-----BEGIN PGP SIGNED MESSAGE-----

=========================================================================
SingCERT Advisory SA-98.03.cfingerd_search_directive
Original issue date: 13 October, 1998 

Topic: Display of GECOS fields for hosts running cfingerd
- ------------------------------------------------------------------------
I.      Description

There is a potential security hazard with finger deamon, cfingerd 1.3.2 
and earlier where a search.username directive can return a listing of all 
usernames in the target system's password file (/etc/passwd). The listing 
returned will allow the attacker to discern if they are valid accounts 
which can then be used for guessing passwords.

II.     Impact 

Activating this feature in cfingerd does not protect users privacy.
User accounts with nofinger option enabled are also searchable under this
directive.

Also stated in the I. , the information returned can be used for password  
guessing attacks on system operators and user accounts. 

III.    Solution 

A. Deactivating search directive for cfinger

We can turned off searchable finger queries to systems running cfingerd
by modifying the option in the global cfingerd configuration file (or
/etc/cfinger.conf by system default).

B. Apply the patch from SingCERT

Apply the following patch to cfingerd 1.3.2 source code to return a fake 
password listing. This patch will redirect all queries for the global
password file, /etc/passwd to a fake password file, /etc/cfingerd.passwd.
The patch is available from
    
ftp://ftp.singcert.org.sg/pub/SingCERT/singcert_advisories/patches/

5efbe7727eef59cfd656ab8f372111ca  cfinger-1.3.2-search.patch

- ------------------------------------------------------------------------
SingCERT Contact Information
- ----------------------------
Email   cert@singcert.org.sg

Phone   +65 874-6666 (Office Hours Hotline)
           SingCERT personnel answer 8:30-5:00 p.m. SGT(GMT+8)

Fax     +65 872-6198

Postal address
        SingCERT
        3rd Floor Computer Centre
        National University of Singapore
        10 Kent Ridge Crescent
        Singapore 119260

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We
   support PGP. Contact SingCERT for more information.
   Location of SingCERT PGP key
         http://www.singcert.org.sg/asc/singcert.asc

Getting security information
   SingCERT publications and other security information are available from
        http://www.singcert.org.sg/
        ftp://ftp.singcert.org.sg/pub/

   To be added to our mailing list for advisories and bulletins, send an empty
   email message to
        singcert-advisory-subscribe@singcert.org.sg


- ----------------------------------------------------------------------------
Copyright 1998 SingCERT.
- ----------------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBNiQKB3r03uiLwmvpAQFdowP+Pg7UgvrPK538KkvZRQeZEkGpPuNAhcN3
3VLrbHbZvRYLScX5vVv+/dIQrAFaRVT0qvto0vwBQ6sJbZ1olXL+/JALAsQ9jIeE
psFHYB5iZwEo2s1qIH7V9DEfIg5aCvyR2crlTG/ek1a2Cq0xB//y3c2cG9s6mmTF
jOJPluSiVZs=
=UgXm
-----END PGP SIGNATURE-----