-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL                                     Index  :    S-92-05
Distribution  : SURFnet Constituency                        Page   :          1
Classification: External                                    Version:      final
Subject       : AIX REXD Deamon Vulnerability        Date   :  05-mar-92
===============================================================================

CERT-NL (SURFnet Computer Emergency Response Team) has received
information concerning a security problem in AIX REXD Deamon.

CERT-NL wishes to thank CERT/CC for bringing this to our attention.

===========================================================================
CA-92:05                        CERT Advisory
                                March 5, 1992
                        AIX REXD Daemon Vulnerability

- ---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability with the rexd daemon
in versions 3.1 and 3.2 of AIX for IBM RS/6000 machines.

IBM is aware of the problem and it will be fixed in future updates to
AIX 3.1 and 3.2.  Sites may call IBM Support (800-237-5511) and ask for
the patch for apar ix21353.  Patches may be obtained outside the U.S. by
contacting your local IBM representative.

The fix is also provided below.

- ---------------------------------------------------------------------------

I.   Description

     In certain configurations, particularly if NFS is installed,
     the rexd (RPC remote program execution) daemon is enabled.

     Note: Installing NFS with the current versions of "mknfs" will
     re-enable rexd even if it was previously disabled.

II.  Impact

     If a system allows rexd connections, anyone on the Internet can
     gain access to the system as a user other than root.

III. Solution 

     CERT/CC and IBM recommend that sites take the following actions
     immediately.  These steps should also be taken whenever "mknfs" is run.

     1.  Be sure the rexd line in /etc/inetd.conf is commented out by
     having a '#' at the beginning of the line:

         #rexd   sunrpc_tcp tcp  wait  root  /usr/etc/rpc.rexd rexd 100017 1

     2.  Refresh inetd by running the following command as root:

         refresh -s inetd


- ---------------------------------------------------------------------------
The CERT/CC wishes to thank Darren Reed of the Australian National
University for bringing this vulnerability to our attention and
IBM for their response to the problem.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC or
your representative in FIRST (Forum of Incident Response and Security Teams).

Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 (24-hour hotline)
           CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
           on call for emergencies during other hours.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous ftp
from cert.sei.cmu.edu (192.88.209.5).

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6V9DSYjBqwfc9jEQLXrwCg2uk09QlBvjDecXoWjsWlYr0E+C4AniDG
OK8lJ5eNLtrfKlec6fzWIEaJ
=8wLa
-----END PGP SIGNATURE-----