DISTRIBUTION RESTRICTIONS:  PUBLIC DISTRIBUTION
	_______________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                         Information Bulletin
 
		    AIX REXD Daemon Vulnerability
 
March 6, 1992 1000 PST                                       Number C-21
_________________________________________________________________________
PROBLEM:  In certain configurations the rexd (RPC remote program
	  execution) daemon is enabled.
PLATFORM: IBM AIX 3.1 and 3.2.
DAMAGE:   Anyone can remotely gain access to the system as a user other
   	  than root.
SOLUTION: Apply fix below.
__________________________________________________________________________
	  Critical Facts about AIX REXD Daemon Vulnerability

CIAC has become aware of a possible security problem with the rexd
daemon in versions 3.1 and 3.2 of AIX for IBM RS/6000 machines.  In
certain configurations, particularly if NFS is installed, the rexd
(RPC remote program execution) daemon is enabled.  Also note that,
installing NFS with the current versions of "mknfs" will re-enable
rexd even if it was previously disabled.

IBM is aware of the problem and will fix it in future updates to AIX
3.1 and 3.2.  Sites may call IBM Support (800-237-5511) and ask for
the patch for apar ix21353.  Patches may be obtained outside the U.S.
by contacting your local IBM representative.

Until you receive this patch, the following should correct the
problem.  IBM and CIAC recommend that sites take the following actions
immediately.  These steps should also be taken whenever "mknfs" is
run.

     1.  Be sure the rexd line in /etc/inetd.conf is commented out by
     having a '#' at the beginning of the line:

         #rexd   sunrpc_tcp tcp  wait  root  /usr/etc/rpc.rexd rexd 100017 1

     2.  Refresh inetd by running the following command as root:

         refresh -s inetd

For additional information or assistance, please contact CIAC:

	David Brown
	(510) 423-9878/(FTS) 543-9878
	dsbrown@llnl.gov

Call CIAC at (510) 422-8193/(FTS) 532-8193 or send e-mail to
ciac@llnl.gov.  FAX messages to: (510) 423-8002/(FTS) 543-8002.

Previous CIAC bulletins and other information is available via
anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).  

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team.  Your
agency's team will coordinate with CIAC.

CIAC would like to thank Darren Reed of the Australian National
University and the Computer Emergency Response Team/Coordination
Center (CERT/CC) for their assistance with this bulletin.

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.