Excessive Finger Information
CVE 1999-0612
Summary
Certain finger servers, when queried, will release excess data about accounts
on the system.
Impact
This excess information could be used as clues for guessing user passwords
or exploiting other system problems.
Background
The finger command provides information about users on a system. Intruders require
information about users in order to guess their passwords. The finger
service is the most common method of acquiring the necessary hints for cracking user
passwords and compromising a user's account.
The Problem
Some finger daemons release information about the user's shell,
home directory and group membership. This information may be used by hackers
to attack the system. Some of the information can also be used to compromise the
user account. For example, information such as the last time a user logged into the system
could be used to build a table of usage patterns. Another example is that by knowing
a user's home directory and exploiting a vulnerability in the mail system, a hacker could
create an entrance into the system.
Resolution
In order to disable this vulnerability, disable the finger daemon by
editing the inetd.conf file, commenting out the finger service,
and sending a HUP signal (a signal that resets a process, usually after its
configuration has been changed) to the inetd process. Another solution
is to use a finger daemon that is more restrictive or has access control.
A third solution is to control finger daemon requests by restricting its
use to local and trusted networks by using etc/inetd.sec (on some systems like
HP) and/or TCP wrappers.