Vulnerability

inetd

Affected

FreeBSD 3.x, 4.x

Description

'dynamo' found the following. The inetd ident server is an implementation of the RFC1413 identification server, which returns the local username of the user connecting to a remote service.

During internal auditing, the internal ident server in inetd was found to incorrectly set group privileges according to the user. Due to ident using root's group permissions, users may read the first 16 (excluding initial whitespace) bytes of wheel-accessible files. This is only true if the internal ident service is run using the '-f' flag.

An additional problem with the '-f' flag is that under certain circumstances the child inetd process can be made to block, potentially allowing a resource starvation condition on the server.

Users can read the first 16 bytes of wheel-accessible files. To determine which may be potentially read, execute the following command as root:

    # find / -group wheel \( -perm -40 -a \! -perm +4 \) -ls

The inetd internal ident server is not enabled by default. If you have not enabled the ident portion of inetd, you are not vulnerable.

Solution

Disable the internal ident server, if enabled: comment out all lines beginning with "auth" in /etc/inetd.conf, then restart inetd by sending it a SIGHUP:

    # killall -HUP inetd

Fix:

    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch
    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch
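
To check which of the conditions above applies to a host, the following script classifies an inetd.conf. It is an added example, not part of the original advisory or the FreeBSD patches; the function name ident_exposure and the sample file contents are constructed for illustration, and it assumes the standard seven-field inetd.conf layout with flags following the program name.

```shell
#!/bin/sh
# Added example: report whether the internal ident service is active in an
# inetd.conf and whether it is started with the '-f' flag.
# Prints one of: not-enabled | enabled | enabled-with-f
ident_exposure() {
    conf="${1:-/etc/inetd.conf}"
    awk '
        /^[ \t]*#/ { next }                 # commented-out entries are inactive
        $1 == "auth" && $6 == "internal" {  # active internal ident entry
            if (state == "") state = "enabled"
            # $7 is the program name; flags start at $8. A clustered flag
            # such as -rf also matches, so this errs toward reporting exposure.
            for (i = 8; i <= NF; i++)
                if ($i ~ /^-[A-Za-z]*f/) state = "enabled-with-f"
        }
        END { print (state == "" ? "not-enabled" : state) }
    ' "$conf"
}

# Constructed sample configuration (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
ftp   stream tcp nowait root /usr/libexec/ftpd ftpd -l
#auth stream tcp nowait root internal auth -r -n
auth  stream tcp nowait root internal auth -r -f -n -o OTHER -t 30
EOF
ident_exposure "$sample"    # prints: enabled-with-f
rm -f "$sample"
```

A result of enabled-with-f means the find command above is worth running to list the files whose first bytes were exposed; not-enabled matches the default configuration.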