Original issue date: August 22, 1991<BR>
Last revised: September 18, 1997<BR>
Attached copyright statement

<P>A complete revision history is at the end of this file.

<P>The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability in the configuration
of several system files.  This advisory discusses a workaround since
there are no permanent patches available at this time.

<P>This vulnerability is present in a very large number of UNIX-based
operating systems. Therefore, we recommend that ALL sites take the 
corrective actions listed below.

<H2>I. Description </H2>

The presence of a '-' as the first character in /etc/hosts.equiv,
/etc/hosts.lpd and .rhosts files may allow unauthorized access 
to the system.

<H2>II. Impact</H2>

Remote users can gain unauthorized root access to the system.

<H2>III. Solution</H2>

Rearrange the order of entries in the hosts.equiv, hosts.lpd,
and .rhosts files so that the first line does not contain 
a leading '-' character.

<P>Remove hosts.equiv, hosts.lpd, and .rhosts files containing only 
entries beginning with a '-' character.

<P>.rhosts files in ALL accounts, including root, bin, sys, news, etc.,
should be examined and modified as required.  .rhosts files that
are not needed should be removed.    

<P>Please note that the CERT/CC strongly cautions sites about the
use of hosts.equiv and .rhosts files.  We suggest that they NOT
be used unless absolutely necessary.  
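The checks described in this section can be scripted so that every trust file on a host is examined at once. The following audit helper is an added example and is not part of the CERT advisory: it classifies /etc/hosts.equiv, /etc/hosts.lpd and each account's .rhosts as needing reordering (first line begins with '-'), needing removal (every entry begins with '-'), or neither. It assumes blank lines are not entries, that account home directories live under /root and /home (a real audit would enumerate them from the password file), and it builds its own constructed sample files under a temporary root rather than touching the live system.

```shell
#!/bin/sh
# Audit helper for the leading-'-' problem in trusted-host files.
# Added example; not code from the advisory.  Classifies each file into
# the two cases the advisory says to fix (reorder, or remove) or OK.

# classify_trust_file FILE
# Prints exactly one word:
#   MISSING       file does not exist (nothing to fix; .rhosts is absent)
#   EMPTY         file has no non-blank lines
#   ONLY-DASH     every non-blank entry starts with '-'  -> remove the file
#   LEADING-DASH  the file's first line starts with '-'  -> reorder entries
#   OK            not affected by this advisory
classify_trust_file() {
    f=$1
    [ -f "$f" ] || { echo MISSING; return 0; }
    # Assumption of this example: blank lines are not entries.
    # '|| true' keeps the count when grep exits 1 for "no match".
    nonblank=$(grep -c -v '^[[:space:]]*$' "$f" || true)
    if [ "$nonblank" -eq 0 ]; then echo EMPTY; return 0; fi
    # ONLY-DASH is checked first: such a file must be removed, not reordered.
    nondash=$(grep -v '^[[:space:]]*$' "$f" | grep -c -v '^-' || true)
    if [ "$nondash" -eq 0 ]; then echo ONLY-DASH; return 0; fi
    # The advisory's condition is literally "the first character of the file",
    # so only the first line is inspected here.
    first=$(head -n 1 "$f")
    case $first in
        -*) echo LEADING-DASH ;;
        *)  echo OK ;;
    esac
    return 0
}

# audit_trust_files [ROOT]
# Prints "VERDICT<TAB>PATH" for the system-wide files and for the .rhosts
# of every account found under ROOT/root and ROOT/home (an assumption of
# this example; a real audit would walk the home directories listed in the
# password file so that bin, sys, news, etc. are covered too).
audit_trust_files() {
    root=${1:-}
    for f in "$root/etc/hosts.equiv" "$root/etc/hosts.lpd"; do
        printf '%s\t%s\n' "$(classify_trust_file "$f")" "$f"
    done
    for h in "$root"/root "$root"/home/*; do
        [ -d "$h" ] || continue
        printf '%s\t%s\n' "$(classify_trust_file "$h/.rhosts")" "$h/.rhosts"
    done
}

# Constructed sample tree so the script runs offline against known input.
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/etc" "$SAMPLE_ROOT/root" \
         "$SAMPLE_ROOT/home/alice" "$SAMPLE_ROOT/home/bob"
# first line starts with '-': entries must be reordered
printf -- '-badhost.example.com\ntrusted.example.com\n' \
    > "$SAMPLE_ROOT/etc/hosts.equiv"
# ordinary print-server entry: unaffected
printf -- 'printhost.example.com\n' > "$SAMPLE_ROOT/etc/hosts.lpd"
# only '-' entries (plus a blank line): file must be removed
printf -- '-evil.example.com\n\n-other.example.com\n' \
    > "$SAMPLE_ROOT/root/.rhosts"
# '-' entry present but not first: unaffected by this advisory
printf -- 'trusted.example.com alice\n-denied.example.com\n' \
    > "$SAMPLE_ROOT/home/alice/.rhosts"
# bob has no .rhosts at all: reported as MISSING

audit_trust_files "$SAMPLE_ROOT"
```

Run it as-is to see the report on the constructed tree; on a real host, call `audit_trust_files` with no argument (or with the mount point of an offline root) and extend the home-directory loop to the accounts in the password file.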


<P>The CERT/CC wishes to thank Alan Marcum, NeXT Computer, for bringing
this security vulnerability to our attention.  We would also like to
thank CIAC for their assistance in testing this vulnerability.


<P>Copyright 1991 Carnegie Mellon University.</P>


Revision History
September 18, 1997  Attached Copyright Statement