Rwhod daemon running

rwhod (119) The risk level is classified as LowLow Risk

Description:

The rwho daemon was detected as running. Rwho provides information about the status of the system and the users on the system. This is potentially security-sensitive information that you may not wish to be made available. The rwho daemon does not properly validate the information it receives and creates a potential vulnerability by overflowing the hostname sent to the daemon. On some computers, this overflow results in the rwhod crashing. Other computers register a change in process status information for rwhod, which is visible by executing a ps -a on most Unix systems.

Platforms Affected:

  • IBM, AIX
  • Various vendors, Unix

Remedy:

Disable the rwhod daemon if it is not required.

For Unix:
To disable a Unix daemon started from inetd:

  1. Edit the /etc/inetd.conf (or equivalent) file.
  2. Locate the line that controls the daemon.
  3. Type a # at the beginning of the line to comment out the daemon.
  4. Restart inetd.

Consequences:

Informational

References:

  • CVE-1999-0085: Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.
  • CVE-1999-0628: The rwho/rwhod service is running, which exposes machine status and user information.

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page