=========================================================================== CA-92:05 CERT Advisory March 5, 1992 AIX REXD Daemon Vulnerability --------------------------------------------------------------------------- The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning a vulnerability with the rexd daemon in versions 3.1 and 3.2 of AIX for IBM RS/6000 machines. IBM is aware of the problem and it will be fixed in future updates to AIX 3.1 and 3.2. Sites may call IBM Support (800-237-5511) and ask for the patch for apar ix21353. Patches may be obtained outside the U.S. by contacting your local IBM representative. The fix is also provided below. --------------------------------------------------------------------------- I. Description In certain configurations, particularly if NFS is installed, the rexd (RPC remote program execution) daemon is enabled. Note: Installing NFS with the current versions of "mknfs" will re-enable rexd even if it was previously disabled. II. Impact If a system allows rexd connections, anyone on the Internet can gain access to the system as a user other than root. III. Solution CERT/CC and IBM recommend that sites take the following actions immediately. These steps should also be taken whenever "mknfs" is run. 1. Be sure the rexd line in /etc/inetd.conf is commented out by having a '#' at the beginning of the line: #rexd sunrpc_tcp tcp wait root /usr/etc/rpc.rexd rexd 100017 1 2. Refresh inetd by running the following command as root: refresh -s inetd --------------------------------------------------------------------------- The CERT/CC wishes to thank Darren Reed of the Australian National University for bringing this vulnerability to our attention and IBM for their response to the problem. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact CERT/CC or your representative in FIRST (Forum of Incident Response and Security Teams). Internet E-mail: cert@cert.sei.cmu.edu Telephone: 412-268-7090 (24-hour hotline) CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4), on call for emergencies during other hours. Computer Emergency Response Team/Coordination Center (CERT/CC) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Past advisories, information about FIRST representatives, and other information related to computer security are available for anonymous ftp from cert.sei.cmu.edu (192.88.209.5).