will re-enable rexd even if it was previously disabled. II. Impact If a system allows rexd connections, anyone on the Internet can gain access to the system as a user other than root. III. Solution CERT/CC and IBM recommend that sites take the following actions immediately. These steps should also be taken whenever "mknfs" is run. 1. Be sure the rexd line in /etc/inetd.conf is commented out by having a '#' at the beginning of the line: #rexd sunrpc_tcp tcp wait root /usr/etc/rpc.rexd rexd 100017 1 2. Refresh inetd by running the following command as root: refresh -s inetd --------------------------------------------------------------------------- The CERT/CC wishes to thank Darren Reed of the Australian National University for bringing this vulnerability to our attention and IBM for their response to the problem. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact CERT/CC or your representative in FIRST (Forum of Incident Response and Security Teams). Internet E-mail: cert@cert.sei.cmu.edu Telephone: 412-268-7090 (24-hour hotline) CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4), on call for emergencies during other hours. Computer Emergency Response Team/Coordination Center (CERT/CC) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Past advisories, information about FIRST representatives, and other information related to computer security are available for anonymous ftp from cert.sei.cmu.edu (192.88.209.5). ============================================================================== CERT-NL is the Computer Emergency Response Team, located in The Netherlands. CERT-NL is a Full Member of the Forum of Incident Response and Security Teams (FIRST). The constituency of CERT-NL are the SURFnet connected institutions. Past CERT-NL Security Bulletins and other CERT-NL related material can be found on the anonymous FTP server of SURFnet bv: "ftp.nic.surfnet.nl" [192.87.46.3], in the directory "netman/cert-nl". This information is also available using email. Send an email saying "help" to "mailserv@nic.surfnet.nl". In case of computer or network security problems please contact CERT-NL or the CERT of your own constituency. Please be aware of the fact that we are are one hour ahead of Universal Time Coordinated (i.e. UTC+0100). Email: cert-nl@surfnet.nl Phone: +31 30 310290 Fax: +31 30 340903 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7*24h phonenumber is available to SURFnet SSC's and FIRST members on request ==============================================================================