| VID |
15004 |
| Severity |
30 |
| Port |
79 |
| Protocol |
TCP |
| Class |
FINGER |
| Detailed Description |
There is a bug in the finger service that makes it display the complete list of accounts on the target system when anyone issues the request:
finger "0 1 2 3 4 5 6 7 8 9"@target.com
A full list of valid login names gives an attacker significant assistance in a brute-force attack on user accounts, because only the passwords remain to be guessed. |
| Recommendation |
This technique is already used in the wild and there is no patch for the behaviour, so disable the finger service.
To disable a finger daemon started from inetd:
1. Edit /etc/inetd.conf (or the equivalent file on your system).
2. Locate the line that starts the finger daemon.
3. Insert a # at the beginning of that line to comment it out.
4. Restart inetd (or send it SIGHUP) so that it re-reads its configuration.
*Solaris 10, Solaris 11: # svcadm disable svc:/network/finger:default
*Enterprise Linux 6.4, CentOS 6.4, Fedora 19: open /etc/xinetd.d/finger, set disable = yes, and restart xinetd.
Afterwards, confirm that TCP port 79 on the host no longer accepts connections. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
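The enumeration query under Detailed Description, as an added example that is not part of this advisory entry: a POSIX shell script that sends the multi-token finger query to a host over TCP port 79 and extracts the login names from the reply. The live probe uses nc(1); the parser is exercised offline on a constructed sample reply in the classic BSD short format. Host, port and the sample reply are assumptions, and a daemon with a different column layout needs the awk field adjusted.

```shell
#!/bin/sh
# Added example (not from the original advisory): probe a finger daemon with the
# multi-token query and list the login names it returns.

# Constructed sample reply in the classic BSD fingerd short format (assumption:
# your daemon's columns may differ; the parser takes the first field as login).
SAMPLE_REPLY='Login     Name               Tty      Idle  Login Time   Office
root      Charlie Root       *con     12d   Jan  4 09:12
alice     Alice Example       pts/0          Feb 11 08:40
bob       Bob Example        *pts/1   3:20  Feb 10 17:05
'

# Build the query exactly as the advisory describes. finger(1) strips the
# @host part and sends the rest followed by CRLF (RFC 1288 framing).
finger_enum_query() {
    printf '0 1 2 3 4 5 6 7 8 9\r\n'
}

# Extract login names from a finger reply on stdin: skip the header line,
# "no such user" answers and blank lines, then print each first field once.
finger_logins() {
    awk 'NR == 1 && $1 == "Login" { next }
         /no such user/            { next }
         /^[[:space:]]*$/          { next }
         !seen[$1]++               { print $1 }'
}

# Live probe: finger_probe HOST [PORT] -> prints discovered login names.
# A non-empty list means the daemon answers the multi-token query with a
# user listing; a daemon that only replies "no such user" prints nothing.
finger_probe() {
    host=$1
    port=${2:-79}
    finger_enum_query | nc -w 5 "$host" "$port" | finger_logins
}

# Offline exercise of the parser on the constructed reply.
finger_logins_from_sample() {
    printf '%s' "$SAMPLE_REPLY" | finger_logins
}
```

Run `finger_probe target.example.com` against a host you are authorised to test; a reply that contains every account on the system confirms the behaviour described above, while a daemon that only answers "no such user" for the digit tokens is not listing accounts.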
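The inetd and xinetd steps under Recommendation, as an added example that is not the advisory's own code: shell functions that comment out the finger line in an inetd.conf, set disable = yes in an xinetd service stanza, and verify the result. They take file paths as arguments so they can be tried on the constructed sample files below; the sample contents and paths are assumptions, and restarting inetd or xinetd afterwards is left to the operator.

```shell
#!/bin/sh
# Added example (not from the original advisory): disable finger in a classic
# inetd.conf and in an xinetd per-service file, then verify the edit. On a real
# host run the disable_* functions as root against /etc/inetd.conf or
# /etc/xinetd.d/finger, then restart the superserver (not done here).

# Comment out every active service line whose first field is "finger".
# The match covers both space- and tab-separated configurations.
disable_finger_inetd() {
    sed -i.bak 's/^finger[[:space:]]/#&/' "$1"
}

# Flip "disable = no" to "disable = yes" inside an xinetd service stanza.
disable_finger_xinetd() {
    sed -i.bak 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)no[[:space:]]*$/\1yes/' "$1"
}

# Verification helpers: exit 0 when the daemon is disabled in the given file.
finger_disabled_inetd() {
    ! grep -q '^finger[[:space:]]' "$1"
}
finger_disabled_xinetd() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Constructed sample files to exercise the functions on (not real system files;
# the daytime line shows that unrelated services are left untouched).
make_sample_inetd() {
    cat > "$1" <<'EOF'
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
daytime stream  tcp     nowait  root    internal
EOF
}
make_sample_xinetd() {
    cat > "$1" <<'EOF'
service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = no
}
EOF
}
```

Both disable_* functions leave a .bak copy of the original file next to the edited one; keep it until the restarted superserver has been confirmed to no longer answer on port 79.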