TUCoPS :: Unix :: Various Flavours :: cert0041.txt

IBM AIX REXD Daemon vulnerability


CA-92:05                        CERT Advisory
                                March 5, 1992
                        AIX REXD Daemon Vulnerability

- ---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability with the rexd daemon
in versions 3.1 and 3.2 of AIX for IBM RS/6000 machines.

IBM is aware of the problem and it will be fixed in future updates to
AIX 3.1 and 3.2.  Sites may call IBM Support (800-237-5511) and ask for
the patch for apar ix21353.  Patches may be obtained outside the U.S. by
contacting your local IBM representative.

The fix is also provided below.

- ---------------------------------------------------------------------------

I.   Description

     In certain configurations, particularly if NFS is installed,
     the rexd (RPC remote program execution) daemon is enabled.

     Note: Installing NFS with the current versions of "mknfs" will
     re-enable rexd even if it was previously disabled.

II.  Impact

     If a system allows rexd connections, anyone on the Internet can
     gain access to the system as a user other than root.

III. Solution 

     CERT/CC and IBM recommend that sites take the following actions
     immediately.  These steps should also be taken whenever "mknfs" is run.

     1.  Be sure the rexd line in /etc/inetd.conf is commented out by
     having a '#' at the beginning of the line:

         #rexd   sunrpc_tcp tcp  wait  root  /usr/etc/rpc.rexd rexd 100017 1

     2.  Refresh inetd by running the following command as root:

         refresh -s inetd

- ---------------------------------------------------------------------------
The CERT/CC wishes to thank Darren Reed of the Australian National
University for bringing this vulnerability to our attention and
IBM for their response to the problem.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC or
your representative in FIRST (Forum of Incident Response and Security Teams).

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 (24-hour hotline)
           CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
           on call for emergencies during other hours.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous ftp
from cert.org (

Version: 2.6.2


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH